CAPE

Detections: Azorult
Triggered CAPE Tasks: Task #85126: Extraction; Task #85127: Injection


Analysis

Category: FILE
Package: exe
Started: 2019-07-11 02:05:19
Completed: 2019-07-11 02:09:05
Duration: 226 seconds
Options:
route = internet
procdump = 1
Log:
2019-07-11 03:05:20,000 [root] INFO: Date set to: 07-11-19, time set to: 02:05:20, timeout set to: 200
2019-07-11 03:05:20,015 [root] DEBUG: Starting analyzer from: C:\hjcplavoq
2019-07-11 03:05:20,015 [root] DEBUG: Storing results at: C:\fVxfVt
2019-07-11 03:05:20,015 [root] DEBUG: Pipe server name: \\.\PIPE\USfOmwe
2019-07-11 03:05:20,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-07-11 03:05:20,015 [root] INFO: Automatically selected analysis package "exe"
2019-07-11 03:05:20,467 [root] DEBUG: Started auxiliary module Browser
2019-07-11 03:05:20,467 [root] DEBUG: Started auxiliary module Curtain
2019-07-11 03:05:20,467 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-07-11 03:05:21,059 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-07-11 03:05:21,059 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-07-11 03:05:21,059 [root] DEBUG: Started auxiliary module DigiSig
2019-07-11 03:05:21,059 [root] DEBUG: Started auxiliary module Disguise
2019-07-11 03:05:21,059 [root] DEBUG: Started auxiliary module Human
2019-07-11 03:05:21,059 [root] DEBUG: Started auxiliary module Screenshots
2019-07-11 03:05:21,059 [root] DEBUG: Started auxiliary module Sysmon
2019-07-11 03:05:21,059 [root] DEBUG: Started auxiliary module Usage
2019-07-11 03:05:21,059 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-07-11 03:05:21,059 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-07-11 03:05:21,092 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\201907060947039062.exe" with arguments "" with pid 1332
2019-07-11 03:05:21,092 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:21,092 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:21,154 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:21,247 [root] DEBUG: Loader: Injecting process 1332 (thread 1860) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:21,247 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:21,247 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:21,247 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:21,247 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:21,247 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:21,247 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:21,247 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1332
2019-07-11 03:05:23,259 [lib.api.process] INFO: Successfully resumed process with pid 1332
2019-07-11 03:05:23,259 [root] INFO: Added new process to list with pid: 1332
2019-07-11 03:05:23,477 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:23,477 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:23,555 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:23,555 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:23,555 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:23,555 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:23,555 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:23,555 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1332 at 0x747e0000, image base 0xdc0000, stack from 0x666000-0x670000
2019-07-11 03:05:23,555 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:23,555 [root] INFO: Monitor successfully loaded in process with pid 1332.
2019-07-11 03:05:23,572 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:23,572 [root] DEBUG: DLL unloaded from 0x00DC0000.
2019-07-11 03:05:23,572 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:23,618 [root] DEBUG: DLL unloaded from 0x00DC0000.
2019-07-11 03:05:23,759 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:24,039 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-07-11 03:05:24,039 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-07-11 03:05:24,196 [root] DEBUG: set_caller_info: Adding region at 0x00170000 to caller regions list (kernel32::CreateProcessInternalW).
2019-07-11 03:05:24,196 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-07-11 03:05:24,243 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2376
2019-07-11 03:05:24,243 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:24,243 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:24,243 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:24,243 [root] DEBUG: Loader: Injecting process 2376 (thread 2672) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:24,243 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:24,243 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:24,243 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:24,243 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:24,243 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:24,243 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:24,243 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2376
2019-07-11 03:05:24,243 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2376
2019-07-11 03:05:24,243 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:24,243 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:24,243 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:24,243 [root] DEBUG: Loader: Injecting process 2376 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:24,243 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:24,243 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:24,257 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:24,257 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:24,257 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:24,257 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:24,257 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2376 at 0x747e0000, image base 0xdc0000, stack from 0xb06000-0xb10000
2019-07-11 03:05:24,257 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:24,257 [root] INFO: Added new process to list with pid: 2376
2019-07-11 03:05:24,257 [root] INFO: Monitor successfully loaded in process with pid 2376.
2019-07-11 03:05:24,257 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:24,257 [root] DEBUG: DLL loaded at 0x00CE0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:24,257 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:24,257 [root] DEBUG: DLL unloaded from 0x00CE0000.
2019-07-11 03:05:24,273 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:24,273 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:24,273 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:24,273 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2376, error: -8
2019-07-11 03:05:25,413 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:26,441 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2376
2019-07-11 03:05:26,441 [root] DEBUG: GetHookCallerBase: thread 2672 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:26,441 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:26,441 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:26,441 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:26,457 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2376_11876520362625511472019
2019-07-11 03:05:26,457 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:26,457 [root] INFO: Notified of termination of process with pid 2376.
2019-07-11 03:05:26,676 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2876
2019-07-11 03:05:26,676 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:26,676 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:26,676 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:26,691 [root] DEBUG: Loader: Injecting process 2876 (thread 2832) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:26,691 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:26,691 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:26,707 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:26,707 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:26,723 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:26,723 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:26,723 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2876
2019-07-11 03:05:26,723 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2876
2019-07-11 03:05:26,723 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:26,723 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:26,753 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:26,753 [root] DEBUG: Loader: Injecting process 2876 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:26,753 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:26,753 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:26,769 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:26,769 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:26,769 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:26,786 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:26,786 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2876 at 0x747e0000, image base 0xdc0000, stack from 0xb76000-0xb80000
2019-07-11 03:05:26,801 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:26,801 [root] INFO: Added new process to list with pid: 2876
2019-07-11 03:05:26,801 [root] INFO: Monitor successfully loaded in process with pid 2876.
2019-07-11 03:05:26,832 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:26,832 [root] DEBUG: DLL loaded at 0x02B30000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:26,848 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:26,848 [root] DEBUG: DLL unloaded from 0x02B30000.
2019-07-11 03:05:26,864 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:26,864 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:26,878 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:26,878 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2876, error: -8
2019-07-11 03:05:27,332 [root] INFO: Process with pid 2376 has terminated
2019-07-11 03:05:27,440 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:29,157 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2876
2019-07-11 03:05:29,157 [root] DEBUG: GetHookCallerBase: thread 2832 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:29,157 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:05:29,171 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:05:29,171 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:29,187 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2876_15811107602925511472019
2019-07-11 03:05:29,187 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:29,187 [root] INFO: Notified of termination of process with pid 2876.
2019-07-11 03:05:29,203 [root] DEBUG: Terminate Event: Process 2876 has already been dumped(!)
2019-07-11 03:05:29,359 [root] INFO: Process with pid 2876 has terminated
2019-07-11 03:05:29,405 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2032
2019-07-11 03:05:29,421 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:29,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:29,421 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:29,421 [root] DEBUG: Loader: Injecting process 2032 (thread 880) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:29,421 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:29,421 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:29,421 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:29,421 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:29,421 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:29,437 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:29,437 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2032
2019-07-11 03:05:29,437 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2032
2019-07-11 03:05:29,437 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:29,437 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:29,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:29,437 [root] DEBUG: Loader: Injecting process 2032 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:29,437 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:29,437 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:29,453 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:29,453 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:29,453 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:29,453 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:29,469 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2032 at 0x747e0000, image base 0xdc0000, stack from 0xd16000-0xd20000
2019-07-11 03:05:29,469 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:29,469 [root] INFO: Added new process to list with pid: 2032
2019-07-11 03:05:29,469 [root] INFO: Monitor successfully loaded in process with pid 2032.
2019-07-11 03:05:29,483 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:29,483 [root] DEBUG: DLL loaded at 0x044C0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:29,483 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:29,500 [root] DEBUG: DLL unloaded from 0x044C0000.
2019-07-11 03:05:29,500 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:29,500 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:29,500 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:29,500 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2032, error: -8
2019-07-11 03:05:30,545 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:31,559 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2032
2019-07-11 03:05:31,559 [root] DEBUG: GetHookCallerBase: thread 880 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:31,559 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:31,559 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:31,559 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:31,575 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2032_18721652813125511472019
2019-07-11 03:05:31,575 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:31,575 [root] INFO: Notified of termination of process with pid 2032.
2019-07-11 03:05:31,575 [root] DEBUG: Terminate Event: Process 2032 has already been dumped(!)
2019-07-11 03:05:31,809 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3032
2019-07-11 03:05:31,809 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:31,823 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:31,823 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:31,823 [root] DEBUG: Loader: Injecting process 3032 (thread 1856) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:31,823 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:31,823 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:31,823 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:31,823 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:31,839 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:31,839 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:31,839 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3032
2019-07-11 03:05:31,839 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3032
2019-07-11 03:05:31,839 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:31,839 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:31,839 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:31,855 [root] DEBUG: Loader: Injecting process 3032 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:31,855 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:31,855 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:31,855 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:31,855 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:31,855 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:31,871 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:31,871 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3032 at 0x747e0000, image base 0xdc0000, stack from 0xa06000-0xa10000
2019-07-11 03:05:31,871 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:31,871 [root] INFO: Added new process to list with pid: 3032
2019-07-11 03:05:31,871 [root] INFO: Monitor successfully loaded in process with pid 3032.
2019-07-11 03:05:31,871 [root] DEBUG: set_caller_info: Adding region at 0x004E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:31,887 [root] DEBUG: DLL loaded at 0x04450000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:31,887 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:31,887 [root] DEBUG: DLL unloaded from 0x04450000.
2019-07-11 03:05:31,887 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:31,887 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:31,887 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:31,887 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3032, error: -8
2019-07-11 03:05:32,401 [root] INFO: Process with pid 2032 has terminated
2019-07-11 03:05:32,635 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:33,650 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3032
2019-07-11 03:05:33,650 [root] DEBUG: GetHookCallerBase: thread 1856 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:33,650 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x004C0000.
2019-07-11 03:05:33,650 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x004C0000.
2019-07-11 03:05:33,650 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:33,664 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3032_13096042363325511472019
2019-07-11 03:05:33,664 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:33,664 [root] INFO: Notified of termination of process with pid 3032.
2019-07-11 03:05:33,664 [root] DEBUG: Terminate Event: Process 3032 has already been dumped(!)
2019-07-11 03:05:33,961 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2764
2019-07-11 03:05:33,961 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:33,961 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:33,976 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:33,976 [root] DEBUG: Loader: Injecting process 2764 (thread 2676) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:33,976 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:33,976 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:33,976 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:33,976 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:33,993 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:33,993 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:33,993 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2764
2019-07-11 03:05:33,993 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2764
2019-07-11 03:05:33,993 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:33,993 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:34,007 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:34,007 [root] DEBUG: Loader: Injecting process 2764 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:34,007 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:34,007 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:34,023 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:34,023 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:34,023 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:34,039 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:34,039 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2764 at 0x747e0000, image base 0xdc0000, stack from 0xaf6000-0xb00000
2019-07-11 03:05:34,039 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:34,039 [root] INFO: Added new process to list with pid: 2764
2019-07-11 03:05:34,039 [root] INFO: Monitor successfully loaded in process with pid 2764.
2019-07-11 03:05:34,055 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:34,055 [root] DEBUG: DLL loaded at 0x03FE0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:34,055 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:34,055 [root] DEBUG: DLL unloaded from 0x03FE0000.
2019-07-11 03:05:34,055 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:34,055 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:34,071 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:34,071 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2764, error: -8
2019-07-11 03:05:34,430 [root] INFO: Process with pid 3032 has terminated
2019-07-11 03:05:34,742 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:35,770 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2764
2019-07-11 03:05:35,770 [root] DEBUG: GetHookCallerBase: thread 2676 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:35,786 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:35,786 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:35,786 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:35,802 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2764_17697805623525511472019
2019-07-11 03:05:35,802 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:35,802 [root] INFO: Notified of termination of process with pid 2764.
2019-07-11 03:05:35,802 [root] DEBUG: Terminate Event: Process 2764 has already been dumped(!)
2019-07-11 03:05:36,098 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1092
2019-07-11 03:05:36,098 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:36,098 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:36,098 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:36,098 [root] DEBUG: Loader: Injecting process 1092 (thread 1752) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:36,114 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:36,114 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:36,114 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:36,114 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:36,114 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:36,114 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:36,114 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1092
2019-07-11 03:05:36,130 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1092
2019-07-11 03:05:36,130 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:36,130 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:36,130 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:36,130 [root] DEBUG: Loader: Injecting process 1092 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:36,145 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:36,145 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:36,145 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:36,145 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:36,145 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:36,161 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:36,161 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1092 at 0x747e0000, image base 0xdc0000, stack from 0xb46000-0xb50000
2019-07-11 03:05:36,161 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:36,161 [root] INFO: Added new process to list with pid: 1092
2019-07-11 03:05:36,161 [root] INFO: Monitor successfully loaded in process with pid 1092.
2019-07-11 03:05:36,177 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:36,177 [root] DEBUG: DLL loaded at 0x02AD0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:36,177 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:36,177 [root] DEBUG: DLL unloaded from 0x02AD0000.
2019-07-11 03:05:36,177 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:36,191 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:36,191 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:36,191 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1092, error: -8
2019-07-11 03:05:36,457 [root] INFO: Process with pid 2764 has terminated
2019-07-11 03:05:36,769 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:37,783 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1092
2019-07-11 03:05:37,783 [root] DEBUG: GetHookCallerBase: thread 1752 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:37,783 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:37,799 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:37,799 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:37,799 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1092_3265835623725511472019
2019-07-11 03:05:37,815 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:37,815 [root] INFO: Notified of termination of process with pid 1092.
2019-07-11 03:05:37,815 [root] DEBUG: Terminate Event: Process 1092 has already been dumped(!)
2019-07-11 03:05:38,049 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2848
2019-07-11 03:05:38,049 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:38,049 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:38,049 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:38,049 [root] DEBUG: Loader: Injecting process 2848 (thread 2856) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:38,063 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:38,063 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:38,063 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:38,063 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:38,063 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:38,079 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:38,079 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2019-07-11 03:05:38,079 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2848
2019-07-11 03:05:38,079 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:38,079 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:38,079 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:38,095 [root] DEBUG: Loader: Injecting process 2848 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:38,095 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:38,095 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:38,111 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:38,111 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:38,111 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:38,127 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:38,127 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2848 at 0x747e0000, image base 0xdc0000, stack from 0xba6000-0xbb0000
2019-07-11 03:05:38,127 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:38,127 [root] INFO: Added new process to list with pid: 2848
2019-07-11 03:05:38,127 [root] INFO: Monitor successfully loaded in process with pid 2848.
2019-07-11 03:05:38,141 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:38,141 [root] DEBUG: DLL loaded at 0x05110000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:38,141 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:38,141 [root] DEBUG: DLL unloaded from 0x05110000.
2019-07-11 03:05:38,141 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:38,141 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:38,157 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:38,157 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2848, error: -8
2019-07-11 03:05:38,486 [root] INFO: Process with pid 1092 has terminated
2019-07-11 03:05:38,859 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:39,874 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2848
2019-07-11 03:05:39,874 [root] DEBUG: GetHookCallerBase: thread 2856 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:39,874 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:39,890 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:39,890 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:39,890 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2848_306201143925511472019
2019-07-11 03:05:39,890 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:39,904 [root] INFO: Notified of termination of process with pid 2848.
2019-07-11 03:05:39,904 [root] DEBUG: Terminate Event: Process 2848 has already been dumped(!)
2019-07-11 03:05:40,247 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1672
2019-07-11 03:05:40,247 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:40,263 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:40,263 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:40,263 [root] DEBUG: Loader: Injecting process 1672 (thread 1096) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:40,263 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:40,279 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:40,279 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:40,279 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:40,279 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:40,279 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:40,279 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1672
2019-07-11 03:05:40,295 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1672
2019-07-11 03:05:40,295 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:40,295 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:40,295 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:40,295 [root] DEBUG: Loader: Injecting process 1672 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:40,311 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:40,311 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:40,311 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:40,311 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:40,325 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:40,325 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:40,325 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1672 at 0x747e0000, image base 0xdc0000, stack from 0xc26000-0xc30000
2019-07-11 03:05:40,325 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:40,342 [root] INFO: Added new process to list with pid: 1672
2019-07-11 03:05:40,342 [root] INFO: Monitor successfully loaded in process with pid 1672.
2019-07-11 03:05:40,342 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:40,342 [root] DEBUG: DLL loaded at 0x04C00000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:40,342 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:40,358 [root] DEBUG: DLL unloaded from 0x04C00000.
2019-07-11 03:05:40,358 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:40,358 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:40,358 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:40,358 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1672, error: -8
2019-07-11 03:05:40,513 [root] INFO: Process with pid 2848 has terminated
2019-07-11 03:05:40,950 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:41,963 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1672
2019-07-11 03:05:41,963 [root] DEBUG: GetHookCallerBase: thread 1096 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:41,963 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:05:41,980 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:05:41,980 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:41,996 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1672_19032424884125511472019
2019-07-11 03:05:41,996 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:42,010 [root] INFO: Notified of termination of process with pid 1672.
2019-07-11 03:05:42,010 [root] DEBUG: Terminate Event: Process 1672 has already been dumped(!)
2019-07-11 03:05:42,151 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 544
2019-07-11 03:05:42,167 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:42,167 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:42,167 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:42,183 [root] DEBUG: Loader: Injecting process 544 (thread 2844) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:42,183 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:42,183 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:42,183 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:42,183 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:42,183 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:42,197 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:42,197 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 544
2019-07-11 03:05:42,197 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 544
2019-07-11 03:05:42,197 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:42,213 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:42,213 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:42,213 [root] DEBUG: Loader: Injecting process 544 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:42,213 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:42,230 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:42,230 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:42,230 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:42,244 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:42,244 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:42,244 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 544 at 0x747e0000, image base 0xdc0000, stack from 0xb46000-0xb50000
2019-07-11 03:05:42,244 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:42,260 [root] INFO: Added new process to list with pid: 544
2019-07-11 03:05:42,260 [root] INFO: Monitor successfully loaded in process with pid 544.
2019-07-11 03:05:42,260 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:42,260 [root] DEBUG: DLL loaded at 0x00F00000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:42,276 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:42,276 [root] DEBUG: DLL unloaded from 0x00F00000.
2019-07-11 03:05:42,276 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:42,276 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:42,276 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:42,292 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 544, error: -8
2019-07-11 03:05:42,542 [root] INFO: Process with pid 1672 has terminated
2019-07-11 03:05:43,040 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:44,055 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 544
2019-07-11 03:05:44,055 [root] DEBUG: GetHookCallerBase: thread 2844 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:44,055 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:44,069 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:44,069 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:44,085 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\544_16951723664425511472019
2019-07-11 03:05:44,085 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:44,085 [root] INFO: Notified of termination of process with pid 544.
2019-07-11 03:05:44,085 [root] DEBUG: Terminate Event: Process 544 has already been dumped(!)
2019-07-11 03:05:44,319 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2348
2019-07-11 03:05:44,335 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:44,335 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:44,335 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:44,351 [root] DEBUG: Loader: Injecting process 2348 (thread 2380) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:44,351 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:44,351 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:44,351 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:44,367 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:44,367 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:44,367 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:44,367 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2348
2019-07-11 03:05:44,367 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2348
2019-07-11 03:05:44,381 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:44,381 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:44,381 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:44,381 [root] DEBUG: Loader: Injecting process 2348 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:44,398 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:44,398 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:44,398 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:44,414 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:44,414 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:44,428 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:44,428 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2348 at 0x747e0000, image base 0xdc0000, stack from 0xbc6000-0xbd0000
2019-07-11 03:05:44,428 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:44,428 [root] INFO: Added new process to list with pid: 2348
2019-07-11 03:05:44,428 [root] INFO: Monitor successfully loaded in process with pid 2348.
2019-07-11 03:05:44,444 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:44,444 [root] DEBUG: DLL loaded at 0x006F0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:44,444 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:44,444 [root] DEBUG: DLL unloaded from 0x006F0000.
2019-07-11 03:05:44,460 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:44,460 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:44,460 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:44,460 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2348, error: -8
2019-07-11 03:05:44,569 [root] INFO: Process with pid 544 has terminated
2019-07-11 03:05:45,131 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:46,161 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2348
2019-07-11 03:05:46,161 [root] DEBUG: GetHookCallerBase: thread 2380 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:46,161 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:46,176 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:46,176 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:46,191 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2348_6396580484625511472019
2019-07-11 03:05:46,207 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:46,207 [root] INFO: Notified of termination of process with pid 2348.
2019-07-11 03:05:46,207 [root] DEBUG: Terminate Event: Process 2348 has already been dumped(!)
2019-07-11 03:05:46,503 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2896
2019-07-11 03:05:46,503 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:46,519 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:46,519 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:46,519 [root] DEBUG: Loader: Injecting process 2896 (thread 2852) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:46,519 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:46,535 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:46,535 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:46,535 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:46,535 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:46,551 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:46,551 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2896
2019-07-11 03:05:46,551 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2896
2019-07-11 03:05:46,551 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:46,565 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:46,565 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:46,565 [root] DEBUG: Loader: Injecting process 2896 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:46,582 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:46,582 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:46,582 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:46,598 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:46,598 [root] INFO: Process with pid 2348 has terminated
2019-07-11 03:05:46,598 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:46,598 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:46,612 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2896 at 0x747e0000, image base 0xdc0000, stack from 0xbb6000-0xbc0000
2019-07-11 03:05:46,612 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:46,612 [root] INFO: Added new process to list with pid: 2896
2019-07-11 03:05:46,612 [root] INFO: Monitor successfully loaded in process with pid 2896.
2019-07-11 03:05:46,628 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:46,628 [root] DEBUG: DLL loaded at 0x00BC0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:46,628 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:46,628 [root] DEBUG: DLL unloaded from 0x00BC0000.
2019-07-11 03:05:46,644 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:46,644 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:46,644 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:46,644 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2896, error: -8
2019-07-11 03:05:47,283 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:48,298 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2896
2019-07-11 03:05:48,298 [root] DEBUG: GetHookCallerBase: thread 2852 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:48,313 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:48,313 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:48,313 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:48,328 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2896_4125774964825511472019
2019-07-11 03:05:48,328 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:48,328 [root] INFO: Notified of termination of process with pid 2896.
2019-07-11 03:05:48,345 [root] DEBUG: Terminate Event: Process 2896 has already been dumped(!)
2019-07-11 03:05:48,500 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2128
2019-07-11 03:05:48,500 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:48,516 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:48,516 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:48,516 [root] DEBUG: Loader: Injecting process 2128 (thread 2052) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:48,532 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:48,532 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:48,532 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:48,532 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:48,548 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:48,548 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:48,548 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2128
2019-07-11 03:05:48,548 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2128
2019-07-11 03:05:48,562 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:48,562 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:48,562 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:48,562 [root] DEBUG: Loader: Injecting process 2128 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:48,594 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:48,609 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:48,625 [root] INFO: Process with pid 2896 has terminated
2019-07-11 03:05:48,641 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:48,657 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:48,657 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:48,657 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:48,671 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2128 at 0x747e0000, image base 0xdc0000, stack from 0xc36000-0xc40000
2019-07-11 03:05:48,671 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:48,671 [root] INFO: Added new process to list with pid: 2128
2019-07-11 03:05:48,671 [root] INFO: Monitor successfully loaded in process with pid 2128.
2019-07-11 03:05:48,687 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:48,687 [root] DEBUG: DLL loaded at 0x043A0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:48,687 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:48,687 [root] DEBUG: DLL unloaded from 0x043A0000.
2019-07-11 03:05:48,703 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:48,703 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:48,703 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:48,719 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2128, error: -8
2019-07-11 03:05:49,328 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:50,357 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2128
2019-07-11 03:05:50,357 [root] DEBUG: GetHookCallerBase: thread 2052 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:50,372 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:50,372 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:50,372 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:50,388 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2128_5477366375025511472019
2019-07-11 03:05:50,404 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:50,420 [root] INFO: Notified of termination of process with pid 2128.
2019-07-11 03:05:50,434 [root] DEBUG: Terminate Event: Process 2128 has already been dumped(!)
2019-07-11 03:05:50,668 [root] INFO: Process with pid 2128 has terminated
2019-07-11 03:05:50,732 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2944
2019-07-11 03:05:50,732 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:50,732 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:50,746 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:50,746 [root] DEBUG: Loader: Injecting process 2944 (thread 2812) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:50,746 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:50,746 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:50,763 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:50,763 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:50,763 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:50,778 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:50,778 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2944
2019-07-11 03:05:50,778 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2944
2019-07-11 03:05:50,778 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:50,793 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:50,793 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:50,793 [root] DEBUG: Loader: Injecting process 2944 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:50,809 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:50,809 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:50,825 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:50,825 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:50,825 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:50,841 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:50,841 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2944 at 0x747e0000, image base 0xdc0000, stack from 0xba6000-0xbb0000
2019-07-11 03:05:50,841 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:50,855 [root] INFO: Added new process to list with pid: 2944
2019-07-11 03:05:50,855 [root] INFO: Monitor successfully loaded in process with pid 2944.
2019-07-11 03:05:50,855 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:50,871 [root] DEBUG: DLL loaded at 0x04390000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:50,871 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:50,871 [root] DEBUG: DLL unloaded from 0x04390000.
2019-07-11 03:05:50,888 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:50,888 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:50,888 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:50,888 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2944, error: -8
2019-07-11 03:05:51,434 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:52,447 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2944
2019-07-11 03:05:52,447 [root] DEBUG: GetHookCallerBase: thread 2812 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:52,463 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:52,463 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:52,463 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:52,493 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2944_978166645225511472019
2019-07-11 03:05:52,493 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:52,493 [root] INFO: Notified of termination of process with pid 2944.
2019-07-11 03:05:52,493 [root] DEBUG: Terminate Event: Process 2944 has already been dumped(!)
2019-07-11 03:05:52,697 [root] INFO: Process with pid 2944 has terminated
2019-07-11 03:05:52,727 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2780
2019-07-11 03:05:52,727 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:52,727 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:52,743 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:52,743 [root] DEBUG: Loader: Injecting process 2780 (thread 3036) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:52,759 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:52,759 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:52,759 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:52,775 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:52,775 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:52,775 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:52,775 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2780
2019-07-11 03:05:52,790 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2780
2019-07-11 03:05:52,790 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:52,790 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:52,805 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:52,805 [root] DEBUG: Loader: Injecting process 2780 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:52,805 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:52,822 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:52,822 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:52,838 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:52,838 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:52,852 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:52,852 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2780 at 0x747e0000, image base 0xdc0000, stack from 0xbc6000-0xbd0000
2019-07-11 03:05:52,852 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:52,868 [root] INFO: Added new process to list with pid: 2780
2019-07-11 03:05:52,868 [root] INFO: Monitor successfully loaded in process with pid 2780.
2019-07-11 03:05:52,868 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:52,884 [root] DEBUG: DLL loaded at 0x04010000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:52,884 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:52,884 [root] DEBUG: DLL unloaded from 0x04010000.
2019-07-11 03:05:52,900 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:52,900 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:52,900 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:52,900 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2780, error: -8
2019-07-11 03:05:53,461 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:54,476 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2780
2019-07-11 03:05:54,476 [root] DEBUG: GetHookCallerBase: thread 3036 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:54,490 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:54,490 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:54,490 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:54,522 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2780_14011023535425511472019
2019-07-11 03:05:54,522 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:54,522 [root] INFO: Notified of termination of process with pid 2780.
2019-07-11 03:05:54,522 [root] DEBUG: Terminate Event: Process 2780 has already been dumped(!)
2019-07-11 03:05:54,724 [root] INFO: Process with pid 2780 has terminated
2019-07-11 03:05:54,819 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2112
2019-07-11 03:05:54,834 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:54,834 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:54,849 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:54,849 [root] DEBUG: Loader: Injecting process 2112 (thread 2064) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:54,849 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:54,865 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:54,865 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:54,865 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:54,881 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:54,881 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:54,881 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2112
2019-07-11 03:05:54,897 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2112
2019-07-11 03:05:54,897 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:54,897 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:54,911 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:54,911 [root] DEBUG: Loader: Injecting process 2112 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:54,927 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:54,927 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:54,944 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:54,944 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:54,944 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:54,959 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:54,959 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2112 at 0x747e0000, image base 0xdc0000, stack from 0xbe6000-0xbf0000
2019-07-11 03:05:54,974 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:54,974 [root] INFO: Added new process to list with pid: 2112
2019-07-11 03:05:54,974 [root] INFO: Monitor successfully loaded in process with pid 2112.
2019-07-11 03:05:54,990 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:54,990 [root] DEBUG: DLL loaded at 0x00F00000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:54,990 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:55,006 [root] DEBUG: DLL unloaded from 0x00F00000.
2019-07-11 03:05:55,006 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:55,006 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:55,006 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:55,022 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2112, error: -8
2019-07-11 03:05:55,568 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:56,582 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2112
2019-07-11 03:05:56,582 [root] DEBUG: GetHookCallerBase: thread 2064 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:56,596 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:56,596 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:56,596 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:56,628 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2112_4235362325625511472019
2019-07-11 03:05:56,628 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:56,628 [root] INFO: Notified of termination of process with pid 2112.
2019-07-11 03:05:56,644 [root] DEBUG: Terminate Event: Process 2112 has already been dumped(!)
2019-07-11 03:05:56,753 [root] INFO: Process with pid 2112 has terminated
2019-07-11 03:05:56,924 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1428
2019-07-11 03:05:56,940 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:56,940 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:56,956 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:56,956 [root] DEBUG: Loader: Injecting process 1428 (thread 2232) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:56,956 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:56,971 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:56,971 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:56,971 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:56,986 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:56,986 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:56,986 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1428
2019-07-11 03:05:56,986 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1428
2019-07-11 03:05:57,003 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:57,003 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:57,017 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:57,017 [root] DEBUG: Loader: Injecting process 1428 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:57,017 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:57,033 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:57,033 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:57,049 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:57,049 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:57,065 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:57,065 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1428 at 0x747e0000, image base 0xdc0000, stack from 0xca6000-0xcb0000
2019-07-11 03:05:57,081 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:57,081 [root] INFO: Added new process to list with pid: 1428
2019-07-11 03:05:57,081 [root] INFO: Monitor successfully loaded in process with pid 1428.
2019-07-11 03:05:57,095 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:57,095 [root] DEBUG: DLL loaded at 0x02CA0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:57,095 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:57,111 [root] DEBUG: DLL unloaded from 0x02CA0000.
2019-07-11 03:05:57,111 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:57,111 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:57,128 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:57,128 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1428, error: -8
2019-07-11 03:05:57,611 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:05:58,625 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1428
2019-07-11 03:05:58,625 [root] DEBUG: GetHookCallerBase: thread 2232 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:05:58,641 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:05:58,641 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:05:58,655 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:05:58,671 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1428_9143098885825511472019
2019-07-11 03:05:58,671 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:05:58,687 [root] INFO: Notified of termination of process with pid 1428.
2019-07-11 03:05:58,687 [root] DEBUG: Terminate Event: Process 1428 has already been dumped(!)
2019-07-11 03:05:58,780 [root] INFO: Process with pid 1428 has terminated
2019-07-11 03:05:59,092 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2608
2019-07-11 03:05:59,092 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:59,108 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:59,108 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:59,124 [root] DEBUG: Loader: Injecting process 2608 (thread 3000) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:59,124 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:05:59,124 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:59,140 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:05:59,140 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:05:59,140 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:05:59,155 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:59,155 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2608
2019-07-11 03:05:59,155 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2608
2019-07-11 03:05:59,171 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:05:59,171 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:05:59,187 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:05:59,187 [root] DEBUG: Loader: Injecting process 2608 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:59,187 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:05:59,201 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:05:59,217 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:05:59,217 [root] DEBUG: Process dumps enabled.
2019-07-11 03:05:59,217 [root] INFO: Disabling sleep skipping.
2019-07-11 03:05:59,233 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:05:59,233 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2608 at 0x747e0000, image base 0xdc0000, stack from 0xba6000-0xbb0000
2019-07-11 03:05:59,249 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:05:59,249 [root] INFO: Added new process to list with pid: 2608
2019-07-11 03:05:59,249 [root] INFO: Monitor successfully loaded in process with pid 2608.
2019-07-11 03:05:59,265 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:05:59,265 [root] DEBUG: DLL loaded at 0x00BB0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:05:59,279 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:05:59,279 [root] DEBUG: DLL unloaded from 0x00BB0000.
2019-07-11 03:05:59,279 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:05:59,296 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:05:59,296 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:05:59,296 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2608, error: -8
2019-07-11 03:05:59,717 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:00,730 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2608
2019-07-11 03:06:00,746 [root] DEBUG: GetHookCallerBase: thread 3000 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:00,746 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:00,746 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:00,762 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:00,778 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2608_896635380026511472019
2019-07-11 03:06:00,793 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:00,793 [root] INFO: Notified of termination of process with pid 2608.
2019-07-11 03:06:00,793 [root] DEBUG: Terminate Event: Process 2608 has already been dumped(!)
2019-07-11 03:06:00,809 [root] INFO: Process with pid 2608 has terminated
2019-07-11 03:06:01,028 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2952
2019-07-11 03:06:01,042 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:01,042 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:01,059 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:01,059 [root] DEBUG: Loader: Injecting process 2952 (thread 2056) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:01,073 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:01,073 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:01,073 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:01,089 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:01,089 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:01,089 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:01,105 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2952
2019-07-11 03:06:01,105 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2952
2019-07-11 03:06:01,121 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:01,121 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:01,137 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:01,137 [root] DEBUG: Loader: Injecting process 2952 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:01,137 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:01,151 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:01,151 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:01,167 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:01,167 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:01,184 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:01,184 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2952 at 0x747e0000, image base 0xdc0000, stack from 0xbe6000-0xbf0000
2019-07-11 03:06:01,198 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:01,198 [root] INFO: Added new process to list with pid: 2952
2019-07-11 03:06:01,198 [root] INFO: Monitor successfully loaded in process with pid 2952.
2019-07-11 03:06:01,214 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:01,230 [root] DEBUG: DLL loaded at 0x043A0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:01,230 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:01,246 [root] DEBUG: DLL unloaded from 0x043A0000.
2019-07-11 03:06:01,262 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:01,262 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:01,276 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:01,276 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2952, error: -8
2019-07-11 03:06:01,760 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:02,775 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2952
2019-07-11 03:06:02,775 [root] DEBUG: GetHookCallerBase: thread 2056 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:02,789 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:02,789 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:02,805 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:02,822 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2952_1638673832226511472019
2019-07-11 03:06:02,836 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:02,836 [root] INFO: Notified of termination of process with pid 2952.
2019-07-11 03:06:02,836 [root] DEBUG: Terminate Event: Process 2952 has already been dumped(!)
2019-07-11 03:06:03,196 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1512
2019-07-11 03:06:03,211 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:03,211 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:03,226 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:03,226 [root] DEBUG: Loader: Injecting process 1512 (thread 2436) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:03,243 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:03,243 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:03,257 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:03,257 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:03,257 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:03,273 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:03,273 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1512
2019-07-11 03:06:03,289 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1512
2019-07-11 03:06:03,289 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:03,289 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:03,305 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:03,305 [root] DEBUG: Loader: Injecting process 1512 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:03,321 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:03,321 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:03,335 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:03,335 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:03,351 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:03,368 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:03,368 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1512 at 0x747e0000, image base 0xdc0000, stack from 0xb36000-0xb40000
2019-07-11 03:06:03,382 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:03,398 [root] INFO: Added new process to list with pid: 1512
2019-07-11 03:06:03,398 [root] INFO: Monitor successfully loaded in process with pid 1512.
2019-07-11 03:06:03,414 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:03,430 [root] DEBUG: DLL loaded at 0x00F00000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:03,430 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:03,446 [root] DEBUG: DLL unloaded from 0x00F00000.
2019-07-11 03:06:03,446 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:03,460 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:03,460 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:03,460 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1512, error: -8
2019-07-11 03:06:03,803 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:03,851 [root] INFO: Process with pid 2952 has terminated
2019-07-11 03:06:04,818 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1512
2019-07-11 03:06:04,834 [root] DEBUG: GetHookCallerBase: thread 2436 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:04,834 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:04,834 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:04,849 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:04,881 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1512_200748140426511472019
2019-07-11 03:06:04,881 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:04,881 [root] INFO: Notified of termination of process with pid 1512.
2019-07-11 03:06:04,895 [root] DEBUG: Terminate Event: Process 1512 has already been dumped(!)
2019-07-11 03:06:05,302 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2756
2019-07-11 03:06:05,318 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:05,318 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:05,332 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:05,332 [root] DEBUG: Loader: Injecting process 2756 (thread 2624) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:05,348 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:05,348 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:05,364 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:05,364 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:05,364 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:05,380 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:05,380 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2756
2019-07-11 03:06:05,395 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2756
2019-07-11 03:06:05,395 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:05,395 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:05,411 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:05,427 [root] DEBUG: Loader: Injecting process 2756 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:05,427 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:05,427 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:05,441 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:05,457 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:05,457 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:05,473 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:05,473 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2756 at 0x747e0000, image base 0xdc0000, stack from 0xb96000-0xba0000
2019-07-11 03:06:05,489 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:05,489 [root] INFO: Added new process to list with pid: 2756
2019-07-11 03:06:05,489 [root] INFO: Monitor successfully loaded in process with pid 2756.
2019-07-11 03:06:05,505 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:05,519 [root] DEBUG: DLL loaded at 0x00610000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:05,519 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:05,519 [root] DEBUG: DLL unloaded from 0x00610000.
2019-07-11 03:06:05,536 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:05,536 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:05,552 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:05,552 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2756, error: -8
2019-07-11 03:06:05,878 [root] INFO: Process with pid 1512 has terminated
2019-07-11 03:06:05,910 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:06,940 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2756
2019-07-11 03:06:06,956 [root] DEBUG: GetHookCallerBase: thread 2624 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:06,956 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:06,956 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:06,970 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:07,002 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2756_540162214626511472019
2019-07-11 03:06:07,002 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:07,017 [root] INFO: Notified of termination of process with pid 2756.
2019-07-11 03:06:07,017 [root] DEBUG: Terminate Event: Process 2756 has already been dumped(!)
2019-07-11 03:06:07,377 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2940
2019-07-11 03:06:07,377 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:07,391 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:07,391 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:07,407 [root] DEBUG: Loader: Injecting process 2940 (thread 3012) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:07,407 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:07,424 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:07,424 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:07,438 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:07,438 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:07,438 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:07,454 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2940
2019-07-11 03:06:07,454 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2940
2019-07-11 03:06:07,470 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:07,470 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:07,486 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:07,486 [root] DEBUG: Loader: Injecting process 2940 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:07,502 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:07,502 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:07,516 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:07,516 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:07,532 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:07,548 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:07,548 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2940 at 0x747e0000, image base 0xdc0000, stack from 0xcd6000-0xce0000
2019-07-11 03:06:07,548 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:07,563 [root] INFO: Added new process to list with pid: 2940
2019-07-11 03:06:07,563 [root] INFO: Monitor successfully loaded in process with pid 2940.
2019-07-11 03:06:07,579 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:07,579 [root] DEBUG: DLL loaded at 0x05150000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:07,595 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:07,595 [root] DEBUG: DLL unloaded from 0x05150000.
2019-07-11 03:06:07,611 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:07,611 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:07,625 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:07,625 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2940, error: -8
2019-07-11 03:06:07,907 [root] INFO: Process with pid 2756 has terminated
2019-07-11 03:06:08,048 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:09,076 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2940
2019-07-11 03:06:09,092 [root] DEBUG: GetHookCallerBase: thread 3012 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:09,092 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:09,108 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:09,108 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:09,140 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2940_81670888926511472019
2019-07-11 03:06:09,140 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:09,154 [root] INFO: Notified of termination of process with pid 2940.
2019-07-11 03:06:09,154 [root] DEBUG: Terminate Event: Process 2940 has already been dumped(!)
2019-07-11 03:06:09,622 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2784
2019-07-11 03:06:09,638 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:09,638 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:09,654 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:09,654 [root] DEBUG: Loader: Injecting process 2784 (thread 864) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:09,670 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:09,670 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:09,670 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:09,686 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:09,686 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:09,700 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:09,700 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2784
2019-07-11 03:06:09,717 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2784
2019-07-11 03:06:09,717 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:09,732 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:09,747 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:09,747 [root] DEBUG: Loader: Injecting process 2784 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:09,763 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:09,763 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:09,779 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:09,779 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:09,795 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:09,809 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:09,809 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2784 at 0x747e0000, image base 0xdc0000, stack from 0xc26000-0xc30000
2019-07-11 03:06:09,825 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:09,825 [root] INFO: Added new process to list with pid: 2784
2019-07-11 03:06:09,842 [root] INFO: Monitor successfully loaded in process with pid 2784.
2019-07-11 03:06:09,842 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:09,857 [root] DEBUG: DLL loaded at 0x04940000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:09,857 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:09,872 [root] DEBUG: DLL unloaded from 0x04940000.
2019-07-11 03:06:09,872 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:09,888 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:09,888 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:09,888 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2784, error: -8
2019-07-11 03:06:09,934 [root] INFO: Process with pid 2940 has terminated
2019-07-11 03:06:10,121 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:11,151 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2784
2019-07-11 03:06:11,167 [root] DEBUG: GetHookCallerBase: thread 864 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:11,167 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:11,183 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:11,183 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:11,213 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2784_10425092091126511472019
2019-07-11 03:06:11,213 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:11,230 [root] INFO: Notified of termination of process with pid 2784.
2019-07-11 03:06:11,230 [root] DEBUG: Terminate Event: Process 2784 has already been dumped(!)
2019-07-11 03:06:11,681 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 576
2019-07-11 03:06:11,697 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:11,697 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:11,713 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:11,729 [root] DEBUG: Loader: Injecting process 576 (thread 2700) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:11,729 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:11,744 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:11,744 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:11,759 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:11,759 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:11,776 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:11,776 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 576
2019-07-11 03:06:11,792 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 576
2019-07-11 03:06:11,792 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:11,792 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:11,806 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:11,822 [root] DEBUG: Loader: Injecting process 576 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:11,838 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:11,838 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:11,854 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:11,854 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:11,869 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:11,884 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:11,884 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 576 at 0x747e0000, image base 0xdc0000, stack from 0xc06000-0xc10000
2019-07-11 03:06:11,901 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:11,901 [root] INFO: Added new process to list with pid: 576
2019-07-11 03:06:11,915 [root] INFO: Monitor successfully loaded in process with pid 576.
2019-07-11 03:06:11,915 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:11,931 [root] DEBUG: DLL loaded at 0x04BE0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:11,931 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:11,947 [root] DEBUG: DLL unloaded from 0x04BE0000.
2019-07-11 03:06:11,947 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:11,963 [root] INFO: Process with pid 2784 has terminated
2019-07-11 03:06:11,963 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:11,963 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:11,979 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 576, error: -8
2019-07-11 03:06:12,259 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:13,289 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 576
2019-07-11 03:06:13,305 [root] DEBUG: GetHookCallerBase: thread 2700 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:13,305 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:13,319 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:13,319 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:13,351 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\576_21388687361326511472019
2019-07-11 03:06:13,367 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:13,367 [root] INFO: Notified of termination of process with pid 576.
2019-07-11 03:06:13,382 [root] DEBUG: Terminate Event: Process 576 has already been dumped(!)
2019-07-11 03:06:13,756 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1116
2019-07-11 03:06:13,756 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:13,773 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:13,788 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:13,788 [root] DEBUG: Loader: Injecting process 1116 (thread 1940) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:13,788 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:13,803 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:13,803 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:13,819 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:13,819 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:13,835 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:13,835 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1116
2019-07-11 03:06:13,851 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1116
2019-07-11 03:06:13,851 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:13,865 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:13,881 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:13,881 [root] DEBUG: Loader: Injecting process 1116 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:13,898 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:13,898 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:13,913 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:13,928 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:13,928 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:13,944 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:13,960 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1116 at 0x747e0000, image base 0xdc0000, stack from 0xb56000-0xb60000
2019-07-11 03:06:13,960 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:13,976 [root] INFO: Added new process to list with pid: 1116
2019-07-11 03:06:13,976 [root] INFO: Monitor successfully loaded in process with pid 1116.
2019-07-11 03:06:13,976 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:13,990 [root] INFO: Process with pid 576 has terminated
2019-07-11 03:06:13,990 [root] DEBUG: DLL loaded at 0x04D10000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:14,006 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:14,006 [root] DEBUG: DLL unloaded from 0x04D10000.
2019-07-11 03:06:14,022 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:14,022 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:14,038 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:14,038 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1116, error: -8
2019-07-11 03:06:14,397 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:15,426 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1116
2019-07-11 03:06:15,441 [root] DEBUG: GetHookCallerBase: thread 1940 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:15,441 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:15,457 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:15,457 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:15,489 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1116_16020271751526511472019
2019-07-11 03:06:15,503 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:15,503 [root] INFO: Notified of termination of process with pid 1116.
2019-07-11 03:06:15,519 [root] DEBUG: Terminate Event: Process 1116 has already been dumped(!)
2019-07-11 03:06:15,832 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2296
2019-07-11 03:06:15,848 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:15,862 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:15,862 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:15,878 [root] DEBUG: Loader: Injecting process 2296 (thread 2796) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:15,878 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:15,894 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:15,894 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:15,910 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:15,926 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:15,926 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:15,940 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2296
2019-07-11 03:06:15,940 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2296
2019-07-11 03:06:15,957 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:15,957 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:15,971 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:15,987 [root] DEBUG: Loader: Injecting process 2296 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:15,987 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:16,003 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:16,019 [root] INFO: Process with pid 1116 has terminated
2019-07-11 03:06:16,019 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:16,019 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:16,035 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:16,049 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:16,049 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2296 at 0x747e0000, image base 0xdc0000, stack from 0xc06000-0xc10000
2019-07-11 03:06:16,065 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:16,065 [root] INFO: Added new process to list with pid: 2296
2019-07-11 03:06:16,082 [root] INFO: Monitor successfully loaded in process with pid 2296.
2019-07-11 03:06:16,082 [root] DEBUG: set_caller_info: Adding region at 0x000C0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:16,096 [root] DEBUG: DLL loaded at 0x03EE0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:16,096 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:16,112 [root] DEBUG: DLL unloaded from 0x03EE0000.
2019-07-11 03:06:16,112 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:16,128 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:16,128 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:16,144 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2296, error: -8
2019-07-11 03:06:16,533 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:17,563 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2296
2019-07-11 03:06:17,578 [root] DEBUG: GetHookCallerBase: thread 2796 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:17,578 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x004D0000.
2019-07-11 03:06:17,595 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x004D0000.
2019-07-11 03:06:17,595 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:17,625 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2296_18289084181726511472019
2019-07-11 03:06:17,641 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:17,657 [root] INFO: Notified of termination of process with pid 2296.
2019-07-11 03:06:17,657 [root] DEBUG: Terminate Event: Process 2296 has already been dumped(!)
2019-07-11 03:06:17,921 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2628
2019-07-11 03:06:17,937 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:17,937 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:17,953 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:17,969 [root] DEBUG: Loader: Injecting process 2628 (thread 3016) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:17,969 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:17,984 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:17,984 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:18,000 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:18,016 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:18,016 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:18,016 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2628
2019-07-11 03:06:18,032 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2628
2019-07-11 03:06:18,046 [root] INFO: Process with pid 2296 has terminated
2019-07-11 03:06:18,046 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:18,046 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:18,062 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:18,078 [root] DEBUG: Loader: Injecting process 2628 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:18,078 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:18,094 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:18,109 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:18,109 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:18,125 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:18,141 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:18,141 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2628 at 0x747e0000, image base 0xdc0000, stack from 0xd26000-0xd30000
2019-07-11 03:06:18,155 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:18,171 [root] INFO: Added new process to list with pid: 2628
2019-07-11 03:06:18,171 [root] INFO: Monitor successfully loaded in process with pid 2628.
2019-07-11 03:06:18,187 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:18,187 [root] DEBUG: DLL loaded at 0x00F00000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:18,203 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:18,219 [root] DEBUG: DLL unloaded from 0x00F00000.
2019-07-11 03:06:18,219 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:18,233 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:18,233 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:18,250 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2628, error: -8
2019-07-11 03:06:18,671 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:19,700 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2628
2019-07-11 03:06:19,716 [root] DEBUG: GetHookCallerBase: thread 3016 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:19,716 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:19,732 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:19,732 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:19,779 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2628_2939819841926511472019
2019-07-11 03:06:19,779 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:19,793 [root] INFO: Notified of termination of process with pid 2628.
2019-07-11 03:06:19,793 [root] DEBUG: Terminate Event: Process 2628 has already been dumped(!)
2019-07-11 03:06:20,075 [root] INFO: Process with pid 2628 has terminated
2019-07-11 03:06:20,216 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1776
2019-07-11 03:06:20,230 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:20,246 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:20,262 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:20,262 [root] DEBUG: Loader: Injecting process 1776 (thread 2240) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:20,278 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:20,278 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:20,293 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:20,309 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:20,309 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:20,325 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:20,325 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1776
2019-07-11 03:06:20,339 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1776
2019-07-11 03:06:20,339 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:20,355 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:20,371 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:20,371 [root] DEBUG: Loader: Injecting process 1776 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:20,387 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:20,387 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:20,403 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:20,417 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:20,434 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:20,450 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:20,450 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1776 at 0x747e0000, image base 0xdc0000, stack from 0xc46000-0xc50000
2019-07-11 03:06:20,464 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:20,464 [root] INFO: Added new process to list with pid: 1776
2019-07-11 03:06:20,480 [root] INFO: Monitor successfully loaded in process with pid 1776.
2019-07-11 03:06:20,480 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:20,496 [root] DEBUG: DLL loaded at 0x00F00000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:20,512 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:20,512 [root] DEBUG: DLL unloaded from 0x00F00000.
2019-07-11 03:06:20,528 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:20,528 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:20,542 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:20,542 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1776, error: -8
2019-07-11 03:06:20,823 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:21,838 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1776
2019-07-11 03:06:21,854 [root] DEBUG: GetHookCallerBase: thread 2240 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:21,854 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:21,868 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:21,868 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:21,915 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1776_20035631542126511472019
2019-07-11 03:06:21,915 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:21,931 [root] INFO: Notified of termination of process with pid 1776.
2019-07-11 03:06:21,931 [root] DEBUG: Terminate Event: Process 1776 has already been dumped(!)
2019-07-11 03:06:22,102 [root] INFO: Process with pid 1776 has terminated
2019-07-11 03:06:22,336 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1924
2019-07-11 03:06:22,352 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:22,368 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:22,368 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:22,384 [root] DEBUG: Loader: Injecting process 1924 (thread 2272) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:22,400 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:22,400 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:22,414 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:22,414 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:22,430 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:22,446 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:22,446 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1924
2019-07-11 03:06:22,461 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1924
2019-07-11 03:06:22,461 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:22,477 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:22,493 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:22,493 [root] DEBUG: Loader: Injecting process 1924 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:22,509 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:22,509 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:22,523 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:22,539 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:22,555 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:22,571 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:22,571 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1924 at 0x747e0000, image base 0xdc0000, stack from 0xab6000-0xac0000
2019-07-11 03:06:22,586 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:22,601 [root] INFO: Added new process to list with pid: 1924
2019-07-11 03:06:22,601 [root] INFO: Monitor successfully loaded in process with pid 1924.
2019-07-11 03:06:22,618 [root] DEBUG: set_caller_info: Adding region at 0x00080000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:22,618 [root] DEBUG: DLL loaded at 0x04790000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:22,634 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:22,648 [root] DEBUG: DLL unloaded from 0x04790000.
2019-07-11 03:06:22,648 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:22,648 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:22,664 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:22,664 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1924, error: -8
2019-07-11 03:06:22,960 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:23,974 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1924
2019-07-11 03:06:23,990 [root] DEBUG: GetHookCallerBase: thread 2272 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:24,006 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000D0000.
2019-07-11 03:06:24,022 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000D0000.
2019-07-11 03:06:24,038 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:24,084 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1924_3325250502426511472019
2019-07-11 03:06:24,084 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:24,099 [root] INFO: Notified of termination of process with pid 1924.
2019-07-11 03:06:24,099 [root] DEBUG: Terminate Event: Process 1924 has already been dumped(!)
2019-07-11 03:06:24,131 [root] INFO: Process with pid 1924 has terminated
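Reading this stretch of the analyzer log by hand is tedious: every two seconds or so the sample re-launches itself under a fresh pid (2628, 1776, 1924, 560, 2904, 2680, 924, 2612, ...), CAPE's loader hooks each new instance by IAT patching while it is still suspended, the Human module clicks a "Close the program" dialog, and the NtTerminateProcess hook dumps a PE of size 0x1c200 with entry point 0x1A1F8 each time. The `ERROR: Unable to inject ... error: -8` lines are easy to misread as lost coverage, but each one follows a `Monitor successfully loaded` line for the same pid; it is CAPE's second, thread-based attempt (`InjectDllViaThread`, error 1114) failing in a process the IAT patch already hooked. The following parser is an added example, not part of CAPE or of this report; it reduces the log to one record per pid and answers the three questions an analyst wants from it (which processes were actually unhooked, whether the sample is in a crash-and-respawn loop, and which dumps are repeats). `SAMPLE_LOG` is a constructed, trimmed copy of the lines above; `parse_cape_log`, `coverage_gaps`, `respawn_loop` and `duplicate_dumps` are names chosen here, and the lifetime and respawn thresholds are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the CAPE analyzer log lines on this page
# (two respawn cycles, pids 1776 and 1924). The line format is CAPE's; the selection is ours.
SAMPLE_LOG = """\
2019-07-11 03:06:20,216 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1776
2019-07-11 03:06:20,480 [root] INFO: Monitor successfully loaded in process with pid 1776.
2019-07-11 03:06:20,528 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:20,823 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:21,838 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1776
2019-07-11 03:06:21,868 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:21,915 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:22,102 [root] INFO: Process with pid 1776 has terminated
2019-07-11 03:06:22,336 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1924
2019-07-11 03:06:22,601 [root] INFO: Monitor successfully loaded in process with pid 1924.
2019-07-11 03:06:22,648 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:22,960 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:23,974 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1924
2019-07-11 03:06:24,038 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:24,084 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:24,131 [root] INFO: Process with pid 1924 has terminated
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<mod>[^\]]+)\] (?P<lvl>\w+): (?P<msg>.*)$")


@dataclass
class Proc:
    pid: int
    name: str
    announced: datetime
    terminated: Optional[datetime] = None
    monitor_loaded: bool = False               # saw "Monitor successfully loaded in process"
    thread_inject_error: Optional[int] = None  # Win32 error logged by InjectDllViaThread
    crash_dialog: bool = False                 # Human module clicked a "Close the program" button
    dump_entry: Optional[int] = None           # entry point value logged for the termination dump
    dump_size: Optional[int] = None

    @property
    def lifetime(self) -> Optional[float]:
        return None if self.terminated is None else (self.terminated - self.announced).total_seconds()


def parse_cape_log(text: str) -> Dict[int, Proc]:
    procs: Dict[int, Proc] = {}
    cur: Optional[Proc] = None  # pid context for lines that carry no pid of their own
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"), m["msg"]
        if x := re.match(r"Announced 32-bit process name: (\S+) pid: (\d+)", msg):
            cur = procs.setdefault(int(x[2]), Proc(int(x[2]), x[1], ts))  # announced twice; keep first
        elif x := re.search(r"Monitor successfully loaded in process with pid (\d+)", msg):
            if p := procs.get(int(x[1])):
                p.monitor_loaded = True
        elif (x := re.match(r"Error (\d+) \(0x[0-9a-f]+\) - InjectDllViaThread", msg)) and cur:
            cur.thread_inject_error = int(x[1])
        elif msg.startswith('Found button "Close the program"') and cur:
            cur.crash_dialog = True
        elif x := re.search(r"Attempting to dump process (\d+)", msg):
            cur = procs.get(int(x[1]))
        elif (x := re.search(r"entry point VA is (0x[0-9A-Fa-f]+)", msg)) and cur:
            cur.dump_entry = int(x[1], 16)
        elif (x := re.search(r"dump size (0x[0-9A-Fa-f]+)", msg)) and cur:
            cur.dump_size = int(x[1], 16)
        elif x := re.search(r"Process with pid (\d+) has terminated", msg):
            if p := procs.get(int(x[1])):
                p.terminated = ts
    return procs


def coverage_gaps(procs: Dict[int, Proc]) -> List[int]:
    # Only a process that never reported "Monitor successfully loaded" lost hook coverage.
    # An Error 1114 from InjectDllViaThread after that line is the second, thread-based
    # attempt failing in a process the IAT patch already hooked, and is not a gap.
    return sorted(p.pid for p in procs.values() if not p.monitor_loaded)


def respawn_loop(procs: Dict[int, Proc], max_lifetime: float = 5.0, min_cycles: int = 2) -> List[int]:
    # Same-named processes, in announce order, that each hit a crash dialog and died within
    # max_lifetime seconds (assumed threshold): the sample re-launching itself after every crash.
    pids = [p.pid for p in sorted(procs.values(), key=lambda p: p.announced)
            if p.crash_dialog and p.lifetime is not None and p.lifetime <= max_lifetime]
    names = {procs[pid].name for pid in pids}
    return pids if len(pids) >= min_cycles and len(names) == 1 else []


def duplicate_dumps(procs: Dict[int, Proc]) -> Dict[tuple, List[int]]:
    # Dumps sharing (size, entry point) across pids are the same PE dumped again;
    # one copy is enough to take to a disassembler or a config extractor.
    groups: Dict[tuple, List[int]] = {}
    for p in sorted(procs.values(), key=lambda p: p.announced):
        if p.dump_size is not None and p.dump_entry is not None:
            groups.setdefault((p.dump_size, p.dump_entry), []).append(p.pid)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Run it over the full analysis.log from the task's output directory and the same three signals fall out for every cycle above. One more detail worth checking by hand: the base CAPE dumps at termination (0x00080000, 0x000D0000, 0x000C0000 in the cycles above) is not the 0x00DC0000 the loader recorded as the process image base, so the 0x1c200-byte file in the CAPE directory is a PE mapped at a low address other than the main module, and the entries it produces should be compared against the extraction task's output rather than against the on-disk sample.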
2019-07-11 03:06:24,427 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 560
2019-07-11 03:06:24,443 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:24,443 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:24,459 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:24,459 [root] DEBUG: Loader: Injecting process 560 (thread 3028) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:24,473 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:24,490 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:24,490 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:24,506 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:24,506 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:24,520 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:24,536 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 560
2019-07-11 03:06:24,536 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 560
2019-07-11 03:06:24,552 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:24,568 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:24,568 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:24,584 [root] DEBUG: Loader: Injecting process 560 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:24,584 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:24,598 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:24,615 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:24,630 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:24,630 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:24,645 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:24,661 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 560 at 0x747e0000, image base 0xdc0000, stack from 0xa46000-0xa50000
2019-07-11 03:06:24,677 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:24,677 [root] INFO: Added new process to list with pid: 560
2019-07-11 03:06:24,693 [root] INFO: Monitor successfully loaded in process with pid 560.
2019-07-11 03:06:24,693 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:24,707 [root] DEBUG: DLL loaded at 0x00CC0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:24,707 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:24,707 [root] DEBUG: DLL unloaded from 0x00CC0000.
2019-07-11 03:06:24,723 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:24,740 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:24,740 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:24,755 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 560, error: -8
2019-07-11 03:06:25,130 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:26,158 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 560
2019-07-11 03:06:26,174 [root] DEBUG: GetHookCallerBase: thread 3028 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:26,174 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:26,190 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:26,206 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:26,253 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\560_7163846982626511472019
2019-07-11 03:06:26,267 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:26,283 [root] INFO: Notified of termination of process with pid 560.
2019-07-11 03:06:26,299 [root] DEBUG: Terminate Event: Process 560 has already been dumped(!)
2019-07-11 03:06:26,690 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2904
2019-07-11 03:06:26,704 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:26,720 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:26,736 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:26,736 [root] DEBUG: Loader: Injecting process 2904 (thread 252) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:26,752 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:26,752 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:26,767 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:26,767 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:26,782 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:26,799 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:26,799 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2904
2019-07-11 03:06:26,813 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2904
2019-07-11 03:06:26,829 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:26,829 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:26,845 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:26,861 [root] DEBUG: Loader: Injecting process 2904 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:26,861 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:26,877 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:26,891 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:26,891 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:26,907 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:26,924 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:26,938 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2904 at 0x747e0000, image base 0xdc0000, stack from 0xbf6000-0xc00000
2019-07-11 03:06:26,938 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:26,954 [root] INFO: Added new process to list with pid: 2904
2019-07-11 03:06:26,970 [root] INFO: Monitor successfully loaded in process with pid 2904.
2019-07-11 03:06:26,970 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:26,986 [root] DEBUG: DLL loaded at 0x01870000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:27,002 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:27,002 [root] DEBUG: DLL unloaded from 0x01870000.
2019-07-11 03:06:27,016 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:27,032 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:27,032 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:27,048 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2904, error: -8
2019-07-11 03:06:27,173 [root] INFO: Process with pid 560 has terminated
2019-07-11 03:06:27,298 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:28,312 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2904
2019-07-11 03:06:28,328 [root] DEBUG: GetHookCallerBase: thread 252 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:28,342 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:06:28,342 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:06:28,358 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:28,390 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2904_14575980562826511472019
2019-07-11 03:06:28,405 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:28,421 [root] INFO: Notified of termination of process with pid 2904.
2019-07-11 03:06:28,421 [root] DEBUG: Terminate Event: Process 2904 has already been dumped(!)
2019-07-11 03:06:28,842 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2680
2019-07-11 03:06:28,858 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:28,874 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:28,888 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:28,888 [root] DEBUG: Loader: Injecting process 2680 (thread 2984) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:28,904 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:28,920 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:28,920 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:28,936 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:28,936 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:28,951 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:28,967 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2680
2019-07-11 03:06:28,967 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2680
2019-07-11 03:06:28,983 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:28,997 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:28,997 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:29,013 [root] DEBUG: Loader: Injecting process 2680 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:29,029 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:29,029 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:29,045 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:29,061 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:29,075 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:29,092 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:29,092 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2680 at 0x747e0000, image base 0xdc0000, stack from 0xa56000-0xa60000
2019-07-11 03:06:29,108 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:29,122 [root] INFO: Added new process to list with pid: 2680
2019-07-11 03:06:29,122 [root] INFO: Monitor successfully loaded in process with pid 2680.
2019-07-11 03:06:29,138 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:29,154 [root] DEBUG: DLL loaded at 0x02900000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:29,154 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:29,170 [root] DEBUG: DLL unloaded from 0x02900000.
2019-07-11 03:06:29,170 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:29,186 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:29,200 [root] INFO: Process with pid 2904 has terminated
2019-07-11 03:06:29,200 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:29,200 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2680, error: -8
2019-07-11 03:06:29,420 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:30,448 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2680
2019-07-11 03:06:30,464 [root] DEBUG: GetHookCallerBase: thread 2984 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:30,464 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:06:30,480 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:06:30,496 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:30,526 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2680_13077943843026511472019
2019-07-11 03:06:30,542 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:30,558 [root] INFO: Notified of termination of process with pid 2680.
2019-07-11 03:06:30,558 [root] DEBUG: Terminate Event: Process 2680 has already been dumped(!)
2019-07-11 03:06:30,901 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 924
2019-07-11 03:06:30,917 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:30,917 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:30,933 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:30,947 [root] DEBUG: Loader: Injecting process 924 (thread 1224) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:30,947 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:30,963 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:30,980 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:30,980 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:30,994 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:31,010 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:31,010 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 924
2019-07-11 03:06:31,026 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 924
2019-07-11 03:06:31,042 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:31,042 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:31,058 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:31,072 [root] DEBUG: Loader: Injecting process 924 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:31,072 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:31,088 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:31,104 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:31,119 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:31,119 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:31,135 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:31,151 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 924 at 0x747e0000, image base 0xdc0000, stack from 0xc26000-0xc30000
2019-07-11 03:06:31,167 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:31,167 [root] INFO: Added new process to list with pid: 924
2019-07-11 03:06:31,181 [root] INFO: Monitor successfully loaded in process with pid 924.
2019-07-11 03:06:31,197 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:31,197 [root] DEBUG: DLL loaded at 0x02AF0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:31,213 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:31,229 [root] INFO: Process with pid 2680 has terminated
2019-07-11 03:06:31,229 [root] DEBUG: DLL unloaded from 0x02AF0000.
2019-07-11 03:06:31,244 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:31,244 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:31,259 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:31,276 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 924, error: -8
2019-07-11 03:06:31,572 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:32,585 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 924
2019-07-11 03:06:32,601 [root] DEBUG: GetHookCallerBase: thread 1224 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:32,618 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:32,618 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:32,632 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:32,680 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\924_13382140803226511472019
2019-07-11 03:06:32,680 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:32,696 [root] INFO: Notified of termination of process with pid 924.
2019-07-11 03:06:32,710 [root] DEBUG: Terminate Event: Process 924 has already been dumped(!)
2019-07-11 03:06:32,992 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2612
2019-07-11 03:06:33,007 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:33,023 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:33,039 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:33,053 [root] DEBUG: Loader: Injecting process 2612 (thread 1592) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:33,069 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:33,069 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:33,085 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:33,101 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:33,101 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:33,117 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:33,131 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2612
2019-07-11 03:06:33,148 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2612
2019-07-11 03:06:33,148 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:33,164 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:33,178 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:33,194 [root] DEBUG: Loader: Injecting process 2612 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:33,194 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:33,210 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:33,226 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:33,242 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:33,256 [root] INFO: Process with pid 924 has terminated
2019-07-11 03:06:33,256 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:33,273 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:33,288 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2612 at 0x747e0000, image base 0xdc0000, stack from 0xb46000-0xb50000
2019-07-11 03:06:33,288 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:33,303 [root] INFO: Added new process to list with pid: 2612
2019-07-11 03:06:33,303 [root] INFO: Monitor successfully loaded in process with pid 2612.
2019-07-11 03:06:33,319 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:33,335 [root] DEBUG: DLL loaded at 0x00240000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:33,335 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:33,351 [root] DEBUG: DLL unloaded from 0x00240000.
2019-07-11 03:06:33,365 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:33,381 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:33,381 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:33,398 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2612, error: -8
2019-07-11 03:06:33,724 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:34,739 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2612
2019-07-11 03:06:34,755 [root] DEBUG: GetHookCallerBase: thread 1592 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:34,769 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:34,769 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:34,786 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:34,832 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2612_3972824923426511472019
2019-07-11 03:06:34,848 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:34,848 [root] INFO: Notified of termination of process with pid 2612.
2019-07-11 03:06:34,864 [root] DEBUG: Terminate Event: Process 2612 has already been dumped(!)
2019-07-11 03:06:35,128 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1676
2019-07-11 03:06:35,144 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:35,144 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:35,160 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:35,176 [root] DEBUG: Loader: Injecting process 1676 (thread 288) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:35,191 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:35,191 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:35,207 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:35,223 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:35,223 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:35,237 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:35,253 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1676
2019-07-11 03:06:35,269 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1676
2019-07-11 03:06:35,269 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:35,285 [root] INFO: Process with pid 2612 has terminated
2019-07-11 03:06:35,285 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:35,301 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:35,315 [root] DEBUG: Loader: Injecting process 1676 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:35,332 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:35,348 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:35,362 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:35,378 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:35,394 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:35,410 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:35,426 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1676 at 0x747e0000, image base 0xdc0000, stack from 0xa46000-0xa50000
2019-07-11 03:06:35,440 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:35,457 [root] INFO: Added new process to list with pid: 1676
2019-07-11 03:06:35,457 [root] INFO: Monitor successfully loaded in process with pid 1676.
2019-07-11 03:06:35,471 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:35,487 [root] DEBUG: DLL loaded at 0x00A90000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:35,487 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:35,503 [root] DEBUG: DLL unloaded from 0x00A90000.
2019-07-11 03:06:35,519 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:35,519 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:35,535 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:35,549 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1676, error: -8
2019-07-11 03:06:35,878 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:36,891 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1676
2019-07-11 03:06:36,907 [root] DEBUG: GetHookCallerBase: thread 288 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:36,923 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:36,923 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:36,938 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:36,986 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1676_4495898353626511472019
2019-07-11 03:06:37,000 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:37,000 [root] INFO: Notified of termination of process with pid 1676.
2019-07-11 03:06:37,016 [root] DEBUG: Terminate Event: Process 1676 has already been dumped(!)
2019-07-11 03:06:37,282 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2416
2019-07-11 03:06:37,298 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:37,298 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:37,312 [root] INFO: Process with pid 1676 has terminated
2019-07-11 03:06:37,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:37,328 [root] DEBUG: Loader: Injecting process 2416 (thread 2344) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:37,344 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:37,344 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:37,359 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:37,375 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:37,391 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:37,391 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:37,407 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2416
2019-07-11 03:06:37,421 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2416
2019-07-11 03:06:37,437 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:37,437 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:37,453 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:37,469 [root] DEBUG: Loader: Injecting process 2416 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:37,484 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:37,500 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:37,516 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:37,516 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:37,532 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:37,546 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:37,562 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2416 at 0x747e0000, image base 0xdc0000, stack from 0xbd6000-0xbe0000
2019-07-11 03:06:37,578 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:37,594 [root] INFO: Added new process to list with pid: 2416
2019-07-11 03:06:37,609 [root] INFO: Monitor successfully loaded in process with pid 2416.
2019-07-11 03:06:37,625 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:37,641 [root] DEBUG: DLL loaded at 0x043A0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:37,655 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:37,671 [root] DEBUG: DLL unloaded from 0x043A0000.
2019-07-11 03:06:37,687 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:37,703 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:37,703 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:37,719 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2416, error: -8
2019-07-11 03:06:38,030 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:39,045 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2416
2019-07-11 03:06:39,059 [root] DEBUG: GetHookCallerBase: thread 2344 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:39,075 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:39,092 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:39,092 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:39,138 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2416_16658708023926511472019
2019-07-11 03:06:39,154 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:39,170 [root] INFO: Notified of termination of process with pid 2416.
2019-07-11 03:06:39,170 [root] DEBUG: Terminate Event: Process 2416 has already been dumped(!)
2019-07-11 03:06:39,341 [root] INFO: Process with pid 2416 has terminated
2019-07-11 03:06:39,559 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2792
2019-07-11 03:06:39,591 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:39,591 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:39,605 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:39,621 [root] DEBUG: Loader: Injecting process 2792 (thread 1260) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:39,638 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:39,653 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:39,653 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:39,668 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:39,684 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:39,684 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:39,700 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2792
2019-07-11 03:06:39,716 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2792
2019-07-11 03:06:39,730 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:39,730 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:39,746 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:39,762 [root] DEBUG: Loader: Injecting process 2792 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:39,778 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:39,793 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:39,809 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:39,825 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:39,839 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:39,855 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:39,871 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2792 at 0x747e0000, image base 0xdc0000, stack from 0xc16000-0xc20000
2019-07-11 03:06:39,887 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:39,887 [root] INFO: Added new process to list with pid: 2792
2019-07-11 03:06:39,903 [root] INFO: Monitor successfully loaded in process with pid 2792.
2019-07-11 03:06:39,917 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:39,934 [root] DEBUG: DLL loaded at 0x01150000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:39,950 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:39,980 [root] DEBUG: DLL unloaded from 0x01150000.
2019-07-11 03:06:39,980 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:39,996 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:40,012 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:40,012 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2792, error: -8
2019-07-11 03:06:40,184 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:41,197 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2792
2019-07-11 03:06:41,213 [root] DEBUG: GetHookCallerBase: thread 1260 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:41,229 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:41,243 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:41,243 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:41,290 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2792_18093928124126511472019
2019-07-11 03:06:41,306 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:41,322 [root] INFO: Notified of termination of process with pid 2792.
2019-07-11 03:06:41,338 [root] DEBUG: Terminate Event: Process 2792 has already been dumped(!)
2019-07-11 03:06:41,368 [root] INFO: Process with pid 2792 has terminated
2019-07-11 03:06:41,789 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2404
2019-07-11 03:06:41,805 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:41,805 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:41,836 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:41,836 [root] DEBUG: Loader: Injecting process 2404 (thread 2412) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:41,852 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:41,868 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:41,884 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:41,900 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:41,900 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:41,914 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:41,930 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2404
2019-07-11 03:06:41,946 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2404
2019-07-11 03:06:41,961 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:41,961 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:41,977 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:41,993 [root] DEBUG: Loader: Injecting process 2404 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:42,009 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:42,009 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:42,023 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:42,039 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:42,055 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:42,071 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:42,086 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2404 at 0x747e0000, image base 0xdc0000, stack from 0xaf6000-0xb00000
2019-07-11 03:06:42,101 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:42,118 [root] INFO: Added new process to list with pid: 2404
2019-07-11 03:06:42,118 [root] INFO: Monitor successfully loaded in process with pid 2404.
2019-07-11 03:06:42,134 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:42,148 [root] DEBUG: DLL loaded at 0x00B70000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:42,164 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:42,180 [root] DEBUG: DLL unloaded from 0x00B70000.
2019-07-11 03:06:42,196 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:42,196 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:42,226 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:42,226 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2404, error: -8
2019-07-11 03:06:42,398 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:43,413 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2404
2019-07-11 03:06:43,427 [root] DEBUG: GetHookCallerBase: thread 2412 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:43,444 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:06:43,460 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:06:43,474 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:43,522 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2404_11792843824326511472019
2019-07-11 03:06:43,522 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:43,538 [root] INFO: Notified of termination of process with pid 2404.
2019-07-11 03:06:43,552 [root] DEBUG: Terminate Event: Process 2404 has already been dumped(!)
2019-07-11 03:06:43,834 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2916
2019-07-11 03:06:43,849 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:43,865 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:43,881 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:43,895 [root] DEBUG: Loader: Injecting process 2916 (thread 1936) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:43,911 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:43,911 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:43,927 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:43,943 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:43,959 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:43,973 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:43,973 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2916
2019-07-11 03:06:43,990 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2916
2019-07-11 03:06:44,006 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:44,020 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:44,036 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:44,052 [root] DEBUG: Loader: Injecting process 2916 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:44,052 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:44,068 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:44,084 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:44,098 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:44,115 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:44,130 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:44,145 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2916 at 0x747e0000, image base 0xdc0000, stack from 0xc46000-0xc50000
2019-07-11 03:06:44,161 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:44,177 [root] INFO: Added new process to list with pid: 2916
2019-07-11 03:06:44,177 [root] INFO: Monitor successfully loaded in process with pid 2916.
2019-07-11 03:06:44,193 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:44,207 [root] DEBUG: DLL loaded at 0x00F00000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:44,223 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:44,223 [root] DEBUG: DLL unloaded from 0x00F00000.
2019-07-11 03:06:44,240 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:44,255 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:44,270 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:44,270 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2916, error: -8
2019-07-11 03:06:44,411 [root] INFO: Process with pid 2404 has terminated
2019-07-11 03:06:44,519 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:45,549 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2916
2019-07-11 03:06:45,549 [root] DEBUG: GetHookCallerBase: thread 1936 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:45,565 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:45,596 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:45,611 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:45,674 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2916_19438282284526511472019
2019-07-11 03:06:45,674 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:45,690 [root] INFO: Notified of termination of process with pid 2916.
2019-07-11 03:06:45,706 [root] DEBUG: Terminate Event: Process 2916 has already been dumped(!)
2019-07-11 03:06:46,065 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2472
2019-07-11 03:06:46,079 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:46,095 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:46,111 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:46,111 [root] DEBUG: Loader: Injecting process 2472 (thread 2788) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:46,127 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:46,142 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:46,157 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:46,174 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:46,174 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:46,190 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:46,204 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2472
2019-07-11 03:06:46,220 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2472
2019-07-11 03:06:46,236 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:46,236 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:46,252 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:46,267 [root] DEBUG: Loader: Injecting process 2472 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:46,282 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:46,299 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:46,313 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:46,329 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:46,345 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:46,361 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:46,377 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2472 at 0x747e0000, image base 0xdc0000, stack from 0xb06000-0xb10000
2019-07-11 03:06:46,391 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:46,407 [root] INFO: Added new process to list with pid: 2472
2019-07-11 03:06:46,407 [root] INFO: Monitor successfully loaded in process with pid 2472.
2019-07-11 03:06:46,424 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:46,438 [root] INFO: Process with pid 2916 has terminated
2019-07-11 03:06:46,438 [root] DEBUG: DLL loaded at 0x02A60000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:46,454 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:46,470 [root] DEBUG: DLL unloaded from 0x02A60000.
2019-07-11 03:06:46,486 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:46,502 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:46,502 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:46,516 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2472, error: -8
2019-07-11 03:06:46,641 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:47,655 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2472
2019-07-11 03:06:47,671 [root] DEBUG: GetHookCallerBase: thread 2788 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:47,687 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:47,703 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:47,717 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:47,765 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2472_12797377684726511472019
2019-07-11 03:06:47,780 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:47,796 [root] INFO: Notified of termination of process with pid 2472.
2019-07-11 03:06:47,812 [root] DEBUG: Terminate Event: Process 2472 has already been dumped(!)
2019-07-11 03:06:48,233 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2660
2019-07-11 03:06:48,249 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:48,263 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:48,279 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:48,296 [root] DEBUG: Loader: Injecting process 2660 (thread 2900) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:48,311 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:48,311 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:48,326 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:48,342 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:48,358 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:48,374 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:48,388 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2660
2019-07-11 03:06:48,404 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2660
2019-07-11 03:06:48,420 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:48,420 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:48,436 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:48,451 [root] DEBUG: Loader: Injecting process 2660 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:48,467 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:48,467 [root] INFO: Process with pid 2472 has terminated
2019-07-11 03:06:48,467 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:48,483 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:48,513 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:48,529 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:48,545 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:48,545 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2660 at 0x747e0000, image base 0xdc0000, stack from 0xac6000-0xad0000
2019-07-11 03:06:48,561 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:48,575 [root] INFO: Added new process to list with pid: 2660
2019-07-11 03:06:48,592 [root] INFO: Monitor successfully loaded in process with pid 2660.
2019-07-11 03:06:48,608 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:48,608 [root] DEBUG: DLL loaded at 0x043D0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:48,622 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:48,638 [root] DEBUG: DLL unloaded from 0x043D0000.
2019-07-11 03:06:48,654 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:48,670 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:48,670 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:48,686 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2660, error: -8
2019-07-11 03:06:48,795 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:49,823 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2660
2019-07-11 03:06:49,839 [root] DEBUG: GetHookCallerBase: thread 2900 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:49,855 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:49,871 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:49,887 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:49,934 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2660_17663927764926511472019
2019-07-11 03:06:49,948 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:49,964 [root] INFO: Notified of termination of process with pid 2660.
2019-07-11 03:06:49,980 [root] DEBUG: Terminate Event: Process 2660 has already been dumped(!)
2019-07-11 03:06:50,246 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2120
2019-07-11 03:06:50,260 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:50,276 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:50,308 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:50,323 [root] DEBUG: Loader: Injecting process 2120 (thread 368) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:50,338 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:50,338 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:50,355 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:50,369 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:50,385 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:50,401 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:50,401 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2120
2019-07-11 03:06:50,433 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2120
2019-07-11 03:06:50,433 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:50,447 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:50,463 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:50,480 [root] DEBUG: Loader: Injecting process 2120 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:50,494 [root] INFO: Process with pid 2660 has terminated
2019-07-11 03:06:50,494 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:50,510 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:50,526 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:50,542 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:50,572 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:50,588 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:50,588 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2120 at 0x747e0000, image base 0xdc0000, stack from 0xb26000-0xb30000
2019-07-11 03:06:50,604 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:50,619 [root] INFO: Added new process to list with pid: 2120
2019-07-11 03:06:50,635 [root] INFO: Monitor successfully loaded in process with pid 2120.
2019-07-11 03:06:50,635 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:50,651 [root] DEBUG: DLL loaded at 0x03EB0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:50,667 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:50,681 [root] DEBUG: DLL unloaded from 0x03EB0000.
2019-07-11 03:06:50,697 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:50,713 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:50,713 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:50,729 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2120, error: -8
2019-07-11 03:06:50,963 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:51,993 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2120
2019-07-11 03:06:52,007 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:52,023 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:06:52,039 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:06:52,055 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:52,101 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2120_5782730665226511472019
2019-07-11 03:06:52,118 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:52,132 [root] INFO: Notified of termination of process with pid 2120.
2019-07-11 03:06:52,148 [root] DEBUG: Terminate Event: Process 2120 has already been dumped(!)
2019-07-11 03:06:52,492 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2424
2019-07-11 03:06:52,523 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:52,523 [root] INFO: Process with pid 2120 has terminated
2019-07-11 03:06:52,523 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:52,539 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:52,553 [root] DEBUG: Loader: Injecting process 2424 (thread 928) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:52,569 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:52,585 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:52,601 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:52,631 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:52,631 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:52,664 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:52,678 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2424
2019-07-11 03:06:52,694 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2424
2019-07-11 03:06:52,710 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:52,726 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:52,742 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:52,756 [root] DEBUG: Loader: Injecting process 2424 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:52,773 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:52,773 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:52,803 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:52,803 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:52,835 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:52,851 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:52,865 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2424 at 0x747e0000, image base 0xdc0000, stack from 0xca6000-0xcb0000
2019-07-11 03:06:52,881 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:52,898 [root] INFO: Added new process to list with pid: 2424
2019-07-11 03:06:52,898 [root] INFO: Monitor successfully loaded in process with pid 2424.
2019-07-11 03:06:52,913 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:52,928 [root] DEBUG: DLL loaded at 0x03F00000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:52,944 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:52,960 [root] DEBUG: DLL unloaded from 0x03F00000.
2019-07-11 03:06:52,960 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:52,976 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:52,990 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:53,006 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2424, error: -8
2019-07-11 03:06:54,177 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:55,206 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2424
2019-07-11 03:06:55,221 [root] DEBUG: GetHookCallerBase: thread 928 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:55,237 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:55,253 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:55,269 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:55,315 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2424_17580223865526511472019
2019-07-11 03:06:55,331 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:55,346 [root] INFO: Notified of termination of process with pid 2424.
2019-07-11 03:06:55,346 [root] DEBUG: Terminate Event: Process 2424 has already been dumped(!)
2019-07-11 03:06:55,581 [root] INFO: Process with pid 2424 has terminated
2019-07-11 03:06:55,767 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3064
2019-07-11 03:06:55,799 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:55,815 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:55,829 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:55,845 [root] DEBUG: Loader: Injecting process 3064 (thread 1588) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:55,861 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:55,877 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:55,877 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:55,907 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:55,907 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:55,940 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:55,954 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3064
2019-07-11 03:06:55,970 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3064
2019-07-11 03:06:55,986 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:55,986 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:56,017 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:56,017 [root] DEBUG: Loader: Injecting process 3064 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:56,032 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:56,049 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:56,063 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:56,079 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:56,111 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:56,127 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:56,157 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3064 at 0x747e0000, image base 0xdc0000, stack from 0xd06000-0xd10000
2019-07-11 03:06:56,174 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:56,188 [root] INFO: Added new process to list with pid: 3064
2019-07-11 03:06:56,204 [root] INFO: Monitor successfully loaded in process with pid 3064.
2019-07-11 03:06:56,220 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:56,236 [root] DEBUG: DLL loaded at 0x02BF0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:56,252 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:56,266 [root] DEBUG: DLL unloaded from 0x02BF0000.
2019-07-11 03:06:56,266 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:56,282 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:56,298 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:56,313 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3064, error: -8
2019-07-11 03:06:57,467 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:06:58,482 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3064
2019-07-11 03:06:58,497 [root] DEBUG: GetHookCallerBase: thread 1588 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:06:58,513 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:06:58,529 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:06:58,545 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:06:58,592 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3064_14790620815826511472019
2019-07-11 03:06:58,607 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:06:58,622 [root] INFO: Notified of termination of process with pid 3064.
2019-07-11 03:06:58,638 [root] DEBUG: Terminate Event: Process 3064 has already been dumped(!)
2019-07-11 03:06:58,934 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2396
2019-07-11 03:06:58,966 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:58,982 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:58,996 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:59,013 [root] DEBUG: Loader: Injecting process 2396 (thread 2400) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:59,028 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:06:59,043 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:59,059 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:06:59,075 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:06:59,091 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:06:59,105 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:59,105 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2396
2019-07-11 03:06:59,121 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2396
2019-07-11 03:06:59,138 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:06:59,153 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:06:59,168 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:06:59,184 [root] DEBUG: Loader: Injecting process 2396 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:59,200 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:06:59,216 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:06:59,230 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:06:59,246 [root] DEBUG: Process dumps enabled.
2019-07-11 03:06:59,262 [root] INFO: Disabling sleep skipping.
2019-07-11 03:06:59,278 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:06:59,293 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2396 at 0x747e0000, image base 0xdc0000, stack from 0xa76000-0xa80000
2019-07-11 03:06:59,309 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:06:59,325 [root] INFO: Added new process to list with pid: 2396
2019-07-11 03:06:59,339 [root] INFO: Monitor successfully loaded in process with pid 2396.
2019-07-11 03:06:59,355 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:06:59,371 [root] DEBUG: DLL loaded at 0x00A80000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:06:59,371 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:06:59,387 [root] DEBUG: DLL unloaded from 0x00A80000.
2019-07-11 03:06:59,403 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:06:59,417 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:06:59,434 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:06:59,450 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2396, error: -8
2019-07-11 03:06:59,637 [root] INFO: Process with pid 3064 has terminated
2019-07-11 03:06:59,667 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:00,697 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2396
2019-07-11 03:07:00,713 [root] DEBUG: GetHookCallerBase: thread 2400 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:00,729 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:07:00,743 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:07:00,759 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:00,822 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2396_1820290712027511472019
2019-07-11 03:07:00,838 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:00,854 [root] INFO: Notified of termination of process with pid 2396.
2019-07-11 03:07:00,868 [root] DEBUG: Terminate Event: Process 2396 has already been dumped(!)
2019-07-11 03:07:01,259 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2260
2019-07-11 03:07:01,289 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:01,305 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:01,322 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:01,336 [root] DEBUG: Loader: Injecting process 2260 (thread 2368) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:01,352 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:01,368 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:01,384 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:01,400 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:01,414 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:01,430 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:01,430 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2260
2019-07-11 03:07:01,446 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2260
2019-07-11 03:07:01,461 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:01,477 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:01,493 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:01,509 [root] DEBUG: Loader: Injecting process 2260 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:01,523 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:01,539 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:01,555 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:01,571 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:01,601 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:01,618 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:01,634 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2260 at 0x747e0000, image base 0xdc0000, stack from 0xbb6000-0xbc0000
2019-07-11 03:07:01,648 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:01,664 [root] INFO: Added new process to list with pid: 2260
2019-07-11 03:07:01,664 [root] INFO: Process with pid 2396 has terminated
2019-07-11 03:07:01,664 [root] INFO: Monitor successfully loaded in process with pid 2260.
2019-07-11 03:07:01,680 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:01,696 [root] DEBUG: DLL loaded at 0x04800000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:01,711 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:01,726 [root] DEBUG: DLL unloaded from 0x04800000.
2019-07-11 03:07:01,743 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:01,757 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:01,773 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:01,789 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2260, error: -8
2019-07-11 03:07:02,881 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:03,911 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2260
2019-07-11 03:07:03,927 [root] DEBUG: GetHookCallerBase: thread 2368 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:03,941 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:03,957 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:03,973 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:04,036 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2260_116958780327511472019
2019-07-11 03:07:04,052 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:04,066 [root] INFO: Notified of termination of process with pid 2260.
2019-07-11 03:07:04,082 [root] DEBUG: Terminate Event: Process 2260 has already been dumped(!)
2019-07-11 03:07:04,316 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1324
2019-07-11 03:07:04,348 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:04,348 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:04,364 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:04,378 [root] DEBUG: Loader: Injecting process 1324 (thread 2512) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:04,394 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:04,410 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:04,426 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:04,441 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:04,457 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:04,473 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:04,487 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1324
2019-07-11 03:07:04,503 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1324
2019-07-11 03:07:04,519 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:04,535 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:04,551 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:04,565 [root] DEBUG: Loader: Injecting process 1324 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:04,582 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:04,598 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:04,612 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:04,628 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:04,660 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:04,676 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:04,690 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1324 at 0x747e0000, image base 0xdc0000, stack from 0xbc6000-0xbd0000
2019-07-11 03:07:04,707 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:04,721 [root] INFO: Added new process to list with pid: 1324
2019-07-11 03:07:04,721 [root] INFO: Process with pid 2260 has terminated
2019-07-11 03:07:04,721 [root] INFO: Monitor successfully loaded in process with pid 1324.
2019-07-11 03:07:04,753 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:04,753 [root] DEBUG: DLL loaded at 0x03FC0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:04,785 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:04,785 [root] DEBUG: DLL unloaded from 0x03FC0000.
2019-07-11 03:07:04,799 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:04,815 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:04,832 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:04,846 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1324, error: -8
2019-07-11 03:07:05,065 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:06,095 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1324
2019-07-11 03:07:06,111 [root] DEBUG: GetHookCallerBase: thread 2512 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:06,125 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:07:06,141 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:07:06,157 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:06,220 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1324_578938728627511472019
2019-07-11 03:07:06,236 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:06,250 [root] INFO: Notified of termination of process with pid 1324.
2019-07-11 03:07:06,266 [root] DEBUG: Terminate Event: Process 1324 has already been dumped(!)
2019-07-11 03:07:06,532 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1628
2019-07-11 03:07:06,562 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:06,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:06,594 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:06,609 [root] DEBUG: Loader: Injecting process 1628 (thread 2444) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:06,625 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:06,641 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:06,657 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:06,671 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:06,687 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:06,703 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:06,719 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1628
2019-07-11 03:07:06,734 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1628
2019-07-11 03:07:06,750 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:06,766 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:06,766 [root] INFO: Process with pid 1324 has terminated
2019-07-11 03:07:06,782 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:06,796 [root] DEBUG: Loader: Injecting process 1628 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:06,812 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:06,828 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:06,844 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:06,859 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:06,875 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:06,891 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:06,905 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1628 at 0x747e0000, image base 0xdc0000, stack from 0xb46000-0xb50000
2019-07-11 03:07:06,921 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:06,937 [root] INFO: Added new process to list with pid: 1628
2019-07-11 03:07:06,953 [root] INFO: Monitor successfully loaded in process with pid 1628.
2019-07-11 03:07:06,969 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:06,983 [root] DEBUG: DLL loaded at 0x00F00000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:07,000 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:07,016 [root] DEBUG: DLL unloaded from 0x00F00000.
2019-07-11 03:07:07,030 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:07,046 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:07,062 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:07,062 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1628, error: -8
2019-07-11 03:07:07,250 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:08,279 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1628
2019-07-11 03:07:08,309 [root] DEBUG: GetHookCallerBase: thread 2444 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:08,325 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:08,325 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:08,342 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:08,404 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1628_382899709827511472019
2019-07-11 03:07:08,420 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:08,434 [root] INFO: Notified of termination of process with pid 1628.
2019-07-11 03:07:08,450 [root] DEBUG: Terminate Event: Process 1628 has already been dumped(!)
2019-07-11 03:07:08,778 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2548
2019-07-11 03:07:08,809 [root] INFO: Process with pid 1628 has terminated
2019-07-11 03:07:08,809 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:08,841 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:08,855 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:08,888 [root] DEBUG: Loader: Injecting process 2548 (thread 1472) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:08,903 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:08,918 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:08,934 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:08,950 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:08,966 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:08,980 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:08,980 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2548
2019-07-11 03:07:09,012 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2548
2019-07-11 03:07:09,028 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:09,043 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:09,059 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:09,075 [root] DEBUG: Loader: Injecting process 2548 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:09,089 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:09,105 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:09,121 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:09,137 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:09,153 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:09,184 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:09,200 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2548 at 0x747e0000, image base 0xdc0000, stack from 0xb46000-0xb50000
2019-07-11 03:07:09,214 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:09,230 [root] INFO: Added new process to list with pid: 2548
2019-07-11 03:07:09,230 [root] INFO: Monitor successfully loaded in process with pid 2548.
2019-07-11 03:07:09,246 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:09,262 [root] DEBUG: DLL loaded at 0x03FA0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:09,278 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:09,292 [root] DEBUG: DLL unloaded from 0x03FA0000.
2019-07-11 03:07:09,309 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:09,323 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:09,339 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:09,355 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2548, error: -8
2019-07-11 03:07:10,447 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:11,476 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2548
2019-07-11 03:07:11,507 [root] DEBUG: GetHookCallerBase: thread 1472 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:11,507 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:11,523 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:11,539 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:11,601 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2548_11871587261127511472019
2019-07-11 03:07:11,618 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:11,632 [root] INFO: Notified of termination of process with pid 2548.
2019-07-11 03:07:11,648 [root] DEBUG: Terminate Event: Process 2548 has already been dumped(!)
2019-07-11 03:07:11,851 [root] INFO: Process with pid 2548 has terminated
2019-07-11 03:07:11,930 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2928
2019-07-11 03:07:11,960 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:11,960 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:11,992 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:12,007 [root] DEBUG: Loader: Injecting process 2928 (thread 2072) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:12,023 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:12,039 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:12,053 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:12,069 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:12,085 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:12,101 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:12,101 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2928
2019-07-11 03:07:12,117 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2928
2019-07-11 03:07:12,131 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:12,148 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:12,178 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:12,194 [root] DEBUG: Loader: Injecting process 2928 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:12,210 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:12,226 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:12,242 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:12,256 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:12,273 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:12,303 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:12,319 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2928 at 0x747e0000, image base 0xdc0000, stack from 0xcc6000-0xcd0000
2019-07-11 03:07:12,335 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:12,365 [root] INFO: Added new process to list with pid: 2928
2019-07-11 03:07:12,381 [root] INFO: Monitor successfully loaded in process with pid 2928.
2019-07-11 03:07:12,398 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:12,413 [root] DEBUG: DLL loaded at 0x04500000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:12,428 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:12,444 [root] DEBUG: DLL unloaded from 0x04500000.
2019-07-11 03:07:12,476 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:12,476 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:12,490 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:12,506 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2928, error: -8
2019-07-11 03:07:12,631 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:13,661 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2928
2019-07-11 03:07:13,677 [root] DEBUG: GetHookCallerBase: thread 2072 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:13,691 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:13,707 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:13,739 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:13,802 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2928_8043950991327511472019
2019-07-11 03:07:13,816 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:13,832 [root] INFO: Notified of termination of process with pid 2928.
2019-07-11 03:07:13,848 [root] DEBUG: Terminate Event: Process 2928 has already been dumped(!)
2019-07-11 03:07:13,880 [root] INFO: Process with pid 2928 has terminated
2019-07-11 03:07:14,223 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1112
2019-07-11 03:07:14,253 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:14,269 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:14,285 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:14,301 [root] DEBUG: Loader: Injecting process 1112 (thread 1424) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:14,316 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:14,332 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:14,348 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:14,362 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:14,378 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:14,394 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:14,394 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1112
2019-07-11 03:07:14,426 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1112
2019-07-11 03:07:14,440 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:14,440 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:14,473 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:14,487 [root] DEBUG: Loader: Injecting process 1112 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:14,503 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:14,519 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:14,535 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:14,551 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:14,582 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:14,596 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:14,612 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1112 at 0x747e0000, image base 0xdc0000, stack from 0xb06000-0xb10000
2019-07-11 03:07:14,628 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:14,644 [root] INFO: Added new process to list with pid: 1112
2019-07-11 03:07:14,660 [root] INFO: Monitor successfully loaded in process with pid 1112.
2019-07-11 03:07:14,690 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:14,707 [root] DEBUG: DLL loaded at 0x04820000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:14,721 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:14,753 [root] DEBUG: DLL unloaded from 0x04820000.
2019-07-11 03:07:14,769 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:14,785 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:14,799 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:14,815 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1112, error: -8
2019-07-11 03:07:15,970 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:16,983 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1112
2019-07-11 03:07:17,000 [root] DEBUG: GetHookCallerBase: thread 1424 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:17,030 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:17,046 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:17,062 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:17,140 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1112_13167526421727511472019
2019-07-11 03:07:17,155 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:17,171 [root] INFO: Notified of termination of process with pid 1112.
2019-07-11 03:07:17,187 [root] DEBUG: Terminate Event: Process 1112 has already been dumped(!)
2019-07-11 03:07:17,576 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2324
2019-07-11 03:07:17,608 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:17,624 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:17,638 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:17,654 [root] DEBUG: Loader: Injecting process 2324 (thread 1568) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:17,671 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:17,686 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:17,701 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:17,717 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:17,733 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:17,749 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:17,763 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2324
2019-07-11 03:07:17,779 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2324
2019-07-11 03:07:17,811 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:17,811 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:17,842 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:17,858 [root] DEBUG: Loader: Injecting process 2324 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:17,872 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:17,888 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:17,904 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:17,920 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:17,936 [root] INFO: Process with pid 1112 has terminated
2019-07-11 03:07:17,936 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:17,967 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:17,983 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2324 at 0x747e0000, image base 0xdc0000, stack from 0xb96000-0xba0000
2019-07-11 03:07:17,997 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:18,013 [root] INFO: Added new process to list with pid: 2324
2019-07-11 03:07:18,013 [root] INFO: Monitor successfully loaded in process with pid 2324.
2019-07-11 03:07:18,045 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:18,061 [root] DEBUG: DLL loaded at 0x028E0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:18,075 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:18,092 [root] DEBUG: DLL unloaded from 0x028E0000.
2019-07-11 03:07:18,107 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:18,122 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:18,138 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:18,154 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2324, error: -8
2019-07-11 03:07:19,230 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:20,276 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2324
2019-07-11 03:07:20,306 [root] DEBUG: GetHookCallerBase: thread 1568 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:20,322 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:20,338 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:20,354 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:20,415 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2324_18055080422027511472019
2019-07-11 03:07:20,431 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:20,447 [root] INFO: Notified of termination of process with pid 2324.
2019-07-11 03:07:20,479 [root] DEBUG: Terminate Event: Process 2324 has already been dumped(!)
2019-07-11 03:07:20,713 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2460
2019-07-11 03:07:20,743 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:20,759 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:20,790 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:20,805 [root] DEBUG: Loader: Injecting process 2460 (thread 2564) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:20,822 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:20,836 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:20,852 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:20,868 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:20,884 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:20,900 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:20,914 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2460
2019-07-11 03:07:20,930 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2460
2019-07-11 03:07:20,947 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:20,961 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:20,977 [root] INFO: Process with pid 2324 has terminated
2019-07-11 03:07:20,977 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:21,009 [root] DEBUG: Loader: Injecting process 2460 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:21,025 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:21,039 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:21,055 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:21,071 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:21,086 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:21,118 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:21,134 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2460 at 0x747e0000, image base 0xdc0000, stack from 0xb06000-0xb10000
2019-07-11 03:07:21,148 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:21,164 [root] INFO: Added new process to list with pid: 2460
2019-07-11 03:07:21,164 [root] INFO: Monitor successfully loaded in process with pid 2460.
2019-07-11 03:07:21,196 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:21,211 [root] DEBUG: DLL loaded at 0x048C0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:21,226 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:21,243 [root] DEBUG: DLL unloaded from 0x048C0000.
2019-07-11 03:07:21,259 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:21,273 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:21,289 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:21,305 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2460, error: -8
2019-07-11 03:07:21,446 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:22,460 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2460
2019-07-11 03:07:22,474 [root] DEBUG: GetHookCallerBase: thread 2564 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:22,506 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:22,522 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:22,538 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:22,599 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2460_19038012402227511472019
2019-07-11 03:07:22,615 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:22,647 [root] INFO: Notified of termination of process with pid 2460.
2019-07-11 03:07:22,663 [root] DEBUG: Terminate Event: Process 2460 has already been dumped(!)
2019-07-11 03:07:22,959 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 164
2019-07-11 03:07:22,974 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:22,990 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:23,006 [root] INFO: Process with pid 2460 has terminated
2019-07-11 03:07:23,020 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:23,036 [root] DEBUG: Loader: Injecting process 164 (thread 1276) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:23,052 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:23,068 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:23,084 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:23,098 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:23,115 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:23,131 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:23,145 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 164
2019-07-11 03:07:23,161 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 164
2019-07-11 03:07:23,193 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:23,193 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:23,223 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:23,240 [root] DEBUG: Loader: Injecting process 164 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:23,255 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:23,270 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:23,302 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:23,318 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:23,332 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:23,348 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:23,365 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 164 at 0x747e0000, image base 0xdc0000, stack from 0xc46000-0xc50000
2019-07-11 03:07:23,380 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:23,411 [root] INFO: Added new process to list with pid: 164
2019-07-11 03:07:23,411 [root] INFO: Monitor successfully loaded in process with pid 164.
2019-07-11 03:07:23,443 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:23,457 [root] DEBUG: DLL loaded at 0x049E0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:23,473 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:23,489 [root] DEBUG: DLL unloaded from 0x049E0000.
2019-07-11 03:07:23,505 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:23,520 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:23,536 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:23,552 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 164, error: -8
2019-07-11 03:07:24,753 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:25,766 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 164
2019-07-11 03:07:25,798 [root] DEBUG: GetHookCallerBase: thread 1276 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:25,813 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:25,828 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:25,845 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:25,907 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\164_16577904562527511472019
2019-07-11 03:07:25,923 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:25,953 [root] INFO: Notified of termination of process with pid 164.
2019-07-11 03:07:25,970 [root] DEBUG: Terminate Event: Process 164 has already been dumped(!)
2019-07-11 03:07:26,048 [root] INFO: Process with pid 164 has terminated
2019-07-11 03:07:26,344 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2320
2019-07-11 03:07:26,375 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:26,391 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:26,407 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:26,421 [root] DEBUG: Loader: Injecting process 2320 (thread 2316) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:26,453 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:26,469 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:26,484 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:26,500 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:26,516 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:26,530 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:26,546 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2320
2019-07-11 03:07:26,562 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2320
2019-07-11 03:07:26,594 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:26,594 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:26,625 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:26,641 [root] DEBUG: Loader: Injecting process 2320 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:26,655 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:26,671 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:26,703 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:26,719 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:26,733 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:26,750 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:26,765 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2320 at 0x747e0000, image base 0xdc0000, stack from 0xa26000-0xa30000
2019-07-11 03:07:26,796 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:26,812 [root] INFO: Added new process to list with pid: 2320
2019-07-11 03:07:26,812 [root] INFO: Monitor successfully loaded in process with pid 2320.
2019-07-11 03:07:26,842 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:26,858 [root] DEBUG: DLL loaded at 0x00F00000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:26,875 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:26,890 [root] DEBUG: DLL unloaded from 0x00F00000.
2019-07-11 03:07:26,905 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:26,921 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:26,937 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:26,953 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2320, error: -8
2019-07-11 03:07:28,107 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:29,121 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2320
2019-07-11 03:07:29,151 [root] DEBUG: GetHookCallerBase: thread 2316 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:29,167 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:29,183 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:29,198 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:29,260 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2320_111278822927511472019
2019-07-11 03:07:29,276 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:29,292 [root] INFO: Notified of termination of process with pid 2320.
2019-07-11 03:07:29,308 [root] DEBUG: Terminate Event: Process 2320 has already been dumped(!)
2019-07-11 03:07:29,526 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2884
2019-07-11 03:07:29,542 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:29,558 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:29,588 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:29,605 [root] DEBUG: Loader: Injecting process 2884 (thread 2360) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:29,635 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:29,651 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:29,683 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:29,697 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:29,713 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:29,744 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:29,744 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2884
2019-07-11 03:07:29,776 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2884
2019-07-11 03:07:29,792 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:29,806 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:29,822 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:29,838 [root] DEBUG: Loader: Injecting process 2884 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:29,869 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:29,884 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:29,901 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:29,917 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:29,947 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:29,963 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:29,979 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2884 at 0x747e0000, image base 0xdc0000, stack from 0x986000-0x990000
2019-07-11 03:07:29,994 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:30,009 [root] INFO: Added new process to list with pid: 2884
2019-07-11 03:07:30,026 [root] INFO: Monitor successfully loaded in process with pid 2884.
2019-07-11 03:07:30,056 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:30,072 [root] DEBUG: DLL loaded at 0x043C0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:30,088 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:30,104 [root] DEBUG: DLL unloaded from 0x043C0000.
2019-07-11 03:07:30,118 [root] INFO: Process with pid 2320 has terminated
2019-07-11 03:07:30,118 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:30,134 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:30,165 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:30,165 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2884, error: -8
2019-07-11 03:07:30,290 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:31,305 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2884
2019-07-11 03:07:31,321 [root] DEBUG: GetHookCallerBase: thread 2360 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:31,351 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:31,367 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:31,382 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:31,460 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2884_20431475053127511472019
2019-07-11 03:07:31,476 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:31,507 [root] INFO: Notified of termination of process with pid 2884.
2019-07-11 03:07:31,523 [root] DEBUG: Terminate Event: Process 2884 has already been dumped(!)
2019-07-11 03:07:31,881 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3024
2019-07-11 03:07:31,913 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:31,928 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:31,960 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:31,976 [root] DEBUG: Loader: Injecting process 3024 (thread 264) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:31,990 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:32,023 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:32,038 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:32,085 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:32,101 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:32,115 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:32,131 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3024
2019-07-11 03:07:32,147 [root] INFO: Process with pid 2884 has terminated
2019-07-11 03:07:32,147 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3024
2019-07-11 03:07:32,178 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:32,194 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:32,210 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:32,224 [root] DEBUG: Loader: Injecting process 3024 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:32,256 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:32,272 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:32,288 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:32,302 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:32,335 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:32,349 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:32,365 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3024 at 0x747e0000, image base 0xdc0000, stack from 0xcd6000-0xce0000
2019-07-11 03:07:32,397 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:32,413 [root] INFO: Added new process to list with pid: 3024
2019-07-11 03:07:32,413 [root] INFO: Monitor successfully loaded in process with pid 3024.
2019-07-11 03:07:32,444 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:32,459 [root] DEBUG: DLL loaded at 0x00CE0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:32,474 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:32,490 [root] DEBUG: DLL unloaded from 0x00CE0000.
2019-07-11 03:07:32,506 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:32,522 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:32,552 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:32,552 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3024, error: -8
2019-07-11 03:07:33,644 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:34,658 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3024
2019-07-11 03:07:34,690 [root] DEBUG: GetHookCallerBase: thread 264 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:34,706 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:07:34,720 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:07:34,736 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:34,799 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3024_1403836133427511472019
2019-07-11 03:07:34,831 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:34,845 [root] INFO: Notified of termination of process with pid 3024.
2019-07-11 03:07:34,861 [root] DEBUG: Terminate Event: Process 3024 has already been dumped(!)
2019-07-11 03:07:35,079 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1596
2019-07-11 03:07:35,111 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:35,127 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:35,157 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:35,174 [root] DEBUG: Loader: Injecting process 1596 (thread 2204) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:35,188 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:35,204 [root] INFO: Process with pid 3024 has terminated
2019-07-11 03:07:35,204 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:35,236 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:35,252 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:35,266 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:35,282 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:35,299 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1596
2019-07-11 03:07:35,329 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1596
2019-07-11 03:07:35,345 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:35,361 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:35,391 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:35,407 [root] DEBUG: Loader: Injecting process 1596 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:35,423 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:35,438 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:35,454 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:35,486 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:35,500 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:35,532 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:35,548 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1596 at 0x747e0000, image base 0xdc0000, stack from 0xd46000-0xd50000
2019-07-11 03:07:35,563 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:35,578 [root] INFO: Added new process to list with pid: 1596
2019-07-11 03:07:35,595 [root] INFO: Monitor successfully loaded in process with pid 1596.
2019-07-11 03:07:35,611 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:35,641 [root] DEBUG: DLL loaded at 0x03EB0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:35,673 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:35,688 [root] DEBUG: DLL unloaded from 0x03EB0000.
2019-07-11 03:07:35,703 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:35,734 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:35,750 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:35,766 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1596, error: -8
2019-07-11 03:07:36,967 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:37,996 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1596
2019-07-11 03:07:38,013 [root] DEBUG: GetHookCallerBase: thread 2204 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:38,043 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:38,075 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:38,091 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:38,168 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1596_20304237923827511472019
2019-07-11 03:07:38,184 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:38,200 [root] INFO: Notified of termination of process with pid 1596.
2019-07-11 03:07:38,216 [root] DEBUG: Terminate Event: Process 1596 has already been dumped(!)
2019-07-11 03:07:38,263 [root] INFO: Process with pid 1596 has terminated
2019-07-11 03:07:38,589 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2264
2019-07-11 03:07:38,621 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:38,637 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:38,667 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:38,684 [root] DEBUG: Loader: Injecting process 2264 (thread 3048) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:38,698 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:38,714 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:38,730 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:38,762 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:38,776 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:38,792 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:38,809 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2264
2019-07-11 03:07:38,823 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2264
2019-07-11 03:07:38,855 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:38,871 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:38,887 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:38,901 [root] DEBUG: Loader: Injecting process 2264 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:38,933 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:38,948 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:38,964 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:38,980 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:39,010 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:39,026 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:39,042 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2264 at 0x747e0000, image base 0xdc0000, stack from 0xc36000-0xc40000
2019-07-11 03:07:39,073 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:39,088 [root] INFO: Added new process to list with pid: 2264
2019-07-11 03:07:39,105 [root] INFO: Monitor successfully loaded in process with pid 2264.
2019-07-11 03:07:39,121 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:39,135 [root] DEBUG: DLL loaded at 0x00C80000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:39,151 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:39,183 [root] DEBUG: DLL unloaded from 0x00C80000.
2019-07-11 03:07:39,198 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:39,213 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:39,244 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:39,244 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2264, error: -8
2019-07-11 03:07:40,352 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:41,382 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2264
2019-07-11 03:07:41,414 [root] DEBUG: GetHookCallerBase: thread 3048 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:41,428 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:41,444 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:41,460 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:41,553 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2264_20678693564127511472019
2019-07-11 03:07:41,569 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:41,601 [root] INFO: Notified of termination of process with pid 2264.
2019-07-11 03:07:41,617 [root] DEBUG: Terminate Event: Process 2264 has already been dumped(!)
2019-07-11 03:07:41,835 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2936
2019-07-11 03:07:41,865 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:41,865 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:41,897 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:41,913 [root] DEBUG: Loader: Injecting process 2936 (thread 2760) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:41,928 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:41,960 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:41,974 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:41,990 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:42,006 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:42,038 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:42,038 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2936
2019-07-11 03:07:42,069 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2936
2019-07-11 03:07:42,085 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:42,099 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:42,131 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:42,147 [root] DEBUG: Loader: Injecting process 2936 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:42,163 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:42,177 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:42,194 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:42,224 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:42,240 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:42,272 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:42,286 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2936 at 0x747e0000, image base 0xdc0000, stack from 0xd26000-0xd30000
2019-07-11 03:07:42,319 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:42,334 [root] INFO: Process with pid 2264 has terminated
2019-07-11 03:07:42,334 [root] INFO: Added new process to list with pid: 2936
2019-07-11 03:07:42,349 [root] INFO: Monitor successfully loaded in process with pid 2936.
2019-07-11 03:07:42,365 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:42,397 [root] DEBUG: DLL loaded at 0x05350000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:42,411 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:42,427 [root] DEBUG: DLL unloaded from 0x05350000.
2019-07-11 03:07:42,443 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:42,474 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:42,490 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:42,506 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2936, error: -8
2019-07-11 03:07:43,676 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:44,704 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2936
2019-07-11 03:07:44,736 [root] DEBUG: GetHookCallerBase: thread 2760 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:44,752 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:44,767 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:44,782 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:44,861 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2936_19108482084427511472019
2019-07-11 03:07:44,877 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:44,907 [root] INFO: Notified of termination of process with pid 2936.
2019-07-11 03:07:44,924 [root] DEBUG: Terminate Event: Process 2936 has already been dumped(!)
2019-07-11 03:07:45,236 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1516
2019-07-11 03:07:45,266 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:45,282 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:45,313 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:45,328 [root] DEBUG: Loader: Injecting process 1516 (thread 2520) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:45,345 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:45,361 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:45,391 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:45,391 [root] INFO: Process with pid 2936 has terminated
2019-07-11 03:07:45,407 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:45,423 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:45,438 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:45,453 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1516
2019-07-11 03:07:45,484 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1516
2019-07-11 03:07:45,500 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:45,516 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:45,548 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:45,562 [root] DEBUG: Loader: Injecting process 1516 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:45,578 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:45,595 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:45,625 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:45,641 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:45,673 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:45,703 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:45,719 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1516 at 0x747e0000, image base 0xdc0000, stack from 0xd26000-0xd30000
2019-07-11 03:07:45,734 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:45,750 [root] INFO: Added new process to list with pid: 1516
2019-07-11 03:07:45,766 [root] INFO: Monitor successfully loaded in process with pid 1516.
2019-07-11 03:07:45,796 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:45,812 [root] DEBUG: DLL loaded at 0x010D0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:45,828 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:45,844 [root] DEBUG: DLL unloaded from 0x010D0000.
2019-07-11 03:07:45,875 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:45,891 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:45,907 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:45,921 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1516, error: -8
2019-07-11 03:07:47,013 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:48,043 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1516
2019-07-11 03:07:48,059 [root] DEBUG: GetHookCallerBase: thread 2520 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:48,091 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:48,105 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:48,121 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:48,200 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1516_12465823204827511472019
2019-07-11 03:07:48,230 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:48,246 [root] INFO: Notified of termination of process with pid 1516.
2019-07-11 03:07:48,262 [root] DEBUG: Terminate Event: Process 1516 has already been dumped(!)
2019-07-11 03:07:48,448 [root] INFO: Process with pid 1516 has terminated
2019-07-11 03:07:48,464 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2920
2019-07-11 03:07:48,512 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:48,526 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:48,559 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:48,573 [root] DEBUG: Loader: Injecting process 2920 (thread 2488) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:48,589 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:48,621 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:48,637 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:48,651 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:48,667 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:48,698 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:48,698 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2920
2019-07-11 03:07:48,730 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2920
2019-07-11 03:07:48,746 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:48,760 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:48,792 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:48,808 [root] DEBUG: Loader: Injecting process 2920 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:48,823 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:48,838 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:48,871 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:48,885 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:48,917 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:48,933 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:48,948 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2920 at 0x747e0000, image base 0xdc0000, stack from 0xaf6000-0xb00000
2019-07-11 03:07:48,980 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:48,994 [root] INFO: Added new process to list with pid: 2920
2019-07-11 03:07:49,010 [root] INFO: Monitor successfully loaded in process with pid 2920.
2019-07-11 03:07:49,026 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:49,042 [root] DEBUG: DLL loaded at 0x04280000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:49,072 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:49,088 [root] DEBUG: DLL unloaded from 0x04280000.
2019-07-11 03:07:49,105 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:49,119 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:49,151 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:49,167 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2920, error: -8
2019-07-11 03:07:50,352 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:51,381 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2920
2019-07-11 03:07:51,413 [root] DEBUG: GetHookCallerBase: thread 2488 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:51,428 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:51,460 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:51,476 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:51,553 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2920_20018649715127511472019
2019-07-11 03:07:51,569 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:51,601 [root] INFO: Notified of termination of process with pid 2920.
2019-07-11 03:07:51,615 [root] DEBUG: Terminate Event: Process 2920 has already been dumped(!)
2019-07-11 03:07:51,802 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 920
2019-07-11 03:07:51,849 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:51,849 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:51,881 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:51,897 [root] DEBUG: Loader: Injecting process 920 (thread 2040) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:51,913 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:51,927 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:51,959 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:51,990 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:52,006 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:52,022 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:52,052 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 920
2019-07-11 03:07:52,069 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 920
2019-07-11 03:07:52,099 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:52,115 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:52,131 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:52,147 [root] DEBUG: Loader: Injecting process 920 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:52,177 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:52,193 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:52,224 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:52,240 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:52,270 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:52,286 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:52,302 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 920 at 0x747e0000, image base 0xdc0000, stack from 0xc76000-0xc80000
2019-07-11 03:07:52,318 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:52,348 [root] INFO: Added new process to list with pid: 920
2019-07-11 03:07:52,365 [root] INFO: Monitor successfully loaded in process with pid 920.
2019-07-11 03:07:52,381 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:52,395 [root] DEBUG: DLL loaded at 0x04100000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:52,427 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:52,443 [root] DEBUG: DLL unloaded from 0x04100000.
2019-07-11 03:07:52,459 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:52,490 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:52,505 [root] INFO: Process with pid 2920 has terminated
2019-07-11 03:07:52,505 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:52,520 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 920, error: -8
2019-07-11 03:07:53,628 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:54,642 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 920
2019-07-11 03:07:54,674 [root] DEBUG: GetHookCallerBase: thread 2040 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:54,688 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:07:54,704 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:07:54,736 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:54,813 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\920_19348599045427511472019
2019-07-11 03:07:54,829 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:54,845 [root] INFO: Notified of termination of process with pid 920.
2019-07-11 03:07:54,877 [root] DEBUG: Terminate Event: Process 920 has already been dumped(!)
2019-07-11 03:07:55,095 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2212
2019-07-11 03:07:55,125 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:55,141 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:55,157 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:55,188 [root] DEBUG: Loader: Injecting process 2212 (thread 2088) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:55,203 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:55,220 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:55,250 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:55,266 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:55,282 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:55,298 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:55,312 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2212
2019-07-11 03:07:55,345 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2212
2019-07-11 03:07:55,359 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:55,375 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:55,407 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:55,423 [root] DEBUG: Loader: Injecting process 2212 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:55,437 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:55,469 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:55,484 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:55,500 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:55,532 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:55,546 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:55,578 [root] INFO: Process with pid 920 has terminated
2019-07-11 03:07:55,578 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2212 at 0x747e0000, image base 0xdc0000, stack from 0xb26000-0xb30000
2019-07-11 03:07:55,609 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:55,641 [root] INFO: Added new process to list with pid: 2212
2019-07-11 03:07:55,641 [root] INFO: Monitor successfully loaded in process with pid 2212.
2019-07-11 03:07:55,671 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:55,687 [root] DEBUG: DLL loaded at 0x04390000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:55,703 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:55,734 [root] DEBUG: DLL unloaded from 0x04390000.
2019-07-11 03:07:55,750 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:55,766 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:55,796 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:55,796 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2212, error: -8
2019-07-11 03:07:56,983 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:07:58,012 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2212
2019-07-11 03:07:58,042 [root] DEBUG: GetHookCallerBase: thread 2088 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:07:58,075 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:07:58,105 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:07:58,121 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:07:58,214 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2212_15528374815827511472019
2019-07-11 03:07:58,230 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:07:58,246 [root] INFO: Notified of termination of process with pid 2212.
2019-07-11 03:07:58,262 [root] DEBUG: Terminate Event: Process 2212 has already been dumped(!)
2019-07-11 03:07:58,588 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1132
2019-07-11 03:07:58,621 [root] INFO: Process with pid 2212 has terminated
2019-07-11 03:07:58,621 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:58,635 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:58,667 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:58,683 [root] DEBUG: Loader: Injecting process 1132 (thread 2552) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:58,713 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:07:58,730 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:58,744 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:07:58,776 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:07:58,792 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:07:58,808 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:58,822 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1132
2019-07-11 03:07:58,855 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1132
2019-07-11 03:07:58,869 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:07:58,885 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:07:58,917 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:07:58,933 [root] DEBUG: Loader: Injecting process 1132 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:58,963 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:07:58,979 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:07:59,010 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:07:59,026 [root] DEBUG: Process dumps enabled.
2019-07-11 03:07:59,056 [root] INFO: Disabling sleep skipping.
2019-07-11 03:07:59,072 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:07:59,104 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1132 at 0x747e0000, image base 0xdc0000, stack from 0xbc6000-0xbd0000
2019-07-11 03:07:59,119 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:07:59,134 [root] INFO: Added new process to list with pid: 1132
2019-07-11 03:07:59,151 [root] INFO: Monitor successfully loaded in process with pid 1132.
2019-07-11 03:07:59,167 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:07:59,197 [root] DEBUG: DLL loaded at 0x02AD0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:07:59,213 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:07:59,229 [root] DEBUG: DLL unloaded from 0x02AD0000.
2019-07-11 03:07:59,259 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:07:59,290 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:07:59,322 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:07:59,322 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1132, error: -8
2019-07-11 03:08:00,336 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:01,365 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1132
2019-07-11 03:08:01,397 [root] DEBUG: GetHookCallerBase: thread 2552 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:01,413 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:01,428 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:01,444 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:01,538 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1132_420047340128511472019
2019-07-11 03:08:01,552 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:01,569 [root] INFO: Notified of termination of process with pid 1132.
2019-07-11 03:08:01,599 [root] DEBUG: Terminate Event: Process 1132 has already been dumped(!)
2019-07-11 03:08:01,677 [root] INFO: Process with pid 1132 has terminated
2019-07-11 03:08:01,881 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1928
2019-07-11 03:08:01,911 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:01,927 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:01,959 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:01,974 [root] DEBUG: Loader: Injecting process 1928 (thread 2580) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:01,990 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:02,020 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:02,036 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:02,052 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:02,084 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:02,098 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:02,115 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1928
2019-07-11 03:08:02,131 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1928
2019-07-11 03:08:02,161 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:02,177 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:02,209 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:02,223 [root] DEBUG: Loader: Injecting process 1928 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:02,255 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:02,270 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:02,302 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:02,318 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:02,348 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:02,365 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:02,395 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1928 at 0x747e0000, image base 0xdc0000, stack from 0xb46000-0xb50000
2019-07-11 03:08:02,411 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:02,427 [root] INFO: Added new process to list with pid: 1928
2019-07-11 03:08:02,443 [root] INFO: Monitor successfully loaded in process with pid 1928.
2019-07-11 03:08:02,473 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:02,489 [root] DEBUG: DLL loaded at 0x03FC0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:02,505 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:02,520 [root] DEBUG: DLL unloaded from 0x03FC0000.
2019-07-11 03:08:02,552 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:02,566 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:02,598 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:02,614 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1928, error: -8
2019-07-11 03:08:03,674 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:04,704 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1928
2019-07-11 03:08:04,736 [root] DEBUG: GetHookCallerBase: thread 2580 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:04,750 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:04,766 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:04,798 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:04,875 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1928_932688280428511472019
2019-07-11 03:08:04,891 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:04,923 [root] INFO: Notified of termination of process with pid 1928.
2019-07-11 03:08:04,938 [root] DEBUG: Terminate Event: Process 1928 has already been dumped(!)
2019-07-11 03:08:05,173 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2184
2019-07-11 03:08:05,203 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:05,219 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:05,250 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:05,282 [root] DEBUG: Loader: Injecting process 2184 (thread 2432) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:05,312 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:05,328 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:05,359 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:05,375 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:05,391 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:05,421 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:05,437 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2184
2019-07-11 03:08:05,453 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2184
2019-07-11 03:08:05,484 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:05,500 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:05,530 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:05,546 [root] DEBUG: Loader: Injecting process 2184 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:05,562 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:05,594 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:05,608 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:05,641 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:05,671 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:05,687 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:05,719 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2184 at 0x747e0000, image base 0xdc0000, stack from 0xa76000-0xa80000
2019-07-11 03:08:05,733 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:05,750 [root] INFO: Process with pid 1928 has terminated
2019-07-11 03:08:05,765 [root] INFO: Added new process to list with pid: 2184
2019-07-11 03:08:05,765 [root] INFO: Monitor successfully loaded in process with pid 2184.
2019-07-11 03:08:05,796 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:05,812 [root] DEBUG: DLL loaded at 0x00CE0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:05,842 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:05,858 [root] DEBUG: DLL unloaded from 0x00CE0000.
2019-07-11 03:08:05,875 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:05,905 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:05,921 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:05,937 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2184, error: -8
2019-07-11 03:08:06,950 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:07,996 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2184
2019-07-11 03:08:08,012 [root] DEBUG: GetHookCallerBase: thread 2432 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:08,026 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:08:08,042 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:08:08,073 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:08,151 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2184_2067825314828511472019
2019-07-11 03:08:08,183 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:08,198 [root] INFO: Notified of termination of process with pid 2184.
2019-07-11 03:08:08,214 [root] DEBUG: Terminate Event: Process 2184 has already been dumped(!)
2019-07-11 03:08:08,588 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2356
2019-07-11 03:08:08,619 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:08,635 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:08,667 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:08,683 [root] DEBUG: Loader: Injecting process 2356 (thread 1648) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:08,697 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:08,713 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:08,744 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:08,760 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:08,776 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:08,806 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:08,806 [root] INFO: Process with pid 2184 has terminated
2019-07-11 03:08:08,822 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2356
2019-07-11 03:08:08,869 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 2356
2019-07-11 03:08:08,884 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:08,901 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:08,931 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:08,963 [root] DEBUG: Loader: Injecting process 2356 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:08,994 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:09,009 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:09,040 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:09,056 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:09,088 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:09,118 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:09,134 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2356 at 0x747e0000, image base 0xdc0000, stack from 0xaa6000-0xab0000
2019-07-11 03:08:09,165 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:09,181 [root] INFO: Added new process to list with pid: 2356
2019-07-11 03:08:09,197 [root] INFO: Monitor successfully loaded in process with pid 2356.
2019-07-11 03:08:09,229 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:09,243 [root] DEBUG: DLL loaded at 0x00CF0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:09,259 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:09,275 [root] DEBUG: DLL unloaded from 0x00CF0000.
2019-07-11 03:08:09,306 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:09,322 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:09,352 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:09,368 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2356, error: -8
2019-07-11 03:08:10,351 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:11,397 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2356
2019-07-11 03:08:11,427 [root] DEBUG: GetHookCallerBase: thread 1648 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:11,444 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:11,474 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:11,490 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:11,584 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\2356_1138258741128511472019
2019-07-11 03:08:11,599 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:11,631 [root] INFO: Notified of termination of process with pid 2356.
2019-07-11 03:08:11,647 [root] DEBUG: Terminate Event: Process 2356 has already been dumped(!)
2019-07-11 03:08:11,865 [root] INFO: Process with pid 2356 has terminated
2019-07-11 03:08:11,959 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1240
2019-07-11 03:08:12,005 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:12,020 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:12,052 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:12,068 [root] DEBUG: Loader: Injecting process 1240 (thread 2820) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:12,082 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:12,115 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:12,130 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:12,161 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:12,177 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:12,193 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:12,207 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1240
2019-07-11 03:08:12,239 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 1240
2019-07-11 03:08:12,255 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:12,270 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:12,302 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:12,332 [root] DEBUG: Loader: Injecting process 1240 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:12,348 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:12,364 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:12,394 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:12,427 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:12,441 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:12,473 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:12,489 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1240 at 0x747e0000, image base 0xdc0000, stack from 0xb76000-0xb80000
2019-07-11 03:08:12,519 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:12,536 [root] INFO: Added new process to list with pid: 1240
2019-07-11 03:08:12,551 [root] INFO: Monitor successfully loaded in process with pid 1240.
2019-07-11 03:08:12,566 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:12,598 [root] DEBUG: DLL loaded at 0x04540000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:12,614 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:12,644 [root] DEBUG: DLL unloaded from 0x04540000.
2019-07-11 03:08:12,676 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:12,707 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:12,723 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:12,739 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1240, error: -8
2019-07-11 03:08:13,783 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:14,812 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1240
2019-07-11 03:08:14,845 [root] DEBUG: GetHookCallerBase: thread 2820 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:14,859 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:14,875 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:14,907 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:14,984 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1240_16472721801428511472019
2019-07-11 03:08:15,016 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:15,032 [root] INFO: Notified of termination of process with pid 1240.
2019-07-11 03:08:15,062 [root] DEBUG: Terminate Event: Process 1240 has already been dumped(!)
2019-07-11 03:08:15,280 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3204
2019-07-11 03:08:15,312 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:15,344 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:15,358 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:15,391 [root] DEBUG: Loader: Injecting process 3204 (thread 3208) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:15,405 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:15,437 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:15,453 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:15,483 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:15,500 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:15,530 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:15,546 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3204
2019-07-11 03:08:15,578 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3204
2019-07-11 03:08:15,592 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:15,608 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:15,640 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:15,671 [root] DEBUG: Loader: Injecting process 3204 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:15,687 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:15,717 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:15,733 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:15,765 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:15,796 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:15,812 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:15,842 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3204 at 0x747e0000, image base 0xdc0000, stack from 0xa26000-0xa30000
2019-07-11 03:08:15,858 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:15,890 [root] INFO: Added new process to list with pid: 3204
2019-07-11 03:08:15,890 [root] INFO: Monitor successfully loaded in process with pid 3204.
2019-07-11 03:08:15,921 [root] INFO: Process with pid 1240 has terminated
2019-07-11 03:08:15,921 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:15,951 [root] DEBUG: DLL loaded at 0x03FF0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:15,967 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:15,999 [root] DEBUG: DLL unloaded from 0x03FF0000.
2019-07-11 03:08:16,015 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:16,046 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:16,061 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:16,076 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3204, error: -8
2019-07-11 03:08:17,184 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:18,213 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3204
2019-07-11 03:08:18,244 [root] DEBUG: GetHookCallerBase: thread 3208 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:18,260 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:18,292 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:18,308 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:18,385 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3204_19880024191828511472019
2019-07-11 03:08:18,417 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:18,433 [root] INFO: Notified of termination of process with pid 3204.
2019-07-11 03:08:18,463 [root] DEBUG: Terminate Event: Process 3204 has already been dumped(!)
2019-07-11 03:08:18,667 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3452
2019-07-11 03:08:18,713 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:18,729 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:18,759 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:18,776 [root] DEBUG: Loader: Injecting process 3452 (thread 3456) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:18,806 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:18,822 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:18,838 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:18,868 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:18,901 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:18,915 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:18,931 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3452
2019-07-11 03:08:18,963 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3452
2019-07-11 03:08:18,979 [root] INFO: Process with pid 3204 has terminated
2019-07-11 03:08:18,993 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:19,009 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:19,040 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:19,056 [root] DEBUG: Loader: Injecting process 3452 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:19,088 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:19,102 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:19,134 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:19,150 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:19,180 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:19,213 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:19,227 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3452 at 0x747e0000, image base 0xdc0000, stack from 0xbd6000-0xbe0000
2019-07-11 03:08:19,259 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:19,290 [root] INFO: Added new process to list with pid: 3452
2019-07-11 03:08:19,305 [root] INFO: Monitor successfully loaded in process with pid 3452.
2019-07-11 03:08:19,322 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:19,352 [root] DEBUG: DLL loaded at 0x001D0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:19,368 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:19,400 [root] DEBUG: DLL unloaded from 0x001D0000.
2019-07-11 03:08:19,414 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:19,447 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:19,461 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:19,477 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3452, error: -8
2019-07-11 03:08:20,585 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:21,631 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3452
2019-07-11 03:08:21,645 [root] DEBUG: GetHookCallerBase: thread 3456 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:21,677 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:21,693 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:21,709 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:21,802 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3452_11671982442128511472019
2019-07-11 03:08:21,832 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:21,848 [root] INFO: Notified of termination of process with pid 3452.
2019-07-11 03:08:21,880 [root] DEBUG: Terminate Event: Process 3452 has already been dumped(!)
2019-07-11 03:08:22,036 [root] INFO: Process with pid 3452 has terminated
2019-07-11 03:08:22,066 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3700
2019-07-11 03:08:22,098 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:22,114 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:22,144 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:22,177 [root] DEBUG: Loader: Injecting process 3700 (thread 3704) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:22,207 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:22,223 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:22,255 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:22,286 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:22,301 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:22,332 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:22,348 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3700
2019-07-11 03:08:22,364 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3700
2019-07-11 03:08:22,394 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:22,411 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:22,441 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:22,457 [root] DEBUG: Loader: Injecting process 3700 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:22,489 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:22,503 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:22,535 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:22,551 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:22,598 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:22,612 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:22,644 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3700 at 0x747e0000, image base 0xdc0000, stack from 0xb56000-0xb60000
2019-07-11 03:08:22,660 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:22,690 [root] INFO: Added new process to list with pid: 3700
2019-07-11 03:08:22,707 [root] INFO: Monitor successfully loaded in process with pid 3700.
2019-07-11 03:08:22,723 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:22,753 [root] DEBUG: DLL loaded at 0x04620000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:22,785 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:22,801 [root] DEBUG: DLL unloaded from 0x04620000.
2019-07-11 03:08:22,832 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:22,846 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:22,878 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:22,894 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3700, error: -8
2019-07-11 03:08:23,924 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:24,969 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3700
2019-07-11 03:08:24,984 [root] DEBUG: GetHookCallerBase: thread 3704 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:25,016 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:25,030 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:25,046 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:25,155 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3700_6089326512528511472019
2019-07-11 03:08:25,171 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:25,187 [root] INFO: Notified of termination of process with pid 3700.
2019-07-11 03:08:25,219 [root] DEBUG: Terminate Event: Process 3700 has already been dumped(!)
2019-07-11 03:08:25,467 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3956
2019-07-11 03:08:25,515 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:25,530 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:25,562 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:25,576 [root] DEBUG: Loader: Injecting process 3956 (thread 3960) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:25,608 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:25,624 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:25,654 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:25,671 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:25,701 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:25,717 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:25,733 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3956
2019-07-11 03:08:25,765 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3956
2019-07-11 03:08:25,811 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:25,811 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:25,842 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:25,874 [root] DEBUG: Loader: Injecting process 3956 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:25,904 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:25,936 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:25,951 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:25,983 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:26,013 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:26,045 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:26,061 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3956 at 0x747e0000, image base 0xdc0000, stack from 0xcd6000-0xce0000
2019-07-11 03:08:26,092 [root] INFO: Process with pid 3700 has terminated
2019-07-11 03:08:26,092 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:26,138 [root] INFO: Added new process to list with pid: 3956
2019-07-11 03:08:26,154 [root] INFO: Monitor successfully loaded in process with pid 3956.
2019-07-11 03:08:26,186 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:26,217 [root] DEBUG: DLL loaded at 0x05140000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:26,233 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:26,263 [root] DEBUG: DLL unloaded from 0x05140000.
2019-07-11 03:08:26,279 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:26,311 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:26,342 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:26,357 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3956, error: -8
2019-07-11 03:08:27,371 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:28,417 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3956
2019-07-11 03:08:28,447 [root] DEBUG: GetHookCallerBase: thread 3960 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:28,463 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:28,494 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:28,526 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:28,604 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3956_1692632722828511472019
2019-07-11 03:08:28,634 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:28,665 [root] INFO: Notified of termination of process with pid 3956.
2019-07-11 03:08:28,681 [root] DEBUG: Terminate Event: Process 3956 has already been dumped(!)
2019-07-11 03:08:28,900 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3180
2019-07-11 03:08:28,930 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:28,947 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:28,977 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:28,993 [root] DEBUG: Loader: Injecting process 3180 (thread 3184) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:29,025 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:29,055 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:29,072 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:29,102 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:29,118 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:29,150 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:29,150 [root] INFO: Process with pid 3956 has terminated
2019-07-11 03:08:29,164 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3180
2019-07-11 03:08:29,180 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3180
2019-07-11 03:08:29,211 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:29,227 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:29,259 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:29,289 [root] DEBUG: Loader: Injecting process 3180 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:29,305 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:29,321 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:29,352 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:29,384 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:29,414 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:29,446 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:29,476 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3180 at 0x747e0000, image base 0xdc0000, stack from 0xb96000-0xba0000
2019-07-11 03:08:29,493 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:29,523 [root] INFO: Added new process to list with pid: 3180
2019-07-11 03:08:29,539 [root] INFO: Monitor successfully loaded in process with pid 3180.
2019-07-11 03:08:29,571 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:29,586 [root] DEBUG: DLL loaded at 0x02A30000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:29,618 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:29,648 [root] DEBUG: DLL unloaded from 0x02A30000.
2019-07-11 03:08:29,680 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:29,696 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:29,710 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:29,743 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3180, error: -8
2019-07-11 03:08:30,756 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:31,816 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3180
2019-07-11 03:08:31,832 [root] DEBUG: GetHookCallerBase: thread 3184 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:31,864 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:31,880 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:31,911 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:32,005 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3180_20473324323128511472019
2019-07-11 03:08:32,036 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:32,051 [root] INFO: Notified of termination of process with pid 3180.
2019-07-11 03:08:32,082 [root] DEBUG: Terminate Event: Process 3180 has already been dumped(!)
2019-07-11 03:08:32,207 [root] INFO: Process with pid 3180 has terminated
2019-07-11 03:08:32,332 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3444
2019-07-11 03:08:32,378 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:32,394 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:32,426 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:32,457 [root] DEBUG: Loader: Injecting process 3444 (thread 3448) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:32,473 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:32,503 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:32,535 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:32,551 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:32,582 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:32,596 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:32,612 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3444
2019-07-11 03:08:32,644 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3444
2019-07-11 03:08:32,674 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:32,690 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:32,721 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:32,737 [root] DEBUG: Loader: Injecting process 3444 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:32,769 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:32,785 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:32,815 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:32,846 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:32,878 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:32,908 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:32,924 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3444 at 0x747e0000, image base 0xdc0000, stack from 0xb36000-0xb40000
2019-07-11 03:08:32,956 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:32,971 [root] INFO: Added new process to list with pid: 3444
2019-07-11 03:08:33,003 [root] INFO: Monitor successfully loaded in process with pid 3444.
2019-07-11 03:08:33,019 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:33,049 [root] DEBUG: DLL loaded at 0x03E70000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:33,065 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:33,096 [root] DEBUG: DLL unloaded from 0x03E70000.
2019-07-11 03:08:33,128 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:33,142 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:33,174 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:33,190 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3444, error: -8
2019-07-11 03:08:34,141 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:35,187 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3444
2019-07-11 03:08:35,203 [root] DEBUG: GetHookCallerBase: thread 3448 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:35,233 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:35,249 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:35,280 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:35,374 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3444_6840855443528511472019
2019-07-11 03:08:35,404 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:35,421 [root] INFO: Notified of termination of process with pid 3444.
2019-07-11 03:08:35,437 [root] DEBUG: Terminate Event: Process 3444 has already been dumped(!)
2019-07-11 03:08:35,686 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3736
2019-07-11 03:08:35,717 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:35,749 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:35,779 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:35,795 [root] DEBUG: Loader: Injecting process 3736 (thread 3740) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:35,826 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:35,858 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:35,872 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:35,904 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:35,920 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:35,950 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:35,967 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3736
2019-07-11 03:08:35,997 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3736
2019-07-11 03:08:36,029 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:36,045 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:36,075 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:36,107 [root] DEBUG: Loader: Injecting process 3736 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:36,122 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:36,154 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:36,184 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:36,200 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:36,232 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:36,263 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:36,263 [root] INFO: Process with pid 3444 has terminated
2019-07-11 03:08:36,295 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3736 at 0x747e0000, image base 0xdc0000, stack from 0xa96000-0xaa0000
2019-07-11 03:08:36,325 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:36,341 [root] INFO: Added new process to list with pid: 3736
2019-07-11 03:08:36,357 [root] INFO: Monitor successfully loaded in process with pid 3736.
2019-07-11 03:08:36,388 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:36,418 [root] DEBUG: DLL loaded at 0x03F10000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:36,434 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:36,466 [root] DEBUG: DLL unloaded from 0x03F10000.
2019-07-11 03:08:36,496 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:36,513 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:36,543 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:36,559 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3736, error: -8
2019-07-11 03:08:37,510 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:38,556 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3736
2019-07-11 03:08:38,572 [root] DEBUG: GetHookCallerBase: thread 3740 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:38,602 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000C0000.
2019-07-11 03:08:38,634 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000C0000.
2019-07-11 03:08:38,665 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:38,743 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3736_1100244903828511472019
2019-07-11 03:08:38,775 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:38,805 [root] INFO: Notified of termination of process with pid 3736.
2019-07-11 03:08:38,822 [root] DEBUG: Terminate Event: Process 3736 has already been dumped(!)
2019-07-11 03:08:39,134 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3980
2019-07-11 03:08:39,180 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:39,211 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:39,243 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:39,259 [root] DEBUG: Loader: Injecting process 3980 (thread 3976) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:39,289 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:39,305 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:39,336 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:39,336 [root] INFO: Process with pid 3736 has terminated
2019-07-11 03:08:39,351 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:39,382 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:39,414 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:39,430 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3980
2019-07-11 03:08:39,460 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3980
2019-07-11 03:08:39,493 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:39,507 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:39,539 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:39,571 [root] DEBUG: Loader: Injecting process 3980 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:39,585 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:39,617 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:39,648 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:39,680 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:39,710 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:39,742 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:39,757 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3980 at 0x747e0000, image base 0xdc0000, stack from 0xc16000-0xc20000
2019-07-11 03:08:39,789 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:39,805 [root] INFO: Added new process to list with pid: 3980
2019-07-11 03:08:39,819 [root] INFO: Monitor successfully loaded in process with pid 3980.
2019-07-11 03:08:39,851 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:39,867 [root] DEBUG: DLL loaded at 0x00C20000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:39,898 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:39,928 [root] DEBUG: DLL unloaded from 0x00C20000.
2019-07-11 03:08:39,944 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:39,976 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:39,992 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:40,023 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3980, error: -8
2019-07-11 03:08:40,897 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:41,926 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3980
2019-07-11 03:08:41,941 [root] DEBUG: GetHookCallerBase: thread 3976 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:41,957 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:41,989 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:42,019 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:42,112 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3980_18797217254228511472019
2019-07-11 03:08:42,128 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:42,160 [root] INFO: Notified of termination of process with pid 3980.
2019-07-11 03:08:42,190 [root] DEBUG: Terminate Event: Process 3980 has already been dumped(!)
2019-07-11 03:08:42,410 [root] INFO: Process with pid 3980 has terminated
2019-07-11 03:08:42,519 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3080
2019-07-11 03:08:42,549 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:42,581 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:42,612 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:42,628 [root] DEBUG: Loader: Injecting process 3080 (thread 3196) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:42,658 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:42,674 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:42,706 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:42,736 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:42,753 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:42,783 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:42,799 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3080
2019-07-11 03:08:42,846 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3080
2019-07-11 03:08:42,861 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:42,892 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:42,924 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:42,956 [root] DEBUG: Loader: Injecting process 3080 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:42,986 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:43,003 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:43,033 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:43,065 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:43,095 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:43,127 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:43,142 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3080 at 0x747e0000, image base 0xdc0000, stack from 0xc26000-0xc30000
2019-07-11 03:08:43,174 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:43,204 [root] INFO: Added new process to list with pid: 3080
2019-07-11 03:08:43,220 [root] INFO: Monitor successfully loaded in process with pid 3080.
2019-07-11 03:08:43,236 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:43,267 [root] DEBUG: DLL loaded at 0x042E0000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:43,282 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:43,315 [root] DEBUG: DLL unloaded from 0x042E0000.
2019-07-11 03:08:43,329 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:43,361 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:43,377 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:43,407 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3080, error: -8
2019-07-11 03:08:44,328 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-07-11 03:08:45,374 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3080
2019-07-11 03:08:45,388 [root] DEBUG: GetHookCallerBase: thread 3196 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-07-11 03:08:45,436 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00080000.
2019-07-11 03:08:45,451 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-07-11 03:08:45,451 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00080000.
2019-07-11 03:08:45,467 [root] INFO: Created shutdown mutex.
2019-07-11 03:08:45,483 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001A1F8.
2019-07-11 03:08:45,592 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3080_17704633354528511472019
2019-07-11 03:08:45,622 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1c200.
2019-07-11 03:08:45,638 [root] INFO: Notified of termination of process with pid 3080.
2019-07-11 03:08:45,670 [root] DEBUG: Terminate Event: Process 3080 has already been dumped(!)
2019-07-11 03:08:45,997 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3424
2019-07-11 03:08:46,045 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:46,059 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:46,091 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:46,107 [root] DEBUG: Loader: Injecting process 3424 (thread 3428) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:46,138 [root] DEBUG: Process image base: 0x00DC0000
2019-07-11 03:08:46,168 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:46,184 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EF3000 - 0x77110000
2019-07-11 03:08:46,216 [root] DEBUG: InjectDllViaIAT: Allocated 0x2b8 bytes for new import table at 0x00F00000.
2019-07-11 03:08:46,246 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-07-11 03:08:46,263 [root] DEBUG: Successfully injected DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:46,279 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3424
2019-07-11 03:08:46,309 [root] INFO: Announced 32-bit process name: 201907060947039062.exe pid: 3424
2019-07-11 03:08:46,341 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-07-11 03:08:46,357 [lib.api.process] INFO: 32-bit DLL to inject is C:\hjcplavoq\dll\WdAVpQZT.dll, loader C:\hjcplavoq\bin\Odtmjls.exe
2019-07-11 03:08:46,403 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\USfOmwe.
2019-07-11 03:08:46,434 [root] DEBUG: Loader: Injecting process 3424 (thread 0) with C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:46,466 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-07-11 03:08:46,496 [root] INFO: Setting terminate event for process 1332.
2019-07-11 03:08:46,496 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-07-11 03:08:46,513 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1332
2019-07-11 03:08:46,528 [root] DEBUG: Terminate Event: Attempting to dump process 1332
2019-07-11 03:08:46,528 [root] INFO: Terminating process 1332 before shutdown.
2019-07-11 03:08:46,543 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-07-11 03:08:46,543 [root] INFO: Waiting for process 1332 to exit.
2019-07-11 03:08:46,543 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00DC0000.
2019-07-11 03:08:46,575 [root] DEBUG: Process dumps enabled.
2019-07-11 03:08:46,605 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00DC0000.
2019-07-11 03:08:46,621 [root] INFO: Disabling sleep skipping.
2019-07-11 03:08:46,637 [root] DEBUG: DumpProcess: Module entry point VA is 0x0002800A.
2019-07-11 03:08:46,668 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-07-11 03:08:46,700 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3424 at 0x747e0000, image base 0xdc0000, stack from 0xc76000-0xc80000
2019-07-11 03:08:46,730 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\201907060947039062.exe".
2019-07-11 03:08:46,762 [root] INFO: Added new process to list with pid: 3424
2019-07-11 03:08:46,778 [root] INFO: Monitor successfully loaded in process with pid 3424.
2019-07-11 03:08:46,792 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\1332_1382841055468211472019
2019-07-11 03:08:46,809 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2019-07-11 03:08:46,809 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x130e00.
2019-07-11 03:08:46,839 [root] DEBUG: DLL loaded at 0x00C80000: C:\hjcplavoq\dll\WdAVpQZT (0xb3000 bytes).
2019-07-11 03:08:46,871 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-07-11 03:08:46,903 [root] DEBUG: DLL unloaded from 0x00C80000.
2019-07-11 03:08:46,934 [root] DEBUG: Error 1114 (0x45a) - InjectDllViaThread: RtlCreateUserThread injection failed: A dynamic link library (DLL) initialization routine failed.
2019-07-11 03:08:46,948 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-07-11 03:08:46,980 [root] DEBUG: Failed to inject DLL C:\hjcplavoq\dll\WdAVpQZT.dll.
2019-07-11 03:08:46,996 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3424, error: -8
2019-07-11 03:08:47,588 [root] INFO: Terminating process 3080 before shutdown.
2019-07-11 03:08:47,605 [root] INFO: Setting terminate event for process 3424.
2019-07-11 03:08:47,619 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 3424
2019-07-11 03:08:47,635 [root] DEBUG: Terminate Event: Attempting to dump process 3424
2019-07-11 03:08:47,651 [root] INFO: Terminating process 3424 before shutdown.
2019-07-11 03:08:47,667 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00DC0000.
2019-07-11 03:08:47,667 [root] INFO: Waiting for process 3424 to exit.
2019-07-11 03:08:47,683 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00DC0000.
2019-07-11 03:08:47,713 [root] DEBUG: DumpProcess: Module entry point VA is 0x0002800A.
2019-07-11 03:08:47,822 [root] INFO: Added new CAPE file to list with path: C:\fVxfVt\CAPE\3424_1312497965478211472019
2019-07-11 03:08:47,854 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x12d000.
2019-07-11 03:08:48,711 [root] INFO: Shutting down package.
2019-07-11 03:08:48,727 [root] INFO: Stopping auxiliary modules.
2019-07-11 03:08:48,743 [root] INFO: Finishing auxiliary modules.
2019-07-11 03:08:48,759 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-07-11 03:08:48,775 [root] WARNING: File at path "C:\fVxfVt\debugger" does not exist, skip.
2019-07-11 03:08:48,789 [root] INFO: Analysis completed.

MalScore

10.0

Azorult

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-07-11 02:05:20 2019-07-11 02:09:05

File Details

File Name 201907060947039062.exe
File Size 1232384 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 387973b7e3f3e06d0fb5dbd1f355a624
SHA1 37873e88c56bc3e2dac4514a151c55cc81c2bd5c
SHA256 ed7c0a248904a026a0e3cabded2aa55607626b8c6cfc8ba76811feed157ecea8
SHA512 4a2d099b49e494c753a41e1627b7bd168516f0ba55240ca3732ea825f55b4efe9a382bc7ce169a9205e195ce393c1efc3da981b51304123496f60f673f591a27
CRC32 04659FD2
Ssdeep 24576:8AHnh+eWsN3skA4RV1Hom2KXMmHawymc3MAdsSAeLNqAv5:bh+ZkldoPK8Yawym67NAeZq0
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2376 triggered the Yara rule 'Azorult'
Hit: PID 2876 triggered the Yara rule 'Azorult'
Hit: PID 3032 triggered the Yara rule 'Azorult'
Hit: PID 2296 triggered the Yara rule 'Azorult'
Hit: PID 1924 triggered the Yara rule 'Azorult'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: 201907060947039062.exe, PID 2376
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/Wow64RevertWow64FsRedirection
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: SHELL32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/FindResourceW
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/LockResource
DynamicLoader: ADVAPI32.dll/CryptAcquireContext
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: CRYPTSP.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: LPK.dll/LpkEditControl
Expresses interest in specific running processes
process: 201907060947039062.exe
Reads data out of its own binary image
self_read: process: 201907060947039062.exe, pid: 1332, offset: 0x00000000, length: 0x0012ce00
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.49, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00062800, virtual_size: 0x000627e0
Behavioural detection: Injection (Process Hollowing)
Injection: 201907060947039062.exe(1332) -> 201907060947039062.exe(2376)
Executed a process and injected code into it, probably while unpacking
Injection: 201907060947039062.exe(1332) -> 201907060947039062.exe(2376)
Behavioural detection: Injection (inter-process)
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vMJZLtFktw
data: C:\Users\Public\vMJZLtFktw.vbs
CAPE detected the Azorult malware family
Creates a slightly modified copy of itself
file: C:\Users\user\AppData\Local\Temp\WWAHost\wbengine.bat
percent_match: 100
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Windows\WindowsShell.Manifest
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\201907060947039062.exe
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\WWAHost\wbengine.bat
C:\Users\user\AppData\Local\Temp\WWAHost\
C:\Users\user\AppData\Local\Temp\WWAHost
C:\Users\Public\vMJZLtFktw.vbs
C:\Windows\WindowsShell.Manifest
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\201907060947039062.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\WWAHost\wbengine.bat
C:\Users\Public\vMJZLtFktw.vbs
C:\Users\user\AppData\Local\Temp\WWAHost\wbengine.bat
C:\Users\Public\vMJZLtFktw.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Control Panel\Mouse
HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\201907060947039062.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vMJZLtFktw
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vMJZLtFktw
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vMJZLtFktw
lpk.dll.LpkEditControl
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.GetNativeSystemInfo
cryptbase.dll.SystemFunction036
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.Wow64RevertWow64FsRedirection
comctl32.dll.RegisterClassNameW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
uxtheme.dll.OpenThemeData
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmAssociateContext
imm32.dll.ImmIsIME
shell32.dll.#66
ole32.dll.CoTaskMemFree
kernel32.dll.GetVersionExW
kernel32.dll.FindResourceW
kernel32.dll.SizeofResource
kernel32.dll.LoadResource
kernel32.dll.LockResource
advapi32.dll.CryptAcquireContextA
cryptsp.dll.CryptAcquireContextA
advapi32.dll.CryptCreateHash
cryptsp.dll.CryptCreateHash
advapi32.dll.CryptHashData
cryptsp.dll.CryptHashData
advapi32.dll.CryptDeriveKey
cryptsp.dll.CryptDeriveKey
advapi32.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyHash
advapi32.dll.CryptDecrypt
cryptsp.dll.CryptDecrypt
advapi32.dll.CryptDestroyKey
cryptsp.dll.CryptDestroyKey
advapi32.dll.CryptReleaseContext
cryptsp.dll.CryptReleaseContext
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.OpenProcess

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x0042800a
Reported Checksum 0x0011617a
Actual Checksum 0x0012defb
Minimum OS Version 5.1
Compile Time 2019-07-10 10:35:45
Import Hash afcdf79be1557326c854b6e20cb900a7

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0008dfdd 0x0008e000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.68
.rdata 0x0008f000 0x0002fd8e 0x0002fe00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.76
.data 0x000bf000 0x00008f74 0x00005200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.20
.rsrc 0x000c8000 0x000627e0 0x00062800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.49
.reloc 0x0012b000 0x00007134 0x00007200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.78

Imports

Library WSOCK32.dll:
0x48f7c8 WSACleanup
0x48f7cc socket
0x48f7d0 inet_ntoa
0x48f7d4 setsockopt
0x48f7d8 ntohs
0x48f7dc recvfrom
0x48f7e0 ioctlsocket
0x48f7e4 htons
0x48f7e8 WSAStartup
0x48f7ec __WSAFDIsSet
0x48f7f0 select
0x48f7f4 accept
0x48f7f8 listen
0x48f7fc bind
0x48f800 closesocket
0x48f804 WSAGetLastError
0x48f808 recv
0x48f80c sendto
0x48f810 send
0x48f814 inet_addr
0x48f818 gethostbyname
0x48f81c gethostname
0x48f820 connect
Library VERSION.dll:
0x48f76c GetFileVersionInfoW
0x48f774 VerQueryValueW
Library WINMM.dll:
0x48f7b8 timeGetTime
0x48f7bc waveOutSetVolume
0x48f7c0 mciSendStringW
Library COMCTL32.dll:
0x48f08c ImageList_Destroy
0x48f090 ImageList_Remove
0x48f098 ImageList_BeginDrag
0x48f09c ImageList_DragEnter
0x48f0a0 ImageList_DragLeave
0x48f0a4 ImageList_EndDrag
0x48f0a8 ImageList_DragMove
0x48f0b0 ImageList_Create
Library MPR.dll:
0x48f3f8 WNetUseConnectionW
0x48f400 WNetGetConnectionW
0x48f404 WNetAddConnection2W
Library WININET.dll:
0x48f780 InternetCloseHandle
0x48f784 InternetOpenW
0x48f788 InternetSetOptionW
0x48f78c InternetCrackUrlW
0x48f790 HttpQueryInfoW
0x48f798 HttpOpenRequestW
0x48f79c HttpSendRequestW
0x48f7a0 FtpOpenFileW
0x48f7a4 FtpGetFileSize
0x48f7a8 InternetOpenUrlW
0x48f7ac InternetReadFile
0x48f7b0 InternetConnectW
Library PSAPI.DLL:
Library IPHLPAPI.DLL:
0x48f154 IcmpCreateFile
0x48f158 IcmpCloseHandle
0x48f15c IcmpSendEcho
Library USERENV.dll:
0x48f754 UnloadUserProfile
0x48f75c LoadUserProfileW
Library UxTheme.dll:
0x48f764 IsThemeActive
Library KERNEL32.dll:
0x48f164 DuplicateHandle
0x48f168 CreateThread
0x48f16c WaitForSingleObject
0x48f170 HeapAlloc
0x48f174 GetProcessHeap
0x48f178 HeapFree
0x48f17c Sleep
0x48f180 GetCurrentThreadId
0x48f184 MultiByteToWideChar
0x48f188 MulDiv
0x48f18c GetVersionExW
0x48f190 IsWow64Process
0x48f194 GetSystemInfo
0x48f198 FreeLibrary
0x48f19c LoadLibraryA
0x48f1a0 GetProcAddress
0x48f1a4 SetErrorMode
0x48f1a8 GetModuleFileNameW
0x48f1ac WideCharToMultiByte
0x48f1b0 lstrcpyW
0x48f1b4 lstrlenW
0x48f1b8 GetModuleHandleW
0x48f1c0 VirtualFreeEx
0x48f1c4 OpenProcess
0x48f1c8 VirtualAllocEx
0x48f1cc WriteProcessMemory
0x48f1d0 ReadProcessMemory
0x48f1d4 CreateFileW
0x48f1d8 SetFilePointerEx
0x48f1dc SetEndOfFile
0x48f1e0 ReadFile
0x48f1e4 WriteFile
0x48f1e8 FlushFileBuffers
0x48f1ec TerminateProcess
0x48f1f4 Process32FirstW
0x48f1f8 Process32NextW
0x48f1fc SetFileTime
0x48f200 GetFileAttributesW
0x48f204 FindFirstFileW
0x48f20c GetLongPathNameW
0x48f210 GetShortPathNameW
0x48f214 DeleteFileW
0x48f218 FindNextFileW
0x48f21c CopyFileExW
0x48f220 MoveFileW
0x48f224 CreateDirectoryW
0x48f228 RemoveDirectoryW
0x48f22c SetSystemPowerState
0x48f234 FindResourceW
0x48f238 LoadResource
0x48f23c LockResource
0x48f240 SizeofResource
0x48f244 EnumResourceNamesW
0x48f248 OutputDebugStringW
0x48f24c GetTempPathW
0x48f250 GetTempFileNameW
0x48f254 DeviceIoControl
0x48f258 GetLocalTime
0x48f25c CompareStringW
0x48f260 GetCurrentProcess
0x48f26c GetStdHandle
0x48f270 CreatePipe
0x48f274 InterlockedExchange
0x48f278 TerminateThread
0x48f27c LoadLibraryExW
0x48f280 FindResourceExW
0x48f284 CopyFileW
0x48f288 VirtualFree
0x48f28c FormatMessageW
0x48f290 GetExitCodeProcess
0x48f2b8 GetDriveTypeW
0x48f2bc GetDiskFreeSpaceExW
0x48f2c0 GetDiskFreeSpaceW
0x48f2c8 SetVolumeLabelW
0x48f2cc CreateHardLinkW
0x48f2d0 SetFileAttributesW
0x48f2d4 CreateEventW
0x48f2d8 SetEvent
0x48f2e4 GlobalLock
0x48f2e8 GlobalUnlock
0x48f2ec GlobalAlloc
0x48f2f0 GetFileSize
0x48f2f4 GlobalFree
0x48f2fc Beep
0x48f300 GetSystemDirectoryW
0x48f304 HeapReAlloc
0x48f308 HeapSize
0x48f30c GetComputerNameW
0x48f314 GetCurrentProcessId
0x48f31c CreateProcessW
0x48f320 GetProcessId
0x48f324 SetPriorityClass
0x48f328 LoadLibraryW
0x48f32c VirtualAlloc
0x48f330 IsDebuggerPresent
0x48f338 lstrcmpiW
0x48f33c DecodePointer
0x48f340 GetLastError
0x48f344 RaiseException
0x48f358 GetCurrentThread
0x48f35c CloseHandle
0x48f360 GetFullPathNameW
0x48f364 EncodePointer
0x48f368 ExitProcess
0x48f36c GetModuleHandleExW
0x48f370 ExitThread
0x48f378 ResumeThread
0x48f37c GetCommandLineW
0x48f384 IsValidCodePage
0x48f388 GetACP
0x48f38c GetOEMCP
0x48f390 GetCPInfo
0x48f394 SetLastError
0x48f3a0 TlsAlloc
0x48f3a4 TlsGetValue
0x48f3a8 TlsSetValue
0x48f3ac TlsFree
0x48f3b0 GetStartupInfoW
0x48f3b4 GetStringTypeW
0x48f3b8 SetStdHandle
0x48f3bc GetFileType
0x48f3c0 GetConsoleCP
0x48f3c4 GetConsoleMode
0x48f3c8 RtlUnwind
0x48f3cc ReadConsoleW
0x48f3d4 GetDateFormatW
0x48f3d8 GetTimeFormatW
0x48f3dc LCMapStringW
0x48f3e8 WriteConsoleW
0x48f3ec FindClose
Library USER32.dll:
0x48f4cc AdjustWindowRectEx
0x48f4d0 CopyImage
0x48f4d4 SetWindowPos
0x48f4d8 GetCursorInfo
0x48f4dc RegisterHotKey
0x48f4e0 ClientToScreen
0x48f4e8 IsCharAlphaW
0x48f4ec IsCharAlphaNumericW
0x48f4f0 IsCharLowerW
0x48f4f4 IsCharUpperW
0x48f4f8 GetMenuStringW
0x48f4fc GetSubMenu
0x48f500 GetCaretPos
0x48f504 IsZoomed
0x48f508 MonitorFromPoint
0x48f50c GetMonitorInfoW
0x48f510 SetWindowLongW
0x48f518 FlashWindow
0x48f51c GetClassLongW
0x48f524 IsDialogMessageW
0x48f528 GetSysColor
0x48f52c InflateRect
0x48f530 DrawFocusRect
0x48f534 DrawTextW
0x48f538 FrameRect
0x48f53c DrawFrameControl
0x48f540 FillRect
0x48f544 PtInRect
0x48f550 SetCursor
0x48f554 GetWindowDC
0x48f558 GetSystemMetrics
0x48f55c GetActiveWindow
0x48f560 CharNextW
0x48f564 wsprintfW
0x48f568 RedrawWindow
0x48f56c DrawMenuBar
0x48f570 DestroyMenu
0x48f574 SetMenu
0x48f57c CreateMenu
0x48f580 IsDlgButtonChecked
0x48f584 DefDlgProcW
0x48f588 CallWindowProcW
0x48f58c ReleaseCapture
0x48f590 SetCapture
0x48f598 mouse_event
0x48f59c ExitWindowsEx
0x48f5a0 SetActiveWindow
0x48f5a4 FindWindowExW
0x48f5a8 EnumThreadWindows
0x48f5ac SetMenuDefaultItem
0x48f5b0 InsertMenuItemW
0x48f5b4 IsMenu
0x48f5b8 TrackPopupMenuEx
0x48f5bc GetCursorPos
0x48f5c0 DeleteMenu
0x48f5c4 SetRect
0x48f5c8 GetMenuItemID
0x48f5cc GetMenuItemCount
0x48f5d0 SetMenuItemInfoW
0x48f5d4 GetMenuItemInfoW
0x48f5d8 SetForegroundWindow
0x48f5dc IsIconic
0x48f5e0 FindWindowW
0x48f5e4 MonitorFromRect
0x48f5e8 keybd_event
0x48f5ec SendInput
0x48f5f0 GetAsyncKeyState
0x48f5f4 SetKeyboardState
0x48f5f8 GetKeyboardState
0x48f5fc GetKeyState
0x48f600 VkKeyScanW
0x48f604 LoadStringW
0x48f608 DialogBoxParamW
0x48f60c MessageBeep
0x48f610 EndDialog
0x48f614 SendDlgItemMessageW
0x48f618 GetDlgItem
0x48f61c SetWindowTextW
0x48f620 CopyRect
0x48f624 ReleaseDC
0x48f628 GetDC
0x48f62c EndPaint
0x48f630 BeginPaint
0x48f634 GetClientRect
0x48f638 GetMenu
0x48f63c DestroyWindow
0x48f640 EnumWindows
0x48f644 GetDesktopWindow
0x48f648 IsWindow
0x48f64c IsWindowEnabled
0x48f650 IsWindowVisible
0x48f654 EnableWindow
0x48f658 InvalidateRect
0x48f65c GetWindowLongW
0x48f664 AttachThreadInput
0x48f668 GetFocus
0x48f66c GetWindowTextW
0x48f670 ScreenToClient
0x48f674 SendMessageTimeoutW
0x48f678 EnumChildWindows
0x48f67c CharUpperBuffW
0x48f680 GetParent
0x48f684 GetDlgCtrlID
0x48f688 SendMessageW
0x48f68c MapVirtualKeyW
0x48f690 PostMessageW
0x48f694 GetWindowRect
0x48f69c CloseDesktop
0x48f6a0 CloseWindowStation
0x48f6a4 OpenDesktopW
0x48f6b0 OpenWindowStationW
0x48f6b8 MessageBoxW
0x48f6bc DefWindowProcW
0x48f6c0 SetClipboardData
0x48f6c4 EmptyClipboard
0x48f6cc CloseClipboard
0x48f6d0 GetClipboardData
0x48f6d8 OpenClipboard
0x48f6dc BlockInput
0x48f6e0 GetMessageW
0x48f6e4 LockWindowUpdate
0x48f6e8 DispatchMessageW
0x48f6ec TranslateMessage
0x48f6f0 PeekMessageW
0x48f6f4 UnregisterHotKey
0x48f6f8 CheckMenuRadioItem
0x48f6fc CharLowerBuffW
0x48f700 MoveWindow
0x48f704 SetFocus
0x48f708 PostQuitMessage
0x48f70c KillTimer
0x48f710 CreatePopupMenu
0x48f718 SetTimer
0x48f71c ShowWindow
0x48f720 CreateWindowExW
0x48f724 RegisterClassExW
0x48f728 LoadIconW
0x48f72c LoadCursorW
0x48f730 GetSysColorBrush
0x48f734 GetForegroundWindow
0x48f738 MessageBoxA
0x48f73c DestroyIcon
0x48f744 LoadImageW
0x48f748 GetClassNameW
Library GDI32.dll:
0x48f0c4 StrokePath
0x48f0c8 DeleteObject
0x48f0d0 ExtCreatePen
0x48f0d4 GetDeviceCaps
0x48f0d8 EndPath
0x48f0dc SetPixel
0x48f0e0 CloseFigure
0x48f0e8 CreateCompatibleDC
0x48f0ec SelectObject
0x48f0f0 StretchBlt
0x48f0f4 GetDIBits
0x48f0f8 LineTo
0x48f0fc AngleArc
0x48f100 MoveToEx
0x48f104 Ellipse
0x48f108 DeleteDC
0x48f10c GetPixel
0x48f110 CreateDCW
0x48f114 GetStockObject
0x48f118 GetTextFaceW
0x48f11c CreateFontW
0x48f120 SetTextColor
0x48f124 PolyDraw
0x48f128 BeginPath
0x48f12c Rectangle
0x48f130 SetViewportOrgEx
0x48f134 GetObjectW
0x48f138 SetBkMode
0x48f13c RoundRect
0x48f140 SetBkColor
0x48f144 CreatePen
0x48f148 CreateSolidBrush
0x48f14c StrokeAndFillPath
Library COMDLG32.dll:
0x48f0b8 GetOpenFileNameW
0x48f0bc GetSaveFileNameW
Library ADVAPI32.dll:
0x48f000 GetAce
0x48f004 RegEnumValueW
0x48f008 RegDeleteValueW
0x48f00c RegDeleteKeyW
0x48f010 RegEnumKeyExW
0x48f014 RegSetValueExW
0x48f018 RegOpenKeyExW
0x48f01c RegCloseKey
0x48f020 RegQueryValueExW
0x48f024 RegConnectRegistryW
0x48f02c InitializeAcl
0x48f034 OpenThreadToken
0x48f038 OpenProcessToken
0x48f040 DuplicateTokenEx
0x48f04c GetLengthSid
0x48f050 CopySid
0x48f054 LogonUserW
0x48f060 RegCreateKeyExW
0x48f064 FreeSid
0x48f068 GetTokenInformation
0x48f070 GetAclInformation
0x48f074 AddAce
0x48f07c GetUserNameW
Library SHELL32.dll:
0x48f48c DragQueryPoint
0x48f490 ShellExecuteExW
0x48f494 DragQueryFileW
0x48f498 SHEmptyRecycleBinW
0x48f4a0 SHBrowseForFolderW
0x48f4a4 SHCreateShellItem
0x48f4a8 SHGetDesktopFolder
0x48f4b0 SHGetFolderPathW
0x48f4b4 SHFileOperationW
0x48f4b8 ExtractIconExW
0x48f4bc Shell_NotifyIconW
0x48f4c0 ShellExecuteW
0x48f4c4 DragFinish
Library ole32.dll:
0x48f828 CoTaskMemAlloc
0x48f82c CoTaskMemFree
0x48f830 CLSIDFromString
0x48f834 ProgIDFromCLSID
0x48f838 CLSIDFromProgID
0x48f840 MkParseDisplayName
0x48f848 CoCreateInstance
0x48f84c IIDFromString
0x48f850 StringFromGUID2
0x48f858 OleInitialize
0x48f85c OleUninitialize
0x48f860 CoInitialize
0x48f864 CoUninitialize
0x48f870 CoGetObject
0x48f874 CoSetProxyBlanket
0x48f878 CoCreateInstanceEx
Library OLEAUT32.dll:
0x48f40c LoadTypeLibEx
0x48f410 VariantCopyInd
0x48f414 SysReAllocString
0x48f418 SysFreeString
0x48f428 SafeArrayAccessData
0x48f42c SafeArrayAllocData
0x48f438 RegisterTypeLib
0x48f43c CreateStdDispatch
0x48f440 DispCallFunc
0x48f444 VariantChangeType
0x48f448 SysStringLen
0x48f450 VarR8FromDec
0x48f454 SafeArrayGetVartype
0x48f458 VariantCopy
0x48f45c VariantClear
0x48f460 OleLoadPicture
0x48f470 UnRegisterTypeLib
0x48f474 CreateDispTypeInfo
0x48f478 SysAllocString
0x48f47c VariantInit

.text
`.rdata
@.data
.rsrc
@.reloc
GetNativeSystemInfo
kernel32.dll
[:>:]]
[:<:]]
bad allocation
CorExitProcess
RoInitialize
RoUninitialize
Unknown exception
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CreateEventExW
CreateSemaphoreExW
SetThreadStackGuarantee
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
FlushProcessWriteBuffers
FreeLibraryWhenCallbackReturns
GetCurrentProcessorNumber
GetLogicalProcessorInformation
CreateSymbolicLinkW
SetDefaultDllDirectories
EnumSystemLocalesEx
CompareStringEx
GetDateFormatEx
GetLocaleInfoEx
GetTimeFormatEx
GetUserDefaultLocaleName
IsValidLocaleName
LCMapStringEx
GetCurrentPackageId
GetTickCount64
GetFileInformationByHandleExW
SetFileInformationByHandleW
log10
atan2
floor
ldexp
_cabs
_hypot
frexp
_logb
_nextafter
(null)
exp10
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
MessageBoxW
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationW
GetProcessWindowStation
e+000
CreateFile2
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`RTTI
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
1#SNAN
1#IND
1#INF
1#QNAN
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
alpha
lower
upper
alnum
ascii
blank
cntrl
digit
graph
print
punct
space
xdigit
ACCEPT
COMMIT
PRUNE
no error
\ at end of pattern
\c at end of pattern
unrecognized character follows \
numbers out of order in {} quantifier
number too big in {} quantifier
missing terminating ] for character class
invalid escape sequence in character class
range out of order in character class
nothing to repeat
operand of unlimited repeat could match the empty string
internal error: unexpected repeat
unrecognized character after (? or (?-
POSIX named classes are supported only within a class
missing )
reference to non-existent subpattern
erroffset passed as NULL
unknown option bit(s) set
missing ) after comment
parentheses nested too deeply
regular expression is too large
failed to get memory
unmatched parentheses
internal error: code overflow
unrecognized character after (?<
lookbehind assertion is not fixed length
malformed number or name after (?(
conditional group contains more than two branches
assertion expected after (?(
(?R or (?[+-]digits must be followed by )
unknown POSIX class name
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
spare error
character value in \x{} or \o{} is too large
invalid condition (?(0)
\C not allowed in lookbehind assertion
PCRE does not support \L, \l, \N{name}, \U, or \u
number after (?C is > 255
closing ) for (?C expected
recursive call could loop indefinitely
unrecognized character after (?P
syntax error in subpattern name (missing terminator)
two named subpatterns have the same name
invalid UTF-8 string
support for \P, \p, and \X has not been compiled
malformed \P or \p sequence
unknown property name after \P or \p
subpattern name is too long (maximum 32 characters)
too many named subpatterns (maximum 10000)
repeated subpattern is too long
octal value is greater than \377 in 8-bit non-UTF-8 mode
internal error: overran compiling workspace
internal error: previously-checked referenced subpattern not found
DEFINE group contains more than one branch
repeating a DEFINE group is not allowed
inconsistent NEWLINE options
\g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number
a numbered reference must not be zero
an argument is not allowed for (*ACCEPT), (*FAIL), or (*COMMIT)
(*VERB) not recognized or malformed
number is too big
subpattern name expected
digit expected after (?+
] is an invalid data character in JavaScript compatibility mode
different names for subpatterns of the same number are not allowed
(*MARK) must have an argument
this version of PCRE is not compiled with Unicode property support
\c must be followed by an ASCII character
\k is not followed by a braced, angle-bracketed, or quoted name
internal error: unknown opcode in find_fixedlength()
\N is not supported in a class
too many forward references
disallowed Unicode code point (>= 0xd800 && <= 0xdfff)
invalid UTF-16 string
name is too long in (*MARK), (*PRUNE), (*SKIP), or (*THEN)
character value in \u.... sequence is too large
invalid UTF-32 string
setting UTF is disabled by the application
non-hex character in \x{} (closing brace missing?)
non-octal character in \o{} (closing brace missing?)
missing opening brace after \o
parentheses are too deeply nested
invalid range in character class
group name must start with a non-digit
parentheses are too deeply nested (stack check)
digits missing in \x{} or \o{}
Arabic
Armenian
Avestan
Balinese
Bamum
Bassa_Vah
Batak
Bengali
Bopomofo
Brahmi
Braille
Buginese
Buhid
Canadian_Aboriginal
Carian
Caucasian_Albanian
Chakma
Cherokee
Common
Coptic
Cuneiform
Cypriot
Cyrillic
Deseret
Devanagari
Duployan
Egyptian_Hieroglyphs
Elbasan
Ethiopic
Georgian
Glagolitic
Gothic
Grantha
Greek
Gujarati
Gurmukhi
Hangul
Hanunoo
Hebrew
Hiragana
Imperial_Aramaic
Inherited
Inscriptional_Pahlavi
Inscriptional_Parthian
Javanese
Kaithi
Kannada
Katakana
Kayah_Li
Kharoshthi
Khmer
Khojki
Khudawadi
Latin
Lepcha
Limbu
Linear_A
Linear_B
Lycian
Lydian
Mahajani
Malayalam
Mandaic
Manichaean
Meetei_Mayek
Mende_Kikakui
Meroitic_Cursive
Meroitic_Hieroglyphs
Mongolian
Myanmar
Nabataean
New_Tai_Lue
Ogham
Ol_Chiki
Old_Italic
Old_North_Arabian
Old_Permic
Old_Persian
Old_South_Arabian
Old_Turkic
Oriya
Osmanya
Pahawh_Hmong
Palmyrene
Pau_Cin_Hau
Phags_Pa
Phoenician
Psalter_Pahlavi
Rejang
Runic
Samaritan
Saurashtra
Sharada
Shavian
Siddham
Sinhala
Sora_Sompeng
Sundanese
Syloti_Nagri
Syriac
Tagalog
Tagbanwa
Tai_Le
Tai_Tham
Tai_Viet
Takri
Tamil
Telugu
Thaana
Tibetan
Tifinagh
Tirhuta
Ugaritic
Warang_Citi
This is a third-party compiled AutoIt script.
DllGetClassObject
GetModuleHandleExW
GetSystemWow64DirectoryW
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
DEFINE
UTF16)
NO_AUTO_POSSESS)
NO_START_OPT)
LIMIT_MATCH=
LIMIT_RECURSION=
CRLF)
ANYCRLF)
BSR_ANYCRLF)
BSR_UNICODE)
argument is not a compiled regular expression
argument not compiled in 16 bit mode
internal error: opcode not recognized
internal error: missing capturing bracket
failed to get memory
WSOCK32.dll
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
VERSION.dll
timeGetTime
mciSendStringW
waveOutSetVolume
WINMM.dll
InitCommonControlsEx
ImageList_Create
ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
COMCTL32.dll
WNetAddConnection2W
WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
MPR.dll
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetQueryDataAvailable
WININET.dll
GetProcessMemoryInfo
PSAPI.DLL
IcmpCreateFile
IcmpSendEcho
IcmpCloseHandle
IPHLPAPI.DLL
LoadUserProfileW
CreateEnvironmentBlock
UnloadUserProfile
DestroyEnvironmentBlock
USERENV.dll
IsThemeActive
UxTheme.dll
InterlockedIncrement
InterlockedDecrement
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
RaiseException
GetLastError
DecodePointer
lstrcmpiW
GetCurrentDirectoryW
IsDebuggerPresent
SetCurrentDirectoryW
GetFullPathNameW
CloseHandle
GetCurrentThread
GetCurrentProcess
DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
FindClose
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
KERNEL32.dll
DestroyIcon
MessageBoxA
GetForegroundWindow
GetSysColorBrush
LoadCursorW
LoadIconW
RegisterClassExW
CreateWindowExW
ShowWindow
SetTimer
RegisterWindowMessageW
CreatePopupMenu
KillTimer
PostQuitMessage
SetFocus
MoveWindow
DefWindowProcW
MessageBoxW
GetUserObjectSecurity
OpenWindowStationW
GetProcessWindowStation
SetProcessWindowStation
OpenDesktopW
CloseWindowStation
CloseDesktop
SetUserObjectSecurity
GetWindowRect
PostMessageW
MapVirtualKeyW
SendMessageW
GetDlgCtrlID
GetParent
GetClassNameW
CharUpperBuffW
EnumChildWindows
SendMessageTimeoutW
ScreenToClient
GetWindowTextW
GetFocus
AttachThreadInput
GetWindowThreadProcessId
GetWindowLongW
InvalidateRect
EnableWindow
IsWindowVisible
IsWindowEnabled
IsWindow
GetDesktopWindow
EnumWindows
DestroyWindow
GetMenu
GetClientRect
BeginPaint
EndPaint
GetDC
ReleaseDC
CopyRect
SetWindowTextW
GetDlgItem
SendDlgItemMessageW
EndDialog
MessageBeep
DialogBoxParamW
LoadStringW
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
SendInput
keybd_event
SystemParametersInfoW
FindWindowW
IsIconic
SetForegroundWindow
GetMenuItemInfoW
SetMenuItemInfoW
GetMenuItemCount
GetMenuItemID
CheckMenuRadioItem
DeleteMenu
GetCursorPos
TrackPopupMenuEx
IsMenu
InsertMenuItemW
SetMenuDefaultItem
EnumThreadWindows
FindWindowExW
SetActiveWindow
ExitWindowsEx
mouse_event
CreateIconFromResourceEx
LoadImageW
MonitorFromRect
CharLowerBuffW
UnregisterHotKey
PeekMessageW
TranslateMessage
DispatchMessageW
LockWindowUpdate
GetMessageW
BlockInput
OpenClipboard
IsClipboardFormatAvailable
GetClipboardData
CloseClipboard
CountClipboardFormats
EmptyClipboard
SetClipboardData
SetRect
AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
USER32.dll
GetDeviceCaps
DeleteObject
GetTextExtentPoint32W
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
CreateSolidBrush
CreatePen
SetBkColor
RoundRect
SetBkMode
GetObjectW
SetViewportOrgEx
Rectangle
BeginPath
PolyDraw
Ellipse
MoveToEx
AngleArc
LineTo
CloseFigure
SetPixel
EndPath
StrokePath
StrokeAndFillPath
ExtCreatePen
GDI32.dll
GetOpenFileNameW
GetSaveFileNameW
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
GetAce
AddAce
SetSecurityDescriptorDacl
InitiateSystemShutdownExW
GetUserNameW
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumValueW
ADVAPI32.dll
ShellExecuteW
Shell_NotifyIconW
ExtractIconExW
SHFileOperationW
SHGetFolderPathW
SHGetSpecialFolderLocation
SHGetDesktopFolder
SHCreateShellItem
SHBrowseForFolderW
SHGetPathFromIDListW
SHEmptyRecycleBinW
DragQueryFileW
ShellExecuteExW
DragQueryPoint
DragFinish
SHELL32.dll
CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoInitializeSecurity
CoCreateInstanceEx
CoSetProxyBlanket
ole32.dll
OLEAUT32.dll
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
SetEnvironmentVariableA
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
AU3!P/I
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
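The strings above are the import table and runtime text of the AutoIt interpreter that a compiled AutoIt script is bundled with (note the "This is a third-party compiled AutoIt script." message and the "AU3!" marker). The WININET, process-memory (OpenProcess / VirtualAllocEx / WriteProcessMemory), BlockInput, clipboard and LogonUserW imports therefore describe what the interpreter can do, not what this sample's embedded script actually does; the script itself has to be extracted to settle that. The Python below is an added example, not part of the CAPE report or of AutoIt: it parses a flat strings dump of this kind, reconstructs imports per DLL from the "function names followed by the DLL name" layout, flags the AutoIt markers, and buckets the imports into capability labels. The sample input is a constructed excerpt of the strings shown above; the capability labels and their API sets are the example's own, not a CAPE signature.

```python
"""Triage a flat `strings` dump of a PE, as shown in the CAPE report above.

Added example; not part of the CAPE report or of AutoIt. In a strings dump
the import name table appears as a run of function names followed by the
name of the DLL that exports them ("InternetReadFile", then "WININET.dll").
Walking the dump and flushing the pending run at each *.dll line recovers
a per-module import list. Two caveats, both visible in the report above:
a bare DLL-name string used with LoadLibrary/GetProcAddress (the lone
"advapi32.dll") also terminates a run, and a compiled AutoIt binary's
imports belong to the bundled interpreter, so they bound what the embedded
script could do rather than describe what it does.
"""
import re
from collections import OrderedDict

# Constructed sample: an excerpt of the report's strings, in original order.
SAMPLE_DUMP = """\
This is a third-party compiled AutoIt script.
InternetOpenW
InternetReadFile
WININET.dll
IsDebuggerPresent
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateProcessW
KERNEL32.dll
BlockInput
keybd_event
GetClipboardData
USER32.dll
LogonUserW
CreateProcessWithLogonW
ADVAPI32.dll
AU3!P/I
"""

DLL_RE = re.compile(r"^[A-Za-z0-9_]+\.dll$", re.IGNORECASE)
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Both markers occur in this report's strings: "AU3!" is the signature that
# AutoIt script extractors look for, the sentence is the runtime's error text.
AUTOIT_MARKERS = ("AU3!", "This is a third-party compiled AutoIt script.")

# Hypothetical analyst-defined buckets; the labels and sets are this example's own.
CAPABILITIES = {
    "process-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                          "ReadProcessMemory", "CreateProcessW", "ResumeThread"},
    "anti-debug": {"IsDebuggerPresent"},
    "http-client": {"InternetOpenW", "InternetConnectW", "HttpOpenRequestW",
                    "HttpSendRequestW", "InternetReadFile"},
    "input-hijack": {"BlockInput", "keybd_event", "mouse_event", "SendInput"},
    "clipboard": {"GetClipboardData", "SetClipboardData"},
    "credential-use": {"LogonUserW", "CreateProcessWithLogonW", "CreateProcessAsUserW"},
}


def parse_imports(dump):
    """Map lower-cased DLL name -> the identifier run that preceded it."""
    imports = OrderedDict()
    pending = []
    for raw in dump.splitlines():
        s = raw.strip()
        if not s:
            continue
        if DLL_RE.match(s):
            imports.setdefault(s.lower(), []).extend(pending)
            pending = []
        elif IDENT_RE.match(s):
            pending.append(s)
        else:
            # Any non-identifier string (message text, byte garbage) breaks
            # the run; identifiers before it are not part of an import list.
            pending = []
    return imports


def is_compiled_autoit(dump):
    """True if any AutoIt runtime marker string is present in the dump."""
    return any(m in dump for m in AUTOIT_MARKERS)


def capabilities(imports):
    """Bucket every imported name into the capability sets it belongs to."""
    names = {fn for fns in imports.values() for fn in fns}
    hits = {}
    for label, apis in CAPABILITIES.items():
        matched = sorted(names & apis)
        if matched:
            hits[label] = matched
    return hits


def triage(dump):
    """Combine the three checks into one report dictionary."""
    imports = parse_imports(dump)
    return {
        "autoit": is_compiled_autoit(dump),
        "imports": imports,
        "capabilities": capabilities(imports),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    print("compiled AutoIt:", result["autoit"])
    for dll, fns in result["imports"].items():
        print(f"{dll}: {', '.join(fns)}")
    for label, fns in result["capabilities"].items():
        print(f"[{label}] {', '.join(fns)}")
```

Run it against the full strings output of the report (for example `strings -n 5 sample.exe`) rather than the excerpt; because a standalone DLL-name string also closes a run, confirm anything surprising against the PE import directory (pefile, or CAPE's own static section) before treating it as an imported function.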
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwx
_>=(a
2fT)L
Ct-4a
X0_k0
1Ke^R
9+>\{XWL
KWC:p
:'|II
kfdC6
c!*Pf
-}48+
>vTAU3!EA06PA
PPADDINGXXPADDINGPADDINGXXPADDING
;|<%>,>k?
:I<|<
=(?/?K?R?
=5>S>]>
>N?j?r?
>">(>L>t>
> ?(?/?
3(3]3z3r4
=I?Y?e?
?'?1?
>L?l?
?"?&?
<$=4=8=<=
?L?P?T?X?\?`?
<"<&<
3 3(30383@3
? ?$?(?,?0?
6H7L7
This file is not on VirusTotal.

Process Tree


201907060947039062.exe, PID: 1332, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2376, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2876, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2032, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 3032, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2764, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 1092, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2848, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 1672, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 544, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2348, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2896, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2128, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2944, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2780, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2112, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 1428, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2608, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2952, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 1512, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2756, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2940, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2784, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 576, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 1116, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2296, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2628, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 1776, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 1924, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 560, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2904, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2680, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 924, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2612, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 1676, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2416, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2792, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2404, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2916, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2472, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2660, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2120, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2424, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 3064, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2396, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201907060947039062.exe, PID: 2260, Parent PID: 1332
Full Path: C:\Users\user\AppData\Local\Temp\201907060947039062.exe
Command Line: "C:\Users\user\AppData\Local\Temp\201907060947039062.exe"
201