Analysis

Category: FILE
Package: exe
Started: 2019-08-13 21:29:02
Completed: 2019-08-13 21:29:50
Duration: 48 seconds

Options:
procmemdump = 1
import_reconstruction = 1
procdump = 1
route = internet

Log:
2019-08-13 22:29:02,000 [root] INFO: Date set to: 08-13-19, time set to: 21:29:02, timeout set to: 200
2019-08-13 22:29:02,015 [root] DEBUG: Starting analyzer from: C:\wherurmpn
2019-08-13 22:29:02,015 [root] DEBUG: Storing results at: C:\aCeeOitcHo
2019-08-13 22:29:02,015 [root] DEBUG: Pipe server name: \\.\PIPE\spCkZuJ
2019-08-13 22:29:02,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-08-13 22:29:02,015 [root] INFO: Automatically selected analysis package "exe"
2019-08-13 22:29:02,390 [root] DEBUG: Started auxiliary module Browser
2019-08-13 22:29:02,390 [root] DEBUG: Started auxiliary module Curtain
2019-08-13 22:29:02,390 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-13 22:29:02,858 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-08-13 22:29:02,858 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-13 22:29:02,858 [root] DEBUG: Started auxiliary module DigiSig
2019-08-13 22:29:02,858 [root] DEBUG: Started auxiliary module Disguise
2019-08-13 22:29:02,858 [root] DEBUG: Started auxiliary module Human
2019-08-13 22:29:02,858 [root] DEBUG: Started auxiliary module Screenshots
2019-08-13 22:29:02,872 [root] DEBUG: Started auxiliary module Sysmon
2019-08-13 22:29:02,872 [root] DEBUG: Started auxiliary module Usage
2019-08-13 22:29:02,872 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-08-13 22:29:02,872 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-08-13 22:29:02,888 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe" with arguments "" with pid 264
2019-08-13 22:29:02,888 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 22:29:02,888 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 22:29:02,888 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:29:02,888 [lib.api.process] INFO: 32-bit DLL to inject is C:\wherurmpn\dll\NEldtcbQ.dll, loader C:\wherurmpn\bin\YsfDLTv.exe
2019-08-13 22:29:02,904 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\spCkZuJ.
2019-08-13 22:29:02,904 [root] DEBUG: Loader: Injecting process 264 (thread 1988) with C:\wherurmpn\dll\NEldtcbQ.dll.
2019-08-13 22:29:02,904 [root] DEBUG: Process image base: 0x00400000
2019-08-13 22:29:02,904 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wherurmpn\dll\NEldtcbQ.dll.
2019-08-13 22:29:02,904 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00415000 - 0x77110000
2019-08-13 22:29:02,904 [root] DEBUG: InjectDllViaIAT: Allocated 0xa24 bytes for new import table at 0x00420000.
2019-08-13 22:29:02,904 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:29:02,904 [root] DEBUG: Successfully injected DLL C:\wherurmpn\dll\NEldtcbQ.dll.
2019-08-13 22:29:02,904 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 264
2019-08-13 22:29:04,917 [lib.api.process] INFO: Successfully resumed process with pid 264
2019-08-13 22:29:04,917 [root] INFO: Added new process to list with pid: 264
2019-08-13 22:29:04,917 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:29:04,917 [root] DEBUG: Full process memory dumps enabled.
2019-08-13 22:29:04,917 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 22:29:04,917 [root] DEBUG: Process dumps enabled.
2019-08-13 22:29:04,963 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:29:04,963 [root] INFO: Disabling sleep skipping.
2019-08-13 22:29:04,963 [root] INFO: Disabling sleep skipping.
2019-08-13 22:29:04,963 [root] INFO: Disabling sleep skipping.
2019-08-13 22:29:04,963 [root] INFO: Disabling sleep skipping.
2019-08-13 22:29:04,963 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 264 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-08-13 22:29:04,963 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe".
2019-08-13 22:29:04,963 [root] INFO: Monitor successfully loaded in process with pid 264.
2019-08-13 22:29:04,979 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 22:29:05,026 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2348
2019-08-13 22:29:05,026 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 22:29:05,026 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 22:29:05,026 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:29:05,026 [lib.api.process] INFO: 32-bit DLL to inject is C:\wherurmpn\dll\NEldtcbQ.dll, loader C:\wherurmpn\bin\YsfDLTv.exe
2019-08-13 22:29:05,026 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\spCkZuJ.
2019-08-13 22:29:05,026 [root] DEBUG: Loader: Injecting process 2348 (thread 1360) with C:\wherurmpn\dll\NEldtcbQ.dll.
2019-08-13 22:29:05,026 [root] DEBUG: Process image base: 0x4A660000
2019-08-13 22:29:05,026 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wherurmpn\dll\NEldtcbQ.dll.
2019-08-13 22:29:05,026 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x4A6AC000 - 0x77110000
2019-08-13 22:29:05,026 [root] DEBUG: InjectDllViaIAT: Allocated 0x1a0 bytes for new import table at 0x4A6B0000.
2019-08-13 22:29:05,026 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:29:05,026 [root] DEBUG: Successfully injected DLL C:\wherurmpn\dll\NEldtcbQ.dll.
2019-08-13 22:29:05,026 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2348
2019-08-13 22:29:05,042 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:29:05,042 [root] DEBUG: Full process memory dumps enabled.
2019-08-13 22:29:05,042 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 22:29:05,042 [root] DEBUG: Process dumps enabled.
2019-08-13 22:29:05,042 [root] INFO: Disabling sleep skipping.
2019-08-13 22:29:05,042 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:29:05,042 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2348 at 0x747e0000, image base 0x4a660000, stack from 0x2b3000-0x3b0000
2019-08-13 22:29:05,042 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd.exe \c ""C:\Users\user\AppData\Local\Temp\264XNOJ7.bat" "C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe" ".
2019-08-13 22:29:05,042 [root] INFO: Added new process to list with pid: 2348
2019-08-13 22:29:05,042 [root] INFO: Monitor successfully loaded in process with pid 2348.
2019-08-13 22:29:05,056 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2348
2019-08-13 22:29:05,056 [root] DEBUG: GetHookCallerBase: thread 1360 (handle 0x0), return address 0x4A667302, allocation base 0x4A660000.
2019-08-13 22:29:05,072 [root] DEBUG: DoProcessDump: Created dump file for full process memory dump: C:\aCeeOitcHo\memory\2348.dmp.
2019-08-13 22:29:05,119 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x4A660000.
2019-08-13 22:29:05,119 [root] DEBUG: ApiReader: module list size: 19
2019-08-13 22:29:05,119 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,119 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,119 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,119 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,119 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,119 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,119 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,119 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,119 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,119 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,134 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,151 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,165 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,181 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,181 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,181 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\lpk.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\lpk.dll
2019-08-13 22:29:05,181 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\usp10.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\usp10.dll
2019-08-13 22:29:05,181 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\msvcrt.dll
2019-08-13 22:29:05,181 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\msvcrt.dll
2019-08-13 22:29:05,181 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\advapi32.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\advapi32.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,197 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\sechost.dll
2019-08-13 22:29:05,213 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\sechost.dll
2019-08-13 22:29:05,213 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\rpcrt4.dll
2019-08-13 22:29:05,213 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\rpcrt4.dll
2019-08-13 22:29:05,213 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\rpcrt4.dll
2019-08-13 22:29:05,213 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\rpcrt4.dll
2019-08-13 22:29:05,213 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\rpcrt4.dll
2019-08-13 22:29:05,213 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\sspicli.dll
2019-08-13 22:29:05,213 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\sspicli.dll
2019-08-13 22:29:05,213 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\cryptbase.dll
2019-08-13 22:29:05,213 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\cryptbase.dll
2019-08-13 22:29:05,213 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\ole32.dll
2019-08-13 22:29:05,213 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ole32.dll
2019-08-13 22:29:05,213 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\shlwapi.dll
2019-08-13 22:29:05,213 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\shlwapi.dll
2019-08-13 22:29:05,213 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,229 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,243 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,259 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,276 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:05,290 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\psapi.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\psapi.dll
2019-08-13 22:29:05,290 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\winbrand.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\winbrand.dll
2019-08-13 22:29:05,290 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\imm32.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\imm32.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:05,290 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\msctf.dll
2019-08-13 22:29:05,290 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\msctf.dll
2019-08-13 22:29:05,290 [root] DEBUG: DumpProcessFixImports: Instantiating PeParser with address: 0x4A660000
2019-08-13 22:29:05,290 [root] DEBUG: DumpProcessFixImports: Module entry point VA is 0x4A66829A
2019-08-13 22:29:05,306 [root] DEBUG: Module image dump success
2019-08-13 22:29:05,306 [root] DEBUG: DumpProcessFixImports: Found IAT - 0x4a660ffc, size: 0x3a4
2019-08-13 22:29:05,306 [root] DEBUG: IAT parsing finished, found 229 valid APIs, missed 0 APIs
2019-08-13 22:29:05,306 [root] DEBUG: Adding module to module list: msvcrt.dll
2019-08-13 22:29:05,306 [root] DEBUG: Adding module to module list: ntdll.dll
2019-08-13 22:29:05,306 [root] DEBUG: Adding module to module list: kernel32.dll
2019-08-13 22:29:05,306 [root] DEBUG: Adding module to module list: winbrand.dll
2019-08-13 22:29:05,306 [root] DEBUG: Warning - IAT is not inside the PE image, requires rebasing.
2019-08-13 22:29:05,306 [root] DEBUG: Invalid PE file: import table rebuild failed.
2019-08-13 22:29:05,306 [root] DEBUG: Import table rebuild failed, falling back to unfixed dump.
2019-08-13 22:29:05,322 [root] INFO: Added new CAPE file to list with path: C:\aCeeOitcHo\CAPE\2348_188617222549614382019
2019-08-13 22:29:05,540 [root] DEBUG: DoProcessDump: Full process memory dump saved to file: C:\aCeeOitcHo\memory\2348.dmp.
2019-08-13 22:29:05,540 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 22:29:05,540 [root] INFO: Notified of termination of process with pid 2348.
2019-08-13 22:29:05,555 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 264
2019-08-13 22:29:05,572 [root] DEBUG: GetHookCallerBase: thread 1988 (handle 0x0), return address 0x00404001, allocation base 0x00400000.
2019-08-13 22:29:05,572 [root] DEBUG: DoProcessDump: Created dump file for full process memory dump: C:\aCeeOitcHo\memory\264.dmp.
2019-08-13 22:29:05,588 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 22:29:05,602 [root] DEBUG: ApiReader: module list size: 20
2019-08-13 22:29:05,602 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,602 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,602 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,618 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:05,618 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,634 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,634 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,634 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,634 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,634 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,634 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,634 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,634 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,665 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,711 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,711 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,711 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,727 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,727 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,743 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,743 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,743 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,743 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,743 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,743 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,743 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,759 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,759 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,759 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,775 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,789 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,789 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,789 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,789 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,805 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,822 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,822 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,822 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,822 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,822 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,822 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,822 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,836 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-08-13 22:29:05,930 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll
2019-08-13 22:29:05,930 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll
2019-08-13 22:29:05,961 [lib.api.process] WARNING: Upload of memory dump for process 2348 failed.
2019-08-13 22:29:05,961 [root] INFO: Process with pid 2348 has terminated
2019-08-13 22:29:06,101 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:06,101 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:06,101 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:06,101 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:06,101 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\lpk.dll
2019-08-13 22:29:06,118 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\lpk.dll
2019-08-13 22:29:06,118 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\usp10.dll
2019-08-13 22:29:06,148 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\usp10.dll
2019-08-13 22:29:06,164 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\msvcrt.dll
2019-08-13 22:29:06,180 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\msvcrt.dll
2019-08-13 22:29:06,180 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\advapi32.dll
2019-08-13 22:29:06,180 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\advapi32.dll
2019-08-13 22:29:06,382 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\sechost.dll
2019-08-13 22:29:06,382 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\sechost.dll
2019-08-13 22:29:06,382 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\rpcrt4.dll
2019-08-13 22:29:06,382 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\rpcrt4.dll
2019-08-13 22:29:06,414 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\sspicli.dll
2019-08-13 22:29:06,414 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\sspicli.dll
2019-08-13 22:29:06,414 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\cryptbase.dll
2019-08-13 22:29:06,414 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\cryptbase.dll
2019-08-13 22:29:06,414 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\ole32.dll
2019-08-13 22:29:06,430 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ole32.dll
2019-08-13 22:29:06,430 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\shlwapi.dll
2019-08-13 22:29:06,430 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\shlwapi.dll
2019-08-13 22:29:06,539 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,115 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,115 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,115 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,131 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,131 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,131 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,131 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,131 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,148 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,148 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,148 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,148 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,148 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,163 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,163 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,178 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,178 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,210 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,210 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,210 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,210 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,210 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,256 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,256 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,256 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,303 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,303 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,303 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,303 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,349 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,349 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-08-13 22:29:07,349 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll
2019-08-13 22:29:07,349 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\psapi.dll
2019-08-13 22:29:07,397 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\psapi.dll
2019-08-13 22:29:07,397 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\oleaut32.dll
2019-08-13 22:29:07,397 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\oleaut32.dll
2019-08-13 22:29:07,397 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\imm32.dll
2019-08-13 22:29:07,397 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\imm32.dll
2019-08-13 22:29:07,397 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\user32.dll
2019-08-13 22:29:07,427 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\msctf.dll
2019-08-13 22:29:07,427 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\msctf.dll
2019-08-13 22:29:07,427 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\apphelp.dll
2019-08-13 22:29:07,427 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\apphelp.dll
2019-08-13 22:29:07,444 [root] DEBUG: DumpProcessFixImports: Instantiating PeParser with address: 0x00400000
2019-08-13 22:29:07,444 [root] DEBUG: DumpProcessFixImports: Module entry point VA is 0x0040913C
2019-08-13 22:29:07,444 [root] DEBUG: Module image dump success
2019-08-13 22:29:07,444 [root] DEBUG: DumpProcessFixImports: Found IAT - 0x41009c, size: 0x2b0
2019-08-13 22:29:07,444 [root] DEBUG: parseIAT :: API not found 0001035E
2019-08-13 22:29:07,444 [root] DEBUG: parseIAT :: API not found 0001037C
2019-08-13 22:29:07,444 [root] DEBUG: parseIAT :: API not found 00010390
2019-08-13 22:29:07,444 [root] DEBUG: parseIAT :: API not found 000103A0
2019-08-13 22:29:07,444 [root] DEBUG: parseIAT :: API not found 000103BA
2019-08-13 22:29:07,444 [root] DEBUG: parseIAT :: API not found 000103CC
2019-08-13 22:29:07,444 [root] DEBUG: parseIAT :: API not found 000103DC
2019-08-13 22:29:07,444 [root] DEBUG: parseIAT :: API not found 000103EA
2019-08-13 22:29:07,490 [root] DEBUG: parseIAT :: API not found 000103F8
2019-08-13 22:29:07,506 [root] DEBUG: parseIAT :: API not found 00010412
2019-08-13 22:29:07,538 [root] DEBUG: parseIAT :: API not found 0001041C
2019-08-13 22:29:07,538 [root] DEBUG: parseIAT :: API not found 00010424
2019-08-13 22:29:07,538 [root] DEBUG: parseIAT :: API not found 00010432
2019-08-13 22:29:07,538 [root] DEBUG: parseIAT :: API not found 00010442
2019-08-13 22:29:07,538 [root] DEBUG: parseIAT :: API not found 00010452
2019-08-13 22:29:07,538 [root] DEBUG: parseIAT :: API not found 0001046C
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 00010482
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 00010492
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 000104A8
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 000104B4
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 000104C0
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 000104D2
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 000104E4
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 000104F6
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 00010508
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 0001051C
2019-08-13 22:29:07,552 [root] DEBUG: parseIAT :: API not found 00010532
2019-08-13 22:29:07,569 [root] DEBUG: parseIAT :: API not found 00010544
2019-08-13 22:29:07,569 [root] DEBUG: parseIAT :: API not found 00010556
2019-08-13 22:29:07,569 [root] DEBUG: parseIAT :: API not found 00010564
2019-08-13 22:29:07,569 [root] DEBUG: parseIAT :: API not found 00010576
2019-08-13 22:29:07,569 [root] DEBUG: parseIAT :: API not found 00010582
2019-08-13 22:29:07,569 [root] DEBUG: parseIAT :: API not found 00010590
2019-08-13 22:29:07,569 [root] DEBUG: parseIAT :: API not found 0001059C
2019-08-13 22:29:07,569 [root] DEBUG: parseIAT :: API not found 000105B8
2019-08-13 22:29:07,584 [root] DEBUG: parseIAT :: API not found 000105C4
2019-08-13 22:29:07,599 [root] DEBUG: parseIAT :: API not found 000105D6
2019-08-13 22:29:07,599 [root] DEBUG: parseIAT :: API not found 000105F4
2019-08-13 22:29:07,599 [root] DEBUG: parseIAT :: API not found 00010602
2019-08-13 22:29:07,615 [root] DEBUG: parseIAT :: API not found 00010610
2019-08-13 22:29:07,631 [root] DEBUG: parseIAT :: API not found 0001061E
2019-08-13 22:29:07,647 [root] DEBUG: parseIAT :: API not found 0001063E
2019-08-13 22:29:07,661 [root] DEBUG: parseIAT :: API not found 0001064C
2019-08-13 22:29:07,677 [root] DEBUG: parseIAT :: API not found 0001065A
2019-08-13 22:29:07,677 [root] DEBUG: parseIAT :: API not found 0001066E
2019-08-13 22:29:07,677 [root] DEBUG: parseIAT :: API not found 0001067A
2019-08-13 22:29:07,677 [root] DEBUG: parseIAT :: API not found 00010686
2019-08-13 22:29:07,677 [root] DEBUG: parseIAT :: API not found 000106A2
2019-08-13 22:29:07,694 [root] DEBUG: parseIAT :: API not found 000106AE
2019-08-13 22:29:07,694 [root] DEBUG: parseIAT :: API not found 000106C4
2019-08-13 22:29:07,694 [root] DEBUG: parseIAT :: API not found 000106D4
2019-08-13 22:29:07,694 [root] DEBUG: parseIAT :: API not found 000106E6
2019-08-13 22:29:07,709 [root] DEBUG: parseIAT :: API not found 000106FC
2019-08-13 22:29:07,709 [root] DEBUG: parseIAT :: API not found 00010716
2019-08-13 22:29:07,709 [root] DEBUG: parseIAT :: API not found 00010726
2019-08-13 22:29:07,724 [root] DEBUG: parseIAT :: API not found 00010736
2019-08-13 22:29:07,740 [root] DEBUG: parseIAT :: API not found 0001074E
2019-08-13 22:29:07,756 [root] DEBUG: parseIAT :: API not found 0001075E
2019-08-13 22:29:07,756 [root] DEBUG: parseIAT :: API not found 00010770
2019-08-13 22:29:07,772 [root] DEBUG: parseIAT :: API not found 00010780
2019-08-13 22:29:07,786 [root] DEBUG: parseIAT :: API not found 00010792
2019-08-13 22:29:07,786 [root] DEBUG: parseIAT :: API not found 000107A6
2019-08-13 22:29:07,786 [root] DEBUG: parseIAT :: API not found 000107BC
2019-08-13 22:29:07,786 [root] DEBUG: parseIAT :: API not found 000107CE
2019-08-13 22:29:07,786 [root] DEBUG: parseIAT :: API not found 000107E2
2019-08-13 22:29:07,802 [root] DEBUG: parseIAT :: API not found 000107F8
2019-08-13 22:29:07,802 [root] DEBUG: parseIAT :: API not found 0001080E
2019-08-13 22:29:07,802 [root] DEBUG: parseIAT :: API not found 00010828
2019-08-13 22:29:07,802 [root] DEBUG: parseIAT :: API not found 0001083C
2019-08-13 22:29:07,802 [root] DEBUG: parseIAT :: API not found 00010852
2019-08-13 22:29:07,802 [root] DEBUG: parseIAT :: API not found 00010864
2019-08-13 22:29:07,802 [root] DEBUG: parseIAT :: API not found 00010870
2019-08-13 22:29:07,818 [root] DEBUG: parseIAT :: API not found 00010880
2019-08-13 22:29:07,818 [root] DEBUG: parseIAT :: API not found 0001088E
2019-08-13 22:29:07,818 [root] DEBUG: parseIAT :: API not found 0001089E
2019-08-13 22:29:07,818 [root] DEBUG: parseIAT :: API not found 000108B2
2019-08-13 22:29:07,818 [root] DEBUG: parseIAT :: API not found 000108C0
2019-08-13 22:29:07,818 [root] DEBUG: parseIAT :: API not found 000108D2
2019-08-13 22:29:07,818 [root] DEBUG: parseIAT :: API not found 000108E0
2019-08-13 22:29:07,818 [root] DEBUG: IAT parsing finished, found 79 valid APIs, missed 79 APIs
2019-08-13 22:29:07,818 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,818 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,818 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,834 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,834 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,834 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,834 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,834 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,849 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,865 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,865 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,865 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,895 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,895 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,943 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,959 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,959 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,990 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,990 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,990 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:07,990 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,006 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,006 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,006 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,020 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,020 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,036 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,036 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,084 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,084 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,084 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,098 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,098 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,098 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,098 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,115 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,115 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,115 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,115 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,115 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,115 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,161 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,161 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,161 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,161 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,161 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,161 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,161 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,161 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,161 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,161 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,177 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,177 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,177 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,177 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,177 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,177 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,177 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,177 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: API not found - added to module list.
2019-08-13 22:29:08,193 [root] DEBUG: Adding module to module list: oleaut32.dll
2019-08-13 22:29:08,193 [root] DEBUG: Adding module to module list: advapi32.dll
2019-08-13 22:29:08,193 [root] DEBUG: Adding module to module list: user32.dll
2019-08-13 22:29:08,193 [root] DEBUG: Adding module to module list: kernel32.dll
2019-08-13 22:29:08,193 [root] DEBUG: Adding module to module list: user32.dll
2019-08-13 22:29:08,193 [root] DEBUG: Adding module to module list: kernel32.dll
2019-08-13 22:29:08,193 [root] DEBUG: Warning - IAT is not inside the PE image, requires rebasing.
2019-08-13 22:29:08,193 [root] DEBUG: Invalid PE file: import table rebuild failed.
2019-08-13 22:29:08,207 [root] DEBUG: Import table rebuild failed, falling back to unfixed dump.
2019-08-13 22:29:08,207 [root] INFO: Added new CAPE file to list with path: C:\aCeeOitcHo\CAPE\264_1600875472849614382019
2019-08-13 22:29:08,286 [root] DEBUG: DoProcessDump: Full process memory dump saved to file: C:\aCeeOitcHo\memory\264.dmp.
2019-08-13 22:29:08,286 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 22:29:08,286 [root] INFO: Notified of termination of process with pid 264.
2019-08-13 22:29:09,596 [lib.api.process] WARNING: Upload of memory dump for process 264 failed.
2019-08-13 22:29:09,596 [root] INFO: Process with pid 264 has terminated
2019-08-13 22:29:25,821 [root] INFO: Process list is empty, terminating analysis.
2019-08-13 22:29:26,835 [root] INFO: Created shutdown mutex.
2019-08-13 22:29:27,848 [root] INFO: Shutting down package.
2019-08-13 22:29:27,848 [root] INFO: Stopping auxiliary modules.
2019-08-13 22:29:27,848 [root] INFO: Finishing auxiliary modules.
2019-08-13 22:29:27,848 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-13 22:29:27,848 [root] WARNING: File at path "C:\aCeeOitcHo\debugger" does not exist, skip.
2019-08-13 22:29:27,848 [root] INFO: Analysis completed.

MalScore

2.8

Suspicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-08-13 21:29:02 2019-08-13 21:29:49

File Details

File Name HKCU_Floor_Planning.exe
File Size 49664 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 035f4fa0b174e50b0504204955ef26ff
SHA1 d3fc21361ce89e1dd2c88eead0a8914289c87c59
SHA256 45eaa801f95e6562fa090e0a1e98d3faf3305691a59fa0236bfb674586445278
SHA512 ac013e74f57398d0252d2e6ea4769bb355d9bcd9dea32bcee6b4cd24bf4e6fbc8e833686730a9cb262313861a6969a7c57cebfa71eabed720026a9c0ff63b0ea
CRC32 9FF5667C
Ssdeep 768:sdpnF5/ija+1I+NYVawgYvCAvEZQ25AX94JosOy5upx/0LTWHiqZl84woTMeT8xg:sdJyqnvE3tJSbF0LiHiDxDGr
TrID
  • 42.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  • 19.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 13.5% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 6.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  • 6.0% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: HKCU_Floor_Planning.exe, PID 264
Uses Windows utilities for basic functionality
command: cmd.exe /c ""C:\Users\user\AppData\Local\Temp\264XNOJ7.bat" "C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe" "
Creates a hidden or system file
file: C:\Users\user\AppData\Local\Temp\264XNOJ7.bat

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.ENG
C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.ENG.DLL
C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.EN
C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.EN.DLL
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Local\Temp\264XNOJ7.bat
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\264XNOJ7.bat"
C:\Program Files (x86)\JDA\Intactix\Floor Planning\ProFloor.exe
C:\Users\user\AppData\Local\Temp\264XNOJ7.bat
C:\Users\user\AppData\Local\Temp\264XNOJ7.bat
C:\Users\user\AppData\Local\Temp\264XNOJ7.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_LOCAL_MACHINE\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
kernel32.dll.GetDiskFreeSpaceExA
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
cmd.exe /c ""C:\Users\user\AppData\Local\Temp\264XNOJ7.bat" "C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe" "

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x0040913c
Reported Checksum 0x00000000
Actual Checksum 0x0001835c
Minimum OS Version 4.0
Compile Time 2011-04-06 00:44:03
Import Hash 77abcad8d2a58839860bba9dc40f29e1

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00007ff8 0x00008000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.54
.itext 0x00009000 0x0000084c 0x00000a00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.33
.data 0x0000a000 0x00000af8 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.00
.bss 0x0000b000 0x00004a74 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00010000 0x000008ee 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.53
.tls 0x00011000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x00012000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.21
.reloc 0x00013000 0x00000ca4 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.32
.rsrc 0x00014000 0x00000d4c 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.68

Imports

Library oleaut32.dll:
0x4101f8 SysFreeString
Library advapi32.dll:
0x410200 RegQueryValueExA
0x410204 RegOpenKeyExA
0x410208 RegCloseKey
Library user32.dll:
0x410210 GetKeyboardType
0x410214 DestroyWindow
0x410218 LoadStringA
0x41021c MessageBoxA
0x410220 CharNextA
Library kernel32.dll:
0x410228 GetACP
0x41022c Sleep
0x410230 VirtualFree
0x410234 VirtualAlloc
0x410238 GetTickCount
0x410240 GetCurrentThreadId
0x410244 VirtualQuery
0x410248 WideCharToMultiByte
0x41024c lstrlenA
0x410250 lstrcpynA
0x410254 LoadLibraryExA
0x410258 GetThreadLocale
0x41025c GetStartupInfoA
0x410260 GetProcAddress
0x410264 GetModuleHandleA
0x410268 GetModuleFileNameA
0x41026c GetLocaleInfoA
0x410270 GetCommandLineA
0x410274 FreeLibrary
0x410278 FindFirstFileA
0x41027c FindClose
0x410280 ExitProcess
0x410284 WriteFile
0x41028c RtlUnwind
0x410290 RaiseException
0x410294 GetStdHandle
Library kernel32.dll:
0x41029c TlsSetValue
0x4102a0 TlsGetValue
0x4102a4 LocalAlloc
0x4102a8 GetModuleHandleA
Library user32.dll:
0x4102b0 MessageBoxA
0x4102b4 LoadStringA
0x4102b8 GetSystemMetrics
0x4102bc CharPrevA
0x4102c0 CharNextA
0x4102c4 CharToOemA
Library kernel32.dll:
0x4102cc WriteFile
0x4102d0 WaitForSingleObject
0x4102d4 VirtualQuery
0x4102d8 SizeofResource
0x4102dc SetFileAttributesA
0x4102e4 LockResource
0x4102e8 LoadResource
0x4102f0 GetVersionExA
0x4102f4 GetThreadLocale
0x4102f8 GetStdHandle
0x4102fc GetProcAddress
0x410300 GetModuleHandleA
0x410304 GetModuleFileNameA
0x410308 GetLocaleInfoA
0x41030c GetFullPathNameA
0x410310 GetFileAttributesA
0x410314 GetExitCodeProcess
0x41031c GetDiskFreeSpaceA
0x410320 GetCurrentProcessId
0x410324 GetCommandLineA
0x410328 GetCPInfo
0x41032c FreeResource
0x410330 FreeLibrary
0x410334 FindResourceA
0x410338 EnumCalendarInfoA
0x41033c DeleteFileA
0x410340 CreateProcessA
0x410344 CreateFileA
0x410348 CloseHandle

.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
2004, 2005 Pierre le Riche / Professional Software Development
An unexpected memory leak has occurred.
bytes:
Unknown
String
The sizes of unexpected leaked medium and large blocks are:
Unexpected Memory Leak
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
Uhc7@
Ph\9@
VWUUh0:@
Ph"<@
Uhu=@
kernel32.dll
GetLongPathNameA
Software\Borland\Locales
Software\Borland\Delphi\Locales
Uh0S@
USERPROFILE
UhQq@
D$LPj
Uh6w@
Uhk|@
Uh5}@
m/d/yy
mmmm d, yyyy
AMPM
AMPM
:mm:ss
kernel32.dll
GetDiskFreeSpaceExA
xftjsrjsuyhew353y45y3e4r
SCRIPT
cmdln
cmd.exe /c ""
Unregistered Version
Visit http://www.abyssmedia.com for more details about ordering.
Error
Runtime error at 00000000
oleaut32.dll
SysFreeString
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
user32.dll
GetKeyboardType
DestroyWindow
LoadStringA
MessageBoxA
CharNextA
kernel32.dll
GetACP
Sleep
VirtualFree
VirtualAlloc
GetTickCount
QueryPerformanceCounter
GetCurrentThreadId
VirtualQuery
WideCharToMultiByte
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
user32.dll
MessageBoxA
LoadStringA
GetSystemMetrics
CharPrevA
CharNextA
CharToOemA
kernel32.dll
WriteFile
WaitForSingleObject
VirtualQuery
SizeofResource
SetFileAttributesA
SetEnvironmentVariableA
LockResource
LoadResource
GetWindowsDirectoryA
GetVersionExA
GetThreadLocale
GetStdHandle
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetFullPathNameA
GetFileAttributesA
GetExitCodeProcess
GetEnvironmentVariableA
GetDiskFreeSpaceA
GetCurrentProcessId
GetCommandLineA
GetCPInfo
FreeResource
FreeLibrary
FindResourceA
EnumCalendarInfoA
DeleteFileA
CreateProcessA
CreateFileA
CloseHandle
Saturday
Write$Error creating variant or safe array)Variant or safe array index out of bounds
This file is not on VirusTotal.

Process Tree

  • HKCU_Floor_Planning.exe 264
    • cmd.exe 2348 cmd.exe /c ""C:\Users\user\AppData\Local\Temp\264XNOJ7.bat" "C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe" "

HKCU_Floor_Planning.exe, PID: 264, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe
Command Line: "C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe"
cmd.exe, PID: 2348, Parent PID: 264
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd.exe /c ""C:\Users\user\AppData\Local\Temp\264XNOJ7.bat" "C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe" "
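The child command line above has the shape cmd.exe /c ""script.bat" "args" ": cmd.exe strips the first and the last quote of the text after /c when that text starts with a quote and contains more than two quotes (documented in cmd /?), so what actually runs is "264XNOJ7.bat" "HKCU_Floor_Planning.exe", with the dropper's own path arriving as %1 (the dropped script discards it with @shift). Together with the resource, file, CreateProcessA/WaitForSingleObject and DeleteFileA imports and the abyssmedia.com string, this is the footprint of a batch-to-exe wrapper that unpacks its script to %TEMP% and runs it through cmd.exe. The detection below is an added example for this report, not a CAPE signature: it reproduces cmd's quote stripping, tokenizes the real command, and flags the Temp-to-Temp pattern. The event records are constructed from the process tree plus two benign baselines; the field names parent_image, image and command_line are assumptions to be mapped onto your own telemetry (for Sysmon event 1: ParentImage, Image, CommandLine). The batch file itself only imports HKCU .reg files for JDA Intactix Floor Planning when ProFloor.exe is installed, so treat a hit as a triage signal, not a verdict.

```python
"""Flag an executable in the user's Temp directory launching cmd.exe /c on a batch
file in the same directory, as in the process tree of this report.

Added example, not CAPE's own signature code. EVENTS is constructed; the field
names parent_image / image / command_line are assumptions.
"""
import ntpath
import re

USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_EXTENSIONS = {".bat", ".cmd"}

# cmd.exe (bare name or quoted full path) followed by /c or /k and the command text.
CMD_C_RE = re.compile(
    r'^\s*(?:"[^"]*cmd\.exe"|\S*cmd(?:\.exe)?)\s+/[ck]\s*(.*)$',
    re.IGNORECASE | re.DOTALL,
)


def strip_cmd_c_quotes(cmdline):
    """Return the text cmd.exe executes for 'cmd /c <text>', or the input unchanged
    if this is not a /c or /k invocation.

    cmd's rule: if the text after /c starts with a quote and has more than two
    quotes, the first and the last quote are removed and everything else is kept.
    The exactly-two-quotes case (a plain quoted executable) is kept as is here,
    which approximates cmd's extra conditions for that case.
    """
    m = CMD_C_RE.match(cmdline)
    if not m:
        return cmdline
    text = m.group(1)
    if text.startswith('"') and text.count('"') > 2:
        last = text.rfind('"')
        text = text[1:last] + text[last + 1:]
    return text.strip()


def split_args(command):
    """Tokenize a cmd.exe command string; quoted tokens yield their inner text."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command)]


def classify(event):
    """Return human-readable findings for one process-creation event."""
    parent, child, cmdline = event["parent_image"], event["image"], event["command_line"]
    findings = []
    if ntpath.basename(child).lower() != "cmd.exe":
        return findings
    command = strip_cmd_c_quotes(cmdline)
    if command == cmdline:
        return findings  # interactive cmd.exe, not a /c or /k invocation
    tokens = split_args(command)
    if not tokens:
        return findings
    script = tokens[0]
    if ntpath.splitext(script)[1].lower() in SCRIPT_EXTENSIONS and USER_TEMP_RE.search(script):
        findings.append(f"cmd.exe runs a batch script from the user's Temp directory: {script}")
    if USER_TEMP_RE.search(parent):
        findings.append(f"the parent executable itself runs from the user's Temp directory: {parent}")
    if any(ntpath.normcase(t) == ntpath.normcase(parent) for t in tokens[1:]):
        findings.append("the parent's own path is passed to the script as an argument")
    return findings


EVENTS = [
    {   # from this report's process tree (PID 264 -> PID 2348)
        "parent_image": r"C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe",
        "image": r"C:\Windows\SysWOW64\cmd.exe",
        "command_line": r'cmd.exe /c ""C:\Users\user\AppData\Local\Temp\264XNOJ7.bat" "C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe" "',
    },
    {   # constructed baseline: interactive shell opened from Explorer
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'"C:\Windows\System32\cmd.exe" ',
    },
    {   # constructed baseline: a build tool running a project batch file
        "parent_image": r"C:\Program Files\Tool\build.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c "C:\src\proj\build.bat"',
    },
]


def scan(events):
    """Map event index -> findings, for the events that produced any."""
    results = {}
    for i, event in enumerate(events):
        findings = classify(event)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for i, findings in scan(EVENTS).items():
        print(f"event {i}:")
        for finding in findings:
            print("  -", finding)
```

Only the event taken from the report produces findings (all three of them); the two baselines stay silent, which is the property to keep when porting this to a production rule.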

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No dropped Suricata extracted files.

JA3

No JA3 hashes found.

File name 264XNOJ7.bat
Associated Filenames
C:\Users\user\AppData\Local\Temp\264XNOJ7.bat
File Size 479 bytes
File Type ASCII text, with CRLF line terminators
MD5 77b80d54c161e01144e2ebc3a91e9394
SHA1 a3482406249834b306adf467e4c795c2ad40f7aa
SHA256 fdb45d50bdc39b78b241a785f880171fc88d2c4d038ef065513971a102d81338
CRC32 C15AA30E
Ssdeep 6:NtL8t56lPxik6sxH4Ek1t56lkKQ6PRpEEk1t56lkKQ6H5RpEEk1t56lkKQ6HEEkx:N18L6XAiU6XQk66XQiP66XQp6XQMusM
ClamAV None
Yara None matched
CAPE Yara None matched
Display Text
@shift
IF NOT EXIST "C:\Program Files (x86)\JDA\Intactix\Floor Planning\ProFloor.exe" GOTO EXIT
	GOTO TRUE

:TRUE
	regedit /s "C:\Program Files (x86)\JDA\Intactix\WAG files\hkcu_FP_floor_auth.reg"
	regedit /s "C:\Program Files (x86)\JDA\Intactix\WAG files\hkcu_FP_fusion_auth.reg"
	regedit /s "C:\Program Files (x86)\JDA\Intactix\WAG files\hkcu_FP_pilot_auth.reg"
	regedit /s "C:\Program Files (x86)\JDA\Intactix\WAG files\hkcu_FP_space_auth.reg"
	EXIT

:EXIT
	EXIT

No CAPE files.

Process Name cmd.exe
PID 2348
Dump Size 302592 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image (executable)
MD5 812752e69c3b86d12f995f34c586c8dd
SHA1 5db4157dfd583998c30673fea8024e3c8aa4c1ee
SHA256 1f708e681940b4d31b6240d3a75d76ab897ab52b8007774190bee147c9bea789
CRC32 6E1B2055
Ssdeep 3072:MGbVhOp3HOZOivhkPLH/WvRJ7YTkDGyvGEkRjyGez1c:ZbDOVO1WC37tvGEkRmt+
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 1f708e681940b4d31b6240d3a75d76ab897ab52b8007774190bee147c9bea789
Process Name HKCU_Floor_Planning.exe
PID 264
Dump Size 69632 bytes
Module Path C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe
Type PE image (executable)
MD5 e2615ece84dbe7829c0e4782181d2d5a
SHA1 68720f6909e5fc3fe325ae1707d1bf6d1ef4669e
SHA256 f3039adcf9d6fc98159498b35cabd1349595219305b0526358fe089b6687b669
CRC32 A1F483D3
Ssdeep 768:xdpnF5/ija+1I+NYVawgYvCAvEZQ25AX94JosOy5upx/0LTWHiq895Rn9Ndl6+Iv:xdJyqnvE3tJSbF0LiHiXX9NtxDG
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename f3039adcf9d6fc98159498b35cabd1349595219305b0526358fe089b6687b669

Full Dump Information

Process Name cmd.exe
Executable Path C:\Windows\SysWOW64\cmd.exe
Yara None matched

Address Space

Start End Size Protection PE
0x00010000 0x00031000 0x00021000 Mixed No
  0x00010000 0x00020000 0x00010000 RW
  0x00020000 0x00030000 0x00010000 RW
  0x00030000 0x00031000 0x00001000 R
0x00040000 0x00041000 0x00001000 R No
0x00050000 0x00054000 0x00004000 R No
0x00060000 0x00061000 0x00001000 R No
0x00070000 0x00071000 0x00001000 RW No
0x00080000 0x00086000 0x00006000 R No
0x00090000 0x00091000 0x00001000 RW No
0x000d9000 0x00147000 0x0006e000 Mixed No
  0x000d9000 0x000dc000 0x00003000 G
  0x000dc000 0x000e0000 0x00004000 RW
  0x000e0000 0x00147000 0x00067000 R
0x00150000 0x00151000 0x00001000 RW No
0x00160000 0x00161000 0x00001000 RW No
0x00170000 0x00171000 0x00001000 RW No
0x001cc000 0x001d0000 0x00004000 RW No
0x00230000 0x00247000 0x00017000 RW No
0x002b3000 0x003b0000 0x000fd000 RW No
0x003f3000 0x004f0000 0x000fd000 RW No
0x00500000 0x0053b000 0x0003b000 RW No
0x00600000 0x00605000 0x00005000 R No
0x00780000 0x00783000 0x00003000 R No
0x007c0000 0x007c7000 0x00007000 RW No
0x007d0000 0x00951000 0x00181000 R No
0x00960000 0x009a3000 0x00043000 R No
0x01d60000 0x01feb000 0x0028b000 R No
0x0202c000 0x02030000 0x00004000 RW No
0x02093000 0x02190000 0x000fd000 RW No
0x021e0000 0x021e1000 0x00001000 RW No
0x023ec000 0x0245c000 0x00070000 Mixed No
  0x023ec000 0x0245b000 0x0006f000 RW
  0x0245b000 0x0245c000 0x00001000 RWX
0x02569000 0x025e0000 0x00077000 Mixed No
  0x02569000 0x0256a000 0x00001000 RWX
  0x0256a000 0x0259d000 0x00033000 RW
  0x0259d000 0x025be000 0x00021000 RWX
  0x025be000 0x025dc000 0x0001e000 RW
  0x025dc000 0x025de000 0x00002000 RWX
  0x025de000 0x025e0000 0x00002000 RW

Full Dump Information

Process Name HKCU_Floor_Planning.exe
Executable Path C:\Users\user\AppData\Local\Temp\HKCU_Floor_Planning.exe
Yara None matched

Address Space

Start End Size Protection PE
0x00010000 0x00021000 0x00011000 Mixed No
  0x00010000 0x00020000 0x00010000 RW
  0x00020000 0x00021000 0x00001000 R
0x00030000 0x00031000 0x00001000 RW No
0x00040000 0x00041000 0x00001000 R No
0x00089000 0x00090000 0x00007000 Mixed No
  0x00089000 0x0008c000 0x00003000 G
  0x0008c000 0x00090000 0x00004000 RW
0x00185000 0x00194000 0x0000f000 Mixed No
  0x00185000 0x00186000 0x00001000 G
  0x00186000 0x00190000 0x0000a000 RW
  0x00190000 0x00194000 0x00004000 R
0x001a0000 0x001a1000 0x00001000 RW No
0x001b0000 0x00217000 0x00067000 R No
0x00220000 0x00221000 0x00001000 RW No
0x0026c000 0x00270000 0x00004000 RW No
0x002ac000 0x002b0000 0x00004000 RW No
0x002ec000 0x002f3000 0x00007000 RW No
  0x002ec000 0x002f0000 0x00004000 RW
  0x002f0000 0x002f3000 0x00003000 RW
0x00320000 0x00337000 0x00017000 RW No
0x003dc000 0x003e0000 0x00004000 RW No
0x00400000 0x00415000 0x00015000 Mixed Yes
  0x00400000 0x00401000 0x00001000 R
  0x00401000 0x0040a000 0x00009000 RX
  0x0040a000 0x00412000 0x00008000 RW
  0x00412000 0x00415000 0x00003000 R
0x0052c000 0x00530000 0x00004000 RW No
0x005a0000 0x006a5000 0x00105000 Mixed No
  0x005a0000 0x006a0000 0x00100000 RW
  0x006a0000 0x006a5000 0x00005000 R
0x00820000 0x00823000 0x00003000 R No
0x00830000 0x009b1000 0x00181000 R No
0x009c0000 0x00a03000 0x00043000 R No
0x01dc0000 0x01dc1000 0x00001000 RW No
0x01fcc000 0x0203c000 0x00070000 Mixed No
  0x01fcc000 0x0203b000 0x0006f000 RW
  0x0203b000 0x0203c000 0x00001000 RWX
0x02149000 0x021c0000 0x00077000 Mixed No
  0x02149000 0x0214a000 0x00001000 RWX
  0x0214a000 0x0217d000 0x00033000 RW
  0x0217d000 0x0219d000 0x00020000 RWX
  0x0219d000 0x021bc000 0x0001f000 RW
  0x021bc000 0x021bf000 0x00003000 RWX
  0x021bf000 0x021c0000 0x00001000 RW
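Both address-space listings above carry writable-and-executable (RWX) pages, and the only region marked as a PE image in the HKCU_Floor_Planning.exe dump is the 0x00400000 mapping, whose RX page is the sample's own .text. What an analyst wants from such a listing is the set of executable pages that do not belong to a mapped image, so the parser below, an added example for this report and not CAPE's own code, reads the rows, checks that each Size equals End minus Start, separates parent rows from their sub-ranges by containment, and flags RWX pages together with RX pages that lie outside any PE-image row. SAMPLE is constructed from rows of the HKCU_Floor_Planning.exe listing; the parser also accepts the raw CAPE row form with a trailing Download token. Note that the RWX pages sum to 0x25000 bytes in a near-identical layout in both the parent and the cmd.exe child, which is worth comparing against what the sandbox itself injects before attributing them to the sample; that comparison is an assumption to verify, not something this report establishes.

```python
"""Parse a CAPE 'Address Space' listing and flag executable regions.

Added example for this report; not CAPE's own code. SAMPLE is constructed from
rows of the HKCU_Floor_Planning.exe listing (Download column dropped).
"""
import re

# start, end, size, protection, then an optional PE column (parent rows only).
ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)(?:\s+(Yes|No))?\b",
    re.IGNORECASE,
)

SAMPLE = """\
Start End Size Protection PE
0x00400000 0x00415000 0x00015000 Mixed Yes
0x00400000 0x00401000 0x00001000 R
0x00401000 0x0040a000 0x00009000 RX
0x0040a000 0x00412000 0x00008000 RW
0x00412000 0x00415000 0x00003000 R
0x01fcc000 0x0203c000 0x00070000 Mixed No
0x01fcc000 0x0203b000 0x0006f000 RW
0x0203b000 0x0203c000 0x00001000 RWX
0x02149000 0x021c0000 0x00077000 Mixed No
0x02149000 0x0214a000 0x00001000 RWX
0x0214a000 0x0217d000 0x00033000 RW
0x0217d000 0x0219d000 0x00020000 RWX
0x0219d000 0x021bc000 0x0001f000 RW
0x021bc000 0x021bf000 0x00003000 RWX
0x021bf000 0x021c0000 0x00001000 RW
"""


def parse_regions(text):
    """One dict per table row; raises if a row's Size disagrees with End - Start."""
    regions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or text that is not a table row
        start, end, size = (int(v, 16) for v in m.group(1, 2, 3))
        if size != end - start:
            raise ValueError(f"size mismatch at {start:#x}: {size:#x} != {end - start:#x}")
        pe = m.group(5)
        regions.append({
            "start": start, "end": end, "size": size,
            "prot": m.group(4).upper(),
            "pe": None if pe is None else pe.lower() == "yes",
        })
    return regions


def leaves(regions):
    """Rows that contain no other row: sub-ranges, plus parents without children."""
    return [r for r in regions
            if not any(o is not r and r["start"] <= o["start"] and o["end"] <= r["end"]
                       for o in regions)]


def executable_leaves(regions):
    return [r for r in leaves(regions) if "X" in r["prot"]]


def suspicious(regions):
    """RWX pages anywhere, and RX pages outside every row marked as a PE image."""
    pe_images = [r for r in regions if r["pe"]]
    flagged = []
    for r in executable_leaves(regions):
        in_image = any(p["start"] <= r["start"] and r["end"] <= p["end"] for p in pe_images)
        if "W" in r["prot"] or not in_image:
            flagged.append(r)
    return flagged


def rwx_total(regions):
    """Total bytes of writable executable pages (leaf rows only, so no double counting)."""
    return sum(r["size"] for r in executable_leaves(regions) if "W" in r["prot"])


def report(text):
    """'start-end' -> protection for every flagged region in a listing."""
    regs = parse_regions(text)
    return {f"{r['start']:#010x}-{r['end']:#010x}": r["prot"] for r in suspicious(regs)}


if __name__ == "__main__":
    for rng, prot in report(SAMPLE).items():
        print(rng, prot)
    print(f"RWX bytes: {rwx_total(parse_regions(SAMPLE)):#x}")
```

Run against the cmd.exe listing the same code flags its four RWX pages (0x0245b000, 0x02569000, 0x0259d000, 0x025dc000) and no RX page at all, since that listing marks no row as a PE image.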


Processing ( 5.741 seconds )

  • 3.313 ProcessMemory
  • 0.854 CAPE
  • 0.786 Static
  • 0.476 ProcDump
  • 0.139 TargetInfo
  • 0.088 TrID
  • 0.03 Deduplicate
  • 0.027 BehaviorAnalysis
  • 0.012 Dropped
  • 0.006 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.004 Strings
  • 0.001 Debug

Signatures ( 0.052 seconds )

  • 0.009 antiav_detectreg
  • 0.007 stealth_file
  • 0.004 infostealer_ftp
  • 0.004 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 ransomware_extensions
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 ransomware_message
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn

Reporting ( 0.301 seconds )

  • 0.301 Compression
Task ID 87747
Mongo ID 5d532bd6399c393247a5798e
Cuckoo release 1.3-CAPE