CAPE

Detections: TrickBot
Triggered CAPE Tasks: Task #87750: TrickBot

Analysis

Category: FILE
Package: exe
Started: 2019-08-13 21:56:34
Completed: 2019-08-13 22:00:44
Duration: 250 seconds
Options:
route = internet
procdump = 1
Log:
2019-08-13 22:56:35,000 [root] INFO: Date set to: 08-13-19, time set to: 21:56:35, timeout set to: 200
2019-08-13 22:56:35,015 [root] DEBUG: Starting analyzer from: C:\epyfuwi
2019-08-13 22:56:35,015 [root] DEBUG: Storing results at: C:\HRnqwoJUO
2019-08-13 22:56:35,015 [root] DEBUG: Pipe server name: \\.\PIPE\KxvfqAkc
2019-08-13 22:56:35,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-08-13 22:56:35,015 [root] INFO: Automatically selected analysis package "exe"
2019-08-13 22:56:35,296 [root] DEBUG: Started auxiliary module Browser
2019-08-13 22:56:35,296 [root] DEBUG: Started auxiliary module Curtain
2019-08-13 22:56:35,296 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-13 22:56:35,529 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-08-13 22:56:35,529 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-13 22:56:35,529 [root] DEBUG: Started auxiliary module DigiSig
2019-08-13 22:56:35,529 [root] DEBUG: Started auxiliary module Disguise
2019-08-13 22:56:35,529 [root] DEBUG: Started auxiliary module Human
2019-08-13 22:56:35,546 [root] DEBUG: Started auxiliary module Screenshots
2019-08-13 22:56:35,546 [root] DEBUG: Started auxiliary module Sysmon
2019-08-13 22:56:35,546 [root] DEBUG: Started auxiliary module Usage
2019-08-13 22:56:35,546 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-08-13 22:56:35,546 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-08-13 22:56:35,546 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\XVVzw2.exe" with arguments "" with pid 3040
2019-08-13 22:56:35,546 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:35,546 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\WIUzSfV.dll, loader C:\epyfuwi\bin\zoNgnVz.exe
2019-08-13 22:56:35,592 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:35,592 [root] DEBUG: Loader: Injecting process 3040 (thread 3044) with C:\epyfuwi\dll\WIUzSfV.dll.
2019-08-13 22:56:35,592 [root] DEBUG: Process image base: 0x00400000
2019-08-13 22:56:35,592 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\WIUzSfV.dll.
2019-08-13 22:56:35,592 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77110000
2019-08-13 22:56:35,592 [root] DEBUG: InjectDllViaIAT: Allocated 0x1128 bytes for new import table at 0x00490000.
2019-08-13 22:56:35,592 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:35,592 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\WIUzSfV.dll.
2019-08-13 22:56:35,592 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3040
2019-08-13 22:56:37,605 [lib.api.process] INFO: Successfully resumed process with pid 3040
2019-08-13 22:56:37,605 [root] INFO: Added new process to list with pid: 3040
2019-08-13 22:56:37,605 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:37,605 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:37,651 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:37,651 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:37,651 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:37,651 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:37,651 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:37,651 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3040 at 0x748b0000, image base 0x400000, stack from 0x286000-0x290000
2019-08-13 22:56:37,667 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\XVVzw2.exe".
2019-08-13 22:56:37,667 [root] INFO: Monitor successfully loaded in process with pid 3040.
2019-08-13 22:56:37,667 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 22:56:37,667 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 22:56:37,667 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 22:56:37,667 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 22:56:37,713 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 22:56:37,713 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 22:56:37,713 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 22:56:37,744 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 22:56:37,744 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 22:56:37,744 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 22:56:37,776 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-08-13 22:56:37,808 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 22:56:37,808 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 22:56:37,808 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 22:56:37,808 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 22:56:37,822 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 22:56:37,822 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 22:56:37,822 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 22:56:37,838 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 22:56:37,854 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-08-13 22:56:37,869 [root] INFO: Announced 32-bit process name: ропрУВаЫсено.exe pid: 1996
2019-08-13 22:56:37,869 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:37,869 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\WIUzSfV.dll, loader C:\epyfuwi\bin\zoNgnVz.exe
2019-08-13 22:56:37,885 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:37,885 [root] DEBUG: Loader: Injecting process 1996 (thread 1704) with C:\epyfuwi\dll\WIUzSfV.dll.
2019-08-13 22:56:37,885 [root] DEBUG: Process image base: 0x00400000
2019-08-13 22:56:37,885 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\WIUzSfV.dll.
2019-08-13 22:56:37,885 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77110000
2019-08-13 22:56:37,885 [root] DEBUG: InjectDllViaIAT: Allocated 0x1128 bytes for new import table at 0x00490000.
2019-08-13 22:56:37,885 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:37,885 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\WIUzSfV.dll.
2019-08-13 22:56:37,885 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1996
2019-08-13 22:56:37,885 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:37,885 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:37,885 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:37,885 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:37,885 [root] DEBUG: DLL unloaded from 0x74440000.
2019-08-13 22:56:37,885 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3040
2019-08-13 22:56:37,885 [root] DEBUG: GetHookCallerBase: thread 3044 (handle 0x0), return address 0x00407C87, allocation base 0x00400000.
2019-08-13 22:56:37,885 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 22:56:37,885 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 22:56:37,885 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 22:56:37,901 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:37,901 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1996 at 0x748b0000, image base 0x400000, stack from 0x286000-0x290000
2019-08-13 22:56:37,901 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\ProgramData\????????????.exe".
2019-08-13 22:56:37,901 [root] INFO: Added new process to list with pid: 1996
2019-08-13 22:56:37,901 [root] INFO: Monitor successfully loaded in process with pid 1996.
2019-08-13 22:56:37,901 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 22:56:37,901 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3040_21342264413756514382019
2019-08-13 22:56:37,901 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 22:56:37,901 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 22:56:37,901 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 22:56:37,901 [root] DEBUG: DLL unloaded from 0x74870000.
2019-08-13 22:56:37,901 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 22:56:37,901 [root] INFO: Notified of termination of process with pid 3040.
2019-08-13 22:56:37,901 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 22:56:37,901 [root] DEBUG: set_caller_info: Adding region at 0x002E0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 22:56:37,917 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 22:56:37,917 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 22:56:38,009 [root] DEBUG: DLL unloaded from 0x75790000.
2019-08-13 22:56:38,026 [root] DEBUG: set_caller_info: Adding region at 0x04650000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 22:56:38,056 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 22:56:38,056 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 22:56:38,056 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 22:56:38,056 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 22:56:38,056 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 22:56:38,088 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:38,134 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:38,165 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 22:56:38,197 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 22:56:38,197 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 22:56:38,229 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 22:56:38,229 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 22:56:38,229 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 22:56:38,229 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 22:56:38,243 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 22:56:38,259 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-08-13 22:56:38,276 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3032
2019-08-13 22:56:38,290 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,290 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,322 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,322 [root] DEBUG: Loader: Injecting process 3032 (thread 1928) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,322 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:38,338 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,354 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:38,354 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:38,354 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,368 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,368 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3032
2019-08-13 22:56:38,368 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:38,384 [root] DEBUG: DLL unloaded from 0x74340000.
2019-08-13 22:56:38,384 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:38,384 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:38,384 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,400 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,400 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:38,400 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:38,400 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,400 [root] INFO: Announced 64-bit process name: cmd.exe pid: 836
2019-08-13 22:56:38,400 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,400 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,400 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,400 [root] DEBUG: Loader: Injecting process 836 (thread 1756) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,400 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:38,415 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,415 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:38,415 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:38,415 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,415 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,415 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 836
2019-08-13 22:56:38,415 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:38,415 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:38,415 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:38,431 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:38,431 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:38,431 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,431 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2888
2019-08-13 22:56:38,431 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,431 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,431 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,431 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,431 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,431 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,447 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,447 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,447 [root] DEBUG: Loader: Injecting process 2888 (thread 2860) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,447 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,447 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:38,447 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,447 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:38,447 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:38,447 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,447 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,447 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,447 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,463 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2888
2019-08-13 22:56:38,463 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 836 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000044000-0x0000000000140000
2019-08-13 22:56:38,463 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3032 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000094000-0x0000000000190000
2019-08-13 22:56:38,463 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:38,463 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c sc delete WinDefend.
2019-08-13 22:56:38,463 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c sc stop WinDefend.
2019-08-13 22:56:38,463 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:38,463 [root] INFO: Added new process to list with pid: 836
2019-08-13 22:56:38,463 [root] INFO: Monitor successfully loaded in process with pid 836.
2019-08-13 22:56:38,463 [root] INFO: Added new process to list with pid: 3032
2019-08-13 22:56:38,463 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:38,463 [root] INFO: Monitor successfully loaded in process with pid 3032.
2019-08-13 22:56:38,463 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,463 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:38,463 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,463 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:38,463 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,477 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,477 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,477 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1512
2019-08-13 22:56:38,477 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,477 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2888 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000154000-0x0000000000250000
2019-08-13 22:56:38,477 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,477 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 22:56:38,477 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,477 [root] INFO: Added new process to list with pid: 2888
2019-08-13 22:56:38,477 [root] INFO: Monitor successfully loaded in process with pid 2888.
2019-08-13 22:56:38,493 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,493 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:38,493 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:38,493 [root] DEBUG: Loader: Injecting process 1512 (thread 2696) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,493 [root] INFO: Announced 64-bit process name: sc.exe pid: 1068
2019-08-13 22:56:38,493 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:38,493 [root] INFO: Announced 64-bit process name: sc.exe pid: 1260
2019-08-13 22:56:38,493 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,493 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,493 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,493 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:38,493 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,493 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:38,493 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,509 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,509 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,509 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,509 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1512
2019-08-13 22:56:38,509 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,509 [root] DEBUG: Loader: Injecting process 1068 (thread 252) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,509 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:38,509 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:38,509 [root] DEBUG: Loader: Injecting process 1260 (thread 2204) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,509 [root] DEBUG: Process image base: 0x00000000FF420000
2019-08-13 22:56:38,509 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:38,509 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2324
2019-08-13 22:56:38,509 [root] DEBUG: Process image base: 0x00000000FF420000
2019-08-13 22:56:38,509 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:38,509 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,509 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,509 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,509 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,509 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:38,525 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF42F000 - 0x000007FEFF430000
2019-08-13 22:56:38,525 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,525 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF42F000 - 0x000007FEFF430000
2019-08-13 22:56:38,525 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,525 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:38,525 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FF430000.
2019-08-13 22:56:38,525 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FF430000.
2019-08-13 22:56:38,525 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,525 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,525 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,525 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,525 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2652
2019-08-13 22:56:38,525 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,525 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1260
2019-08-13 22:56:38,525 [root] DEBUG: Loader: Injecting process 2324 (thread 2308) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,525 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,525 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,525 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,540 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:38,540 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1068
2019-08-13 22:56:38,540 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,540 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,540 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,540 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,540 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,540 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:38,540 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1512 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000084000-0x0000000000180000
2019-08-13 22:56:38,540 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,540 [root] DEBUG: Loader: Injecting process 2652 (thread 2724) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,540 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,540 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:38,540 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 22:56:38,540 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,540 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:38,540 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,540 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,555 [root] INFO: Added new process to list with pid: 1512
2019-08-13 22:56:38,555 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,555 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,555 [root] INFO: Monitor successfully loaded in process with pid 1512.
2019-08-13 22:56:38,555 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,555 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,555 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:38,555 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2324
2019-08-13 22:56:38,555 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:38,555 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,555 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,572 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:38,572 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1812
2019-08-13 22:56:38,572 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,572 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,572 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,572 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,572 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,572 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,572 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,572 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,572 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1068 at 0x0000000074460000, image base 0x00000000FF420000, stack from 0x0000000000215000-0x0000000000220000
2019-08-13 22:56:38,572 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1260 at 0x0000000074460000, image base 0x00000000FF420000, stack from 0x00000000001F5000-0x0000000000200000
2019-08-13 22:56:38,572 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2652
2019-08-13 22:56:38,572 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\sc  stop WinDefend.
2019-08-13 22:56:38,572 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\sc  delete WinDefend.
2019-08-13 22:56:38,572 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:38,572 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,572 [root] INFO: Added new process to list with pid: 1260
2019-08-13 22:56:38,588 [root] DEBUG: Loader: Injecting process 1812 (thread 2112) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,588 [root] INFO: Added new process to list with pid: 1068
2019-08-13 22:56:38,588 [root] INFO: Monitor successfully loaded in process with pid 1260.
2019-08-13 22:56:38,588 [root] INFO: Monitor successfully loaded in process with pid 1068.
2019-08-13 22:56:38,588 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,588 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:38,588 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:38,588 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,588 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,588 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,588 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:38,588 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,588 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2019-08-13 22:56:38,588 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2019-08-13 22:56:38,588 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:38,588 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,602 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:38,602 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,602 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:38,602 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1068
2019-08-13 22:56:38,602 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:38,602 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,602 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1260
2019-08-13 22:56:38,602 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,602 [root] DEBUG: GetHookCallerBase: thread 252 (handle 0x0), return address 0x00000000FF42107F, allocation base 0x00000000FF420000.
2019-08-13 22:56:38,602 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,602 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,602 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2284
2019-08-13 22:56:38,602 [root] DEBUG: GetHookCallerBase: thread 2204 (handle 0x0), return address 0x00000000FF42107F, allocation base 0x00000000FF420000.
2019-08-13 22:56:38,618 [root] INFO: Process with pid 3040 has terminated
2019-08-13 22:56:38,618 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,618 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1812
2019-08-13 22:56:38,618 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF420000.
2019-08-13 22:56:38,618 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,618 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF420000.
2019-08-13 22:56:38,618 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,618 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,618 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF420000.
2019-08-13 22:56:38,618 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,618 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,618 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,618 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF420000.
2019-08-13 22:56:38,618 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2324 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x00000000000D5000-0x00000000000E0000
2019-08-13 22:56:38,618 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 22:56:38,618 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,618 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2652 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000124000-0x0000000000220000
2019-08-13 22:56:38,618 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 22:56:38,618 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 22:56:38,634 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,634 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 22:56:38,634 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 22:56:38,634 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,634 [root] INFO: Added new process to list with pid: 2324
2019-08-13 22:56:38,634 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 22:56:38,634 [root] DEBUG: Loader: Injecting process 2284 (thread 2692) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,634 [root] INFO: Monitor successfully loaded in process with pid 2324.
2019-08-13 22:56:38,634 [root] INFO: Added new process to list with pid: 2652
2019-08-13 22:56:38,634 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,634 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 22:56:38,634 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:38,634 [root] INFO: Monitor successfully loaded in process with pid 2652.
2019-08-13 22:56:38,634 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,650 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 22:56:38,650 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,650 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\1068_9707126185856514382019
2019-08-13 22:56:38,650 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,650 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:38,650 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 22:56:38,650 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:38,650 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1812 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x00000000001C5000-0x00000000001D0000
2019-08-13 22:56:38,650 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:38,650 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2796
2019-08-13 22:56:38,650 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 22:56:38,650 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,650 [root] INFO: Added new process to list with pid: 1812
2019-08-13 22:56:38,650 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,650 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,665 [root] INFO: Monitor successfully loaded in process with pid 1812.
2019-08-13 22:56:38,665 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,665 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2284
2019-08-13 22:56:38,665 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:38,665 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:38,665 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,665 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:38,665 [root] DEBUG: Loader: Injecting process 2796 (thread 2612) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,665 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,665 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:38,665 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:38,665 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,665 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:38,665 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,697 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:38,697 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,697 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:38,697 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:38,697 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2116
2019-08-13 22:56:38,697 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:38,697 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:38,697 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:38,697 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:38,697 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:38,697 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,697 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,697 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,697 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,697 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:38,697 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:38,697 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,697 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,697 [root] INFO: Notified of termination of process with pid 1068.
2019-08-13 22:56:38,711 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2796
2019-08-13 22:56:38,711 [root] INFO: Notified of termination of process with pid 1260.
2019-08-13 22:56:38,711 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,711 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,711 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 836
2019-08-13 22:56:38,711 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3032
2019-08-13 22:56:38,711 [root] DEBUG: Loader: Injecting process 2116 (thread 2108) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,711 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2284 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x00000000000C4000-0x00000000001C0000
2019-08-13 22:56:38,711 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,711 [root] DEBUG: GetHookCallerBase: thread 1756 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:38,711 [root] DEBUG: GetHookCallerBase: thread 1928 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:38,711 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:38,711 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 22:56:38,711 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,727 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:38,727 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:38,727 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,727 [root] INFO: Added new process to list with pid: 2284
2019-08-13 22:56:38,727 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:38,727 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,727 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:38,727 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:38,727 [root] INFO: Monitor successfully loaded in process with pid 2284.
2019-08-13 22:56:38,727 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:38,727 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:38,727 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:38,727 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:38,727 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:38,743 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,743 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:38,743 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:38,743 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:38,743 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:38,743 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:38,743 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,743 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,743 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1116
2019-08-13 22:56:38,743 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 22:56:38,743 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:38,759 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,759 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,759 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:38,759 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 22:56:38,759 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,759 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3032_17756240963856514382019
2019-08-13 22:56:38,759 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2116
2019-08-13 22:56:38,759 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2796 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x00000000000A5000-0x00000000000B0000
2019-08-13 22:56:38,775 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:38,775 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,775 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:38,775 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:38,775 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:38,775 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 22:56:38,775 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:38,775 [root] INFO: Notified of termination of process with pid 836.
2019-08-13 22:56:38,775 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,775 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:38,775 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,775 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:38,775 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:38,775 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:38,789 [root] INFO: Added new process to list with pid: 2796
2019-08-13 22:56:38,789 [root] DEBUG: Loader: Injecting process 1116 (thread 416) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,789 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:38,789 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,789 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:38,789 [root] INFO: Monitor successfully loaded in process with pid 2796.
2019-08-13 22:56:38,789 [root] INFO: Notified of termination of process with pid 3032.
2019-08-13 22:56:38,789 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:38,789 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:38,789 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:38,805 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,805 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:38,805 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:38,805 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:38,805 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,805 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:38,805 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:38,805 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:38,805 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:38,805 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:38,805 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:38,805 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:38,822 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:38,822 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:38,822 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:38,822 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2976
2019-08-13 22:56:38,822 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:38,822 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:38,822 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,822 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:38,822 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:38,836 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2116 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x00000000001D4000-0x00000000002D0000
2019-08-13 22:56:38,852 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:38,852 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:38,852 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1116
2019-08-13 22:56:38,852 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:38,852 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:38,852 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 22:56:38,852 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:38,852 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:38,852 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:38,852 [root] INFO: Added new process to list with pid: 2116
2019-08-13 22:56:38,868 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:38,884 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:38,900 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:38,900 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:38,900 [root] INFO: Monitor successfully loaded in process with pid 2116.
2019-08-13 22:56:38,900 [root] DEBUG: Loader: Injecting process 2976 (thread 2980) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:38,900 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:38,930 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:38,930 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:38,930 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:38,930 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:39,071 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:39,071 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2644
2019-08-13 22:56:39,086 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:39,086 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:39,086 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:39,134 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:39,134 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:39,134 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:39,148 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:39,148 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:39,148 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:39,148 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:39,164 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1116 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000256000-0x0000000000260000
2019-08-13 22:56:39,180 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:39,180 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:39,180 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 22:56:39,211 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2976
2019-08-13 22:56:39,211 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:39,211 [root] INFO: Added new process to list with pid: 1116
2019-08-13 22:56:39,211 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:39,211 [root] DEBUG: Loader: Injecting process 2644 (thread 2148) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:39,211 [root] INFO: Monitor successfully loaded in process with pid 1116.
2019-08-13 22:56:39,226 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:39,243 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:39,243 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:39,243 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:39,243 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:39,243 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:39,257 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:39,257 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:39,257 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:39,257 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:39,273 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:39,273 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:39,273 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:39,289 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:39,289 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:39,289 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:39,289 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:39,289 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:39,289 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:39,305 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:39,305 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:39,305 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:39,305 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:39,305 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:39,305 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:39,305 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:39,305 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:39,305 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:39,321 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3056
2019-08-13 22:56:39,321 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:39,321 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:39,335 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2644
2019-08-13 22:56:39,335 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:39,335 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:39,335 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:39,335 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:39,460 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:39,476 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:39,476 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:39,476 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:39,476 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:39,476 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:39,476 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2976 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x00000000001F4000-0x00000000002F0000
2019-08-13 22:56:39,507 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:39,507 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:39,507 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:39,507 [root] DEBUG: Loader: Injecting process 3056 (thread 624) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:39,507 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 22:56:39,507 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:39,523 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:39,523 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:39,523 [root] INFO: Added new process to list with pid: 2976
2019-08-13 22:56:39,523 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:39,523 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:39,523 [root] INFO: Monitor successfully loaded in process with pid 2976.
2019-08-13 22:56:39,523 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:39,569 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:39,569 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:39,569 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:39,569 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:39,569 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:39,569 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:39,569 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:39,617 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2644 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000135000-0x0000000000140000
2019-08-13 22:56:39,617 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1360
2019-08-13 22:56:39,617 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:39,632 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:39,632 [root] INFO: Process with pid 836 has terminated
2019-08-13 22:56:39,632 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 22:56:39,694 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:39,694 [root] INFO: Process with pid 1260 has terminated
2019-08-13 22:56:39,694 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:39,726 [root] INFO: Added new process to list with pid: 2644
2019-08-13 22:56:39,726 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:39,726 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:39,726 [root] INFO: Monitor successfully loaded in process with pid 2644.
2019-08-13 22:56:39,742 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:39,742 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:39,789 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3056
2019-08-13 22:56:39,789 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:39,789 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:39,803 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:39,803 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:39,819 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:39,819 [root] DEBUG: Loader: Injecting process 1360 (thread 2916) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:39,851 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:39,851 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:39,851 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:39,851 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:39,867 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:39,867 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:39,867 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:39,928 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:39,928 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:39,928 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:39,944 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:39,944 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:39,944 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:39,944 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:39,960 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:39,960 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2920
2019-08-13 22:56:39,960 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:39,960 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:39,960 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:39,960 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:39,960 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:39,976 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:40,006 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:40,006 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:40,023 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:40,023 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:40,023 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:40,023 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:40,038 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,053 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:40,053 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:40,053 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:40,053 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:40,053 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1360
2019-08-13 22:56:40,053 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:40,053 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:40,053 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:40,069 [root] DEBUG: Loader: Injecting process 2920 (thread 2856) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,069 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:40,069 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:40,069 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3056 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000084000-0x0000000000180000
2019-08-13 22:56:40,069 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:40,101 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:40,101 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:40,101 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:40,101 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:40,101 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 22:56:40,101 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:40,115 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:40,115 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:40,115 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:40,115 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,148 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:40,148 [root] INFO: Added new process to list with pid: 3056
2019-08-13 22:56:40,178 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:40,178 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:40,178 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:40,178 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7N2KXBS5TRX8PZUE5V26.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7N2KXBS5TRX8PZUE5V26.temp'
2019-08-13 22:56:40,178 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:40,178 [root] INFO: Monitor successfully loaded in process with pid 3056.
2019-08-13 22:56:40,178 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:40,178 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:40,194 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:40,194 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7N2KXBS5TRX8PZUE5V26.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7N2KXBS5TRX8PZUE5V26.temp'
2019-08-13 22:56:40,194 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:40,194 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:40,194 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:40,226 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:40,226 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:40,226 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:40,226 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:40,240 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,240 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2920
2019-08-13 22:56:40,240 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:40,240 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WIW1R5TNTGDLJULCI4XX.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\WIW1R5TNTGDLJULCI4XX.temp'
2019-08-13 22:56:40,240 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7N2KXBS5TRX8PZUE5V26.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7N2KXBS5TRX8PZUE5V26.temp'
2019-08-13 22:56:40,240 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2880
2019-08-13 22:56:40,240 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:40,240 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1360 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x00000000000D5000-0x00000000000E0000
2019-08-13 22:56:40,240 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:40,240 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:40,256 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WIW1R5TNTGDLJULCI4XX.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\WIW1R5TNTGDLJULCI4XX.temp'
2019-08-13 22:56:40,256 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e537dc.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e537dc.TMP'
2019-08-13 22:56:40,256 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:40,256 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:40,256 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 22:56:40,256 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:40,303 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:40,303 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:40,319 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:40,319 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:40,319 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:40,319 [root] INFO: Added new process to list with pid: 1360
2019-08-13 22:56:40,319 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:40,319 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:40,319 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WIW1R5TNTGDLJULCI4XX.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\WIW1R5TNTGDLJULCI4XX.temp'
2019-08-13 22:56:40,319 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7N2KXBS5TRX8PZUE5V26.temp" does not exist, skip.
2019-08-13 22:56:40,319 [root] INFO: Monitor successfully loaded in process with pid 1360.
2019-08-13 22:56:40,319 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:40,319 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:40,335 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:40,335 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e53839.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e53839.TMP'
2019-08-13 22:56:40,335 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:40,349 [root] DEBUG: Loader: Injecting process 2880 (thread 2620) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,349 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:40,365 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:40,365 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:40,365 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:40,365 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVUHPD16BVH756D1NC94.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YVUHPD16BVH756D1NC94.temp'
2019-08-13 22:56:40,365 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:40,365 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:40,381 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:40,381 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2772
2019-08-13 22:56:40,381 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:40,381 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7N2KXBS5TRX8PZUE5V26.temp" does not exist, skip.
2019-08-13 22:56:40,381 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVUHPD16BVH756D1NC94.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YVUHPD16BVH756D1NC94.temp'
2019-08-13 22:56:40,381 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:40,397 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,397 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:40,397 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:40,397 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:40,397 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:40,397 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:40,413 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:40,413 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2920 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000224000-0x0000000000320000
2019-08-13 22:56:40,413 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:40,413 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:40,413 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WIW1R5TNTGDLJULCI4XX.temp" does not exist, skip.
2019-08-13 22:56:40,413 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:40,413 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:40,413 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVUHPD16BVH756D1NC94.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YVUHPD16BVH756D1NC94.temp'
2019-08-13 22:56:40,413 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:40,413 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 22:56:40,413 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:40,427 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:40,427 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:40,427 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:40,444 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e53897.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e53897.TMP'
2019-08-13 22:56:40,444 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:40,444 [root] INFO: Added new process to list with pid: 2920
2019-08-13 22:56:40,444 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:40,444 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:40,460 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:40,460 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:40,460 [root] DEBUG: Loader: Injecting process 2772 (thread 1856) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,460 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:40,460 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:40,460 [root] INFO: Monitor successfully loaded in process with pid 2920.
2019-08-13 22:56:40,460 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:40,460 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,474 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:40,474 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:40,474 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:40,490 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVUHPD16BVH756D1NC94.temp" does not exist, skip.
2019-08-13 22:56:40,506 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:40,506 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:40,506 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:40,506 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:40,506 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2880
2019-08-13 22:56:40,506 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:40,506 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:40,506 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,506 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:40,506 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2876
2019-08-13 22:56:40,506 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:40,522 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:40,522 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:40,522 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:40,522 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:40,522 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:40,522 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:40,522 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:40,522 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVUHPD16BVH756D1NC94.temp" does not exist, skip.
2019-08-13 22:56:40,522 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:40,522 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:40,538 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:40,538 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:40,538 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:40,538 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:40,538 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:40,552 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:40,552 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:40,552 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:40,552 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:40,569 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:40,569 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:40,569 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:40,569 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:40,569 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:40,584 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:40,584 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,584 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:40,584 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:40,599 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:40,584 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:40,599 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:40,599 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2772
2019-08-13 22:56:40,599 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:40,599 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:40,599 [root] DEBUG: Loader: Injecting process 2876 (thread 2672) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,615 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:40,615 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:40,631 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:40,631 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:40,631 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:40,631 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:40,647 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:40,647 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:40,647 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:40,647 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:40,647 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:40,661 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:40,661 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:40,661 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:40,661 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2880 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000175000-0x0000000000180000
2019-08-13 22:56:40,661 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,661 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:40,661 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:40,677 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 22:56:40,677 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:40,677 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:40,694 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:40,694 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:40,694 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:40,694 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:40,694 [root] INFO: Added new process to list with pid: 2880
2019-08-13 22:56:40,694 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:40,709 [root] DEBUG: DLL loaded at 0x73DA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:40,709 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:40,709 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:40,709 [root] INFO: Monitor successfully loaded in process with pid 2880.
2019-08-13 22:56:40,724 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:40,724 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:40,740 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3292
2019-08-13 22:56:40,756 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:40,756 [root] INFO: Process with pid 3032 has terminated
2019-08-13 22:56:40,772 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:40,772 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:40,772 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:40,786 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,786 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:40,786 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:40,786 [root] INFO: Process with pid 1068 has terminated
2019-08-13 22:56:40,786 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:40,786 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:40,786 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:40,786 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2876
2019-08-13 22:56:40,786 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:40,802 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:40,802 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:40,802 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2772 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000054000-0x0000000000150000
2019-08-13 22:56:40,802 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:40,818 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:40,818 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:40,818 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:40,834 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 22:56:40,834 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:40,834 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:40,849 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:40,849 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:40,849 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:40,849 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:40,849 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:40,849 [root] INFO: Added new process to list with pid: 2772
2019-08-13 22:56:40,849 [root] DEBUG: Loader: Injecting process 3292 (thread 3296) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,865 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:40,865 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:40,881 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:40,881 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:40,881 [root] INFO: Monitor successfully loaded in process with pid 2772.
2019-08-13 22:56:40,895 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:40,895 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:40,895 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:40,895 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:40,911 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:40,911 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:40,911 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:40,911 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:40,911 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:40,911 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:40,927 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:40,959 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:40,959 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:40,959 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:40,973 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3484
2019-08-13 22:56:40,973 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:40,973 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:41,006 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:41,006 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:41,020 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:41,020 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:41,020 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:41,020 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:41,020 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:41,036 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2876 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x00000000000A5000-0x00000000000B0000
2019-08-13 22:56:41,036 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:41,036 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:41,036 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:41,036 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:41,036 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:41,036 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:41,052 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 22:56:41,052 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:41,052 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:41,052 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:41,052 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:41,068 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:41,068 [root] INFO: Added new process to list with pid: 2876
2019-08-13 22:56:41,068 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:41,068 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:41,068 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:41,084 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:41,084 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3292
2019-08-13 22:56:41,084 [root] DEBUG: Loader: Injecting process 3484 (thread 3488) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:41,084 [root] INFO: Monitor successfully loaded in process with pid 2876.
2019-08-13 22:56:41,084 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:41,084 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:41,098 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:41,098 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:41,098 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:41,098 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:41,098 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:41,098 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:41,115 [root] DEBUG: DLL loaded at 0x000007FEEE420000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:41,115 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:41,130 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:41,130 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:41,130 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:41,145 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:41,145 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:41,145 [root] DEBUG: DLL loaded at 0x000000001CF70000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:41,145 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:41,145 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:41,145 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:41,145 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:41,161 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:41,161 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:41,161 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:41,177 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:41,177 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:41,193 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:41,193 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:41,193 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:41,193 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:41,207 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:41,207 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:41,207 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:41,223 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:41,223 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:41,223 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:41,223 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:41,240 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:41,240 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:41,270 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:41,270 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:41,270 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:41,270 [root] INFO: Announced 32-bit process name: ропрУВаЫсено.exe pid: 3872
2019-08-13 22:56:41,427 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:41,427 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:41,427 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:41,427 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:41,427 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3484
2019-08-13 22:56:41,427 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3292 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x00000000001D4000-0x00000000002D0000
2019-08-13 22:56:41,427 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:41,457 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:41,457 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:41,473 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:41,473 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:41,473 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:41,489 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:41,489 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableScriptScanning $true.
2019-08-13 22:56:41,489 [root] DEBUG: DLL loaded at 0x000007FEEE420000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:41,489 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:41,505 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:41,505 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\WIUzSfV.dll, loader C:\epyfuwi\bin\zoNgnVz.exe
2019-08-13 22:56:41,552 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:41,552 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:41,552 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:41,552 [root] INFO: Added new process to list with pid: 3292
2019-08-13 22:56:41,582 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:41,582 [root] DEBUG: DLL loaded at 0x000000001D100000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:41,582 [root] DEBUG: DLL loaded at 0x000007FEEE420000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:41,582 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:41,582 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:41,582 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:41,582 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:41,582 [root] INFO: Monitor successfully loaded in process with pid 3292.
2019-08-13 22:56:41,582 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:41,598 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:41,598 [root] DEBUG: DLL loaded at 0x000000001D120000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:41,598 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:41,614 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:41,614 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:41,614 [root] DEBUG: Loader: Injecting process 3872 (thread 3876) with C:\epyfuwi\dll\WIUzSfV.dll.
2019-08-13 22:56:41,630 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:41,644 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:41,644 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:41,644 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:41,644 [root] DEBUG: Process image base: 0x00400000
2019-08-13 22:56:41,644 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:41,644 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:41,661 [root] INFO: Announced 64-bit process name: powershell.exe pid: 4060
2019-08-13 22:56:41,661 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VZCNBWHK9ANI5WD5S4J.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\1VZCNBWHK9ANI5WD5S4J.temp'
2019-08-13 22:56:41,661 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:41,707 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:41,707 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:41,707 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\WIUzSfV.dll.
2019-08-13 22:56:41,707 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:41,707 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:41,707 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VZCNBWHK9ANI5WD5S4J.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\1VZCNBWHK9ANI5WD5S4J.temp'
2019-08-13 22:56:41,707 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:41,707 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:41,707 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:41,707 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:41,707 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:41,707 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77110000
2019-08-13 22:56:41,707 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3484 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x00000000001D5000-0x00000000001E0000
2019-08-13 22:56:41,723 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:41,753 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:41,816 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:41,832 [root] DEBUG: DLL loaded at 0x000007FEEE420000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:41,832 [root] DEBUG: InjectDllViaIAT: Allocated 0x1128 bytes for new import table at 0x00490000.
2019-08-13 22:56:41,832 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 22:56:41,848 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:41,848 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VZCNBWHK9ANI5WD5S4J.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\1VZCNBWHK9ANI5WD5S4J.temp'
2019-08-13 22:56:41,878 [root] DEBUG: DLL loaded at 0x000000001D070000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:41,878 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1f2d2b3.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1f2d2b3.TMP'
2019-08-13 22:56:41,878 [root] INFO: Added new process to list with pid: 3484
2019-08-13 22:56:41,878 [root] INFO: Monitor successfully loaded in process with pid 3484.
2019-08-13 22:56:41,894 [root] DEBUG: Loader: Injecting process 4060 (thread 4064) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:41,894 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:41,894 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:41,894 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:41,894 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:41,894 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:41,894 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\WIUzSfV.dll.
2019-08-13 22:56:41,894 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VZCNBWHK9ANI5WD5S4J.temp" does not exist, skip.
2019-08-13 22:56:41,894 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:41,894 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:41,910 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3872
2019-08-13 22:56:41,910 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:41,910 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:41,910 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:41,910 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:41,910 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:41,910 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:41,926 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:41,926 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:41,926 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2324
2019-08-13 22:56:41,926 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:41,926 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:41,926 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:41,926 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:41,941 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VZCNBWHK9ANI5WD5S4J.temp" does not exist, skip.
2019-08-13 22:56:41,941 [root] DEBUG: GetHookCallerBase: thread 2308 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:41,941 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:41,941 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 22:56:41,957 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:41,957 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:41,957 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:41,957 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:41,973 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:41,957 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:41,973 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:41,973 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:41,987 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:41,987 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:41,987 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:42,003 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:42,019 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:42,019 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4060
2019-08-13 22:56:42,035 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3872 at 0x748b0000, image base 0x400000, stack from 0x286000-0x290000
2019-08-13 22:56:42,035 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:42,035 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:42,035 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:42,035 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1116
2019-08-13 22:56:42,035 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:42,035 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:42,035 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\????????????.exe.
2019-08-13 22:56:42,035 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:42,051 [root] DEBUG: GetHookCallerBase: thread 416 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:42,051 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:42,065 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:42,065 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:42,065 [root] INFO: Added new process to list with pid: 3872
2019-08-13 22:56:42,065 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:42,065 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:42,065 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:42,065 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:42,065 [root] INFO: Monitor successfully loaded in process with pid 3872.
2019-08-13 22:56:42,082 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:42,082 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2324_5161624675211614382019
2019-08-13 22:56:42,082 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:42,082 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:42,082 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:42,082 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:42,082 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:42,098 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:42,098 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 22:56:42,098 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:42,098 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:42,098 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:42,112 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 22:56:42,112 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:42,128 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:42,128 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:42,128 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:42,144 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 22:56:42,144 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\1116_2141331420257514382019
2019-08-13 22:56:42,144 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 4060 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x00000000000B5000-0x00000000000C0000
2019-08-13 22:56:42,144 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:42,144 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 22:56:42,144 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableScriptScanning $true.
2019-08-13 22:56:42,144 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:42,144 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:42,144 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:42,160 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 22:56:42,160 [root] INFO: Added new process to list with pid: 4060
2019-08-13 22:56:42,160 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:42,176 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:42,176 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:42,176 [root] INFO: Monitor successfully loaded in process with pid 4060.
2019-08-13 22:56:42,176 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:42,190 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 22:56:42,190 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:42,190 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:42,190 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:42,190 [root] DEBUG: set_caller_info: Adding region at 0x003D0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 22:56:42,207 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:42,207 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:42,221 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:42,221 [root] DEBUG: DLL unloaded from 0x75790000.
2019-08-13 22:56:42,299 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:42,299 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:42,299 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:42,315 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:42,315 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:42,315 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:42,315 [root] INFO: Notified of termination of process with pid 2324.
2019-08-13 22:56:42,315 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:42,315 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:42,315 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2796
2019-08-13 22:56:42,346 [root] DEBUG: set_caller_info: Adding region at 0x01D80000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 22:56:42,346 [root] INFO: Notified of termination of process with pid 1116.
2019-08-13 22:56:42,346 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:42,346 [root] DEBUG: GetHookCallerBase: thread 2612 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:42,346 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2888
2019-08-13 22:56:42,362 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2284
2019-08-13 22:56:42,362 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 22:56:42,362 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:42,362 [root] DEBUG: GetHookCallerBase: thread 2860 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:42,362 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:42,362 [root] DEBUG: GetHookCallerBase: thread 2692 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:42,378 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 22:56:42,378 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:42,378 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:42,378 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1812
2019-08-13 22:56:42,378 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:42,378 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:42,378 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:42,378 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 22:56:42,394 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:42,394 [root] DEBUG: GetHookCallerBase: thread 2112 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:42,394 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:42,394 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:42,394 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:42,394 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:42,394 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 22:56:42,394 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:42,394 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:42,410 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:42,410 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:42,410 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:42,424 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 22:56:42,424 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:42,424 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:42,424 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:42,424 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:42,440 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:42,440 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:42,440 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:42,440 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:42,440 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2796_468442972257514382019
2019-08-13 22:56:42,440 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:42,456 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:42,456 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 22:56:42,456 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:42,456 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:42,456 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:42,456 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:42,471 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2888_6395341674256514382019
2019-08-13 22:56:42,471 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:42,471 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 22:56:42,471 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:42,471 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 22:56:42,471 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:42,487 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\1812_1652201128257514382019
2019-08-13 22:56:42,487 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:42,487 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:42,487 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:42,487 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 22:56:42,519 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:42,519 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:42,519 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:42,519 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:42,519 [root] INFO: Notified of termination of process with pid 2284.
2019-08-13 22:56:42,519 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:42,519 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:42,519 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 22:56:42,533 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:42,533 [root] INFO: Notified of termination of process with pid 2888.
2019-08-13 22:56:42,549 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:42,549 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 22:56:42,565 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:42,565 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:42,565 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:42,565 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 22:56:42,565 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:42,565 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:42,565 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:42,596 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 22:56:42,596 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:42,644 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:42,644 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:42,644 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 22:56:42,644 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:42,658 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:42,690 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:42,706 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 22:56:42,706 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:42,706 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:42,721 [root] INFO: Notified of termination of process with pid 2796.
2019-08-13 22:56:42,736 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-08-13 22:56:42,736 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3192
2019-08-13 22:56:42,736 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:42,753 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2652
2019-08-13 22:56:42,753 [root] INFO: Notified of termination of process with pid 1812.
2019-08-13 22:56:42,753 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:42,753 [root] DEBUG: GetHookCallerBase: thread 2724 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:42,767 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:42,767 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1512
2019-08-13 22:56:42,767 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:42,767 [root] DEBUG: GetHookCallerBase: thread 2696 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:42,767 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:42,767 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:42,783 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:42,783 [root] DEBUG: Loader: Injecting process 3192 (thread 3188) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:42,783 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:42,783 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:42,783 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:42,799 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:42,799 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:42,799 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:42,799 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:42,799 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:42,799 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:42,799 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:42,815 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:42,815 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:42,815 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:42,831 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:42,831 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:42,831 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2652_9104275204256514382019
2019-08-13 22:56:42,845 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:42,861 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:42,861 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:42,878 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:42,878 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:42,878 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:42,878 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:42,878 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:42,878 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\1512_18007214084256514382019
2019-08-13 22:56:42,878 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:42,892 [root] INFO: Process with pid 2888 has terminated
2019-08-13 22:56:42,892 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:42,892 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MHQBKYEW5FLB7CPQF2UL.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\MHQBKYEW5FLB7CPQF2UL.temp'
2019-08-13 22:56:42,892 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:42,892 [root] INFO: Notified of termination of process with pid 2652.
2019-08-13 22:56:42,892 [root] INFO: Process with pid 2324 has terminated
2019-08-13 22:56:42,892 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3192
2019-08-13 22:56:42,908 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MHQBKYEW5FLB7CPQF2UL.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\MHQBKYEW5FLB7CPQF2UL.temp'
2019-08-13 22:56:42,908 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:42,908 [root] INFO: Process with pid 1812 has terminated
2019-08-13 22:56:42,908 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:42,924 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LR0HXJ2YFGQC75SFWAMA.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\LR0HXJ2YFGQC75SFWAMA.temp'
2019-08-13 22:56:42,924 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:42,924 [root] INFO: Process with pid 2796 has terminated
2019-08-13 22:56:42,924 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1996
2019-08-13 22:56:42,924 [root] INFO: Notified of termination of process with pid 1512.
2019-08-13 22:56:42,924 [root] DEBUG: DLL unloaded from 0x74340000.
2019-08-13 22:56:42,924 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:42,924 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LR0HXJ2YFGQC75SFWAMA.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\LR0HXJ2YFGQC75SFWAMA.temp'
2019-08-13 22:56:42,924 [root] INFO: Process with pid 1116 has terminated
2019-08-13 22:56:42,924 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MHQBKYEW5FLB7CPQF2UL.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\MHQBKYEW5FLB7CPQF2UL.temp'
2019-08-13 22:56:42,940 [root] DEBUG: GetHookCallerBase: thread 1704 (handle 0x0), return address 0x046790EB, allocation base 0x04650000.
2019-08-13 22:56:42,940 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:42,940 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:42,940 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:42,956 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e54267.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e54267.TMP'
2019-08-13 22:56:42,956 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 22:56:42,956 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:42,956 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LR0HXJ2YFGQC75SFWAMA.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\LR0HXJ2YFGQC75SFWAMA.temp'
2019-08-13 22:56:42,956 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:42,970 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:42,970 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 22:56:42,970 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:42,970 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e54286.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e54286.TMP'
2019-08-13 22:56:42,986 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MHQBKYEW5FLB7CPQF2UL.temp" does not exist, skip.
2019-08-13 22:56:42,986 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 22:56:42,986 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:42,986 [root] DEBUG: DLL loaded at 0x73DA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:42,986 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:43,002 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:43,002 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2972
2019-08-13 22:56:43,002 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LR0HXJ2YFGQC75SFWAMA.temp" does not exist, skip.
2019-08-13 22:56:43,002 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:43,002 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:43,017 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:43,017 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MHQBKYEW5FLB7CPQF2UL.temp" does not exist, skip.
2019-08-13 22:56:43,017 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3192 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000134000-0x0000000000230000
2019-08-13 22:56:43,017 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:43,017 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\1996_15805337294256514382019
2019-08-13 22:56:43,017 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c sc stop WinDefend.
2019-08-13 22:56:43,017 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:43,033 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 22:56:43,033 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:43,033 [root] INFO: Added new process to list with pid: 3192
2019-08-13 22:56:43,033 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:43,033 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x04650000.
2019-08-13 22:56:43,033 [root] DEBUG: Loader: Injecting process 2972 (thread 3908) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,033 [root] INFO: Monitor successfully loaded in process with pid 3192.
2019-08-13 22:56:43,049 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:43,049 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HRnqwoJUO\CAPE\1996_18535407564356514382019
2019-08-13 22:56:43,049 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:43,049 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,065 [root] INFO: Announced 64-bit process name: sc.exe pid: 3952
2019-08-13 22:56:43,065 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:43,079 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:43,079 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:43,079 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\1996_18535407564356514382019
2019-08-13 22:56:43,079 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:43,079 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:43,079 [root] DEBUG: DumpRegion: Dumped stack region from 0x04650000, size 0x2c000.
2019-08-13 22:56:43,095 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,095 [root] DEBUG: DLL unloaded from 0x74340000.
2019-08-13 22:56:43,095 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2972
2019-08-13 22:56:43,095 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:43,095 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 22:56:43,111 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:43,111 [root] DEBUG: Loader: Injecting process 3952 (thread 4016) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,111 [root] DEBUG: DLL unloaded from 0x74870000.
2019-08-13 22:56:43,111 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:43,111 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:43,111 [root] DEBUG: Process image base: 0x00000000FF160000
2019-08-13 22:56:43,111 [root] INFO: Notified of termination of process with pid 1996.
2019-08-13 22:56:43,127 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:43,127 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:43,127 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,127 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:43,142 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:43,142 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF16F000 - 0x000007FEFF430000
2019-08-13 22:56:43,142 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:43,142 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:43,142 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:43,142 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FF170000.
2019-08-13 22:56:43,157 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:43,157 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LR0HXJ2YFGQC75SFWAMA.temp" does not exist, skip.
2019-08-13 22:56:43,157 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3236
2019-08-13 22:56:43,157 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:43,157 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:43,190 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:43,204 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:43,204 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,204 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:43,220 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:43,236 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:43,236 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3952
2019-08-13 22:56:43,236 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:43,236 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:43,267 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2972 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000224000-0x0000000000320000
2019-08-13 22:56:43,267 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:43,282 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:43,282 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:43,282 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:43,282 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c sc delete WinDefend.
2019-08-13 22:56:43,282 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:43,299 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:43,313 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:43,313 [root] INFO: Added new process to list with pid: 2972
2019-08-13 22:56:43,313 [root] DEBUG: Loader: Injecting process 3236 (thread 3036) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,329 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:43,329 [root] INFO: Monitor successfully loaded in process with pid 2972.
2019-08-13 22:56:43,329 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:43,345 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:43,345 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:43,345 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:43,345 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,345 [root] DEBUG: DLL loaded at 0x000000001D0A0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:43,345 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:43,361 [root] INFO: Announced 64-bit process name: sc.exe pid: 1324
2019-08-13 22:56:43,361 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:43,361 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:43,361 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:43,361 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:43,361 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:43,361 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:43,361 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:43,377 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:43,377 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3952 at 0x0000000074460000, image base 0x00000000FF160000, stack from 0x0000000000185000-0x0000000000190000
2019-08-13 22:56:43,377 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:43,377 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,377 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\sc  stop WinDefend.
2019-08-13 22:56:43,391 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:43,391 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:43,391 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3236
2019-08-13 22:56:43,391 [root] INFO: Added new process to list with pid: 3952
2019-08-13 22:56:43,391 [root] DEBUG: Loader: Injecting process 1324 (thread 3320) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,391 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:43,391 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:43,391 [root] INFO: Monitor successfully loaded in process with pid 3952.
2019-08-13 22:56:43,391 [root] DEBUG: Process image base: 0x00000000FF160000
2019-08-13 22:56:43,407 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:43,407 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:43,407 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,407 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:43,407 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:43,407 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF16F000 - 0x000007FEFF430000
2019-08-13 22:56:43,424 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3952
2019-08-13 22:56:43,424 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:43,424 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FF170000.
2019-08-13 22:56:43,424 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:43,424 [root] DEBUG: GetHookCallerBase: thread 4016 (handle 0x0), return address 0x00000000FF16107F, allocation base 0x00000000FF160000.
2019-08-13 22:56:43,424 [root] DEBUG: DLL loaded at 0x73DA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:43,424 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:43,438 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:43,438 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF160000.
2019-08-13 22:56:43,438 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,454 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:43,454 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3524
2019-08-13 22:56:43,454 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF160000.
2019-08-13 22:56:43,454 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1324
2019-08-13 22:56:43,454 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:43,454 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 22:56:43,470 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:43,470 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:43,470 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3236 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000154000-0x0000000000250000
2019-08-13 22:56:43,470 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:43,470 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 22:56:43,470 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:43,470 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 22:56:43,486 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:43,486 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:43,486 [root] INFO: Added new process to list with pid: 3236
2019-08-13 22:56:43,486 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:43,486 [root] DEBUG: Loader: Injecting process 3524 (thread 3540) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,486 [root] INFO: Monitor successfully loaded in process with pid 3236.
2019-08-13 22:56:43,502 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:43,502 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:43,502 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:43,502 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3952_537219872357514382019
2019-08-13 22:56:43,502 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,502 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:43,516 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3708
2019-08-13 22:56:43,516 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 22:56:43,516 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:43,516 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:43,516 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:43,532 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:43,532 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:43,532 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1324 at 0x0000000074460000, image base 0x00000000FF160000, stack from 0x0000000000275000-0x0000000000280000
2019-08-13 22:56:43,532 [root] INFO: Notified of termination of process with pid 3952.
2019-08-13 22:56:43,532 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:43,532 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:43,532 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:43,532 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\sc  delete WinDefend.
2019-08-13 22:56:43,548 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3192
2019-08-13 22:56:43,548 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:43,548 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,548 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:43,548 [root] INFO: Added new process to list with pid: 1324
2019-08-13 22:56:43,563 [root] DEBUG: GetHookCallerBase: thread 3188 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:43,563 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:43,563 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3524
2019-08-13 22:56:43,563 [root] INFO: Monitor successfully loaded in process with pid 1324.
2019-08-13 22:56:43,563 [root] DEBUG: Loader: Injecting process 3708 (thread 3668) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,579 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:43,579 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:43,579 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:43,579 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:43,595 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:43,595 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1324
2019-08-13 22:56:43,595 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:43,595 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:43,595 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:43,611 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:43,611 [root] DEBUG: GetHookCallerBase: thread 3320 (handle 0x0), return address 0x00000000FF16107F, allocation base 0x00000000FF160000.
2019-08-13 22:56:43,611 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,611 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:43,611 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:43,611 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:43,625 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF160000.
2019-08-13 22:56:43,625 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:43,625 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:43,641 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:43,641 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:43,641 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF160000.
2019-08-13 22:56:43,657 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:43,657 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:43,657 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:43,657 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:43,657 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 22:56:43,657 [root] INFO: Announced 64-bit process name: cmd.exe pid: 512
2019-08-13 22:56:43,673 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:43,673 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,673 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 22:56:43,673 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3192_15386997224356514382019
2019-08-13 22:56:43,673 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3708
2019-08-13 22:56:43,673 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:43,673 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:43,673 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:43,688 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:43,688 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3524 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000064000-0x0000000000160000
2019-08-13 22:56:43,688 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:43,688 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:43,688 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:43,703 [root] INFO: Notified of termination of process with pid 3192.
2019-08-13 22:56:43,703 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\1324_1065757757357514382019
2019-08-13 22:56:43,703 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 22:56:43,703 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:43,703 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:43,703 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:43,720 [root] INFO: Added new process to list with pid: 3524
2019-08-13 22:56:43,720 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 22:56:43,720 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:43,720 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:43,720 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:43,720 [root] DEBUG: Loader: Injecting process 512 (thread 2328) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,736 [root] INFO: Monitor successfully loaded in process with pid 3524.
2019-08-13 22:56:43,736 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:43,736 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:43,736 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:43,736 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:43,750 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:43,750 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:43,750 [root] INFO: Notified of termination of process with pid 1324.
2019-08-13 22:56:43,750 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:43,750 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:43,766 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:43,766 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,766 [root] INFO: Announced 64-bit process name: powershell.exe pid: 336
2019-08-13 22:56:43,782 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2972
2019-08-13 22:56:43,782 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:43,782 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3708 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x00000000000C5000-0x00000000000D0000
2019-08-13 22:56:43,782 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:43,782 [root] DEBUG: GetHookCallerBase: thread 3908 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:43,782 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:43,782 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:43,798 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:43,798 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 22:56:43,798 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:43,798 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:43,798 [root] INFO: Added new process to list with pid: 3708
2019-08-13 22:56:43,798 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,813 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:43,813 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:43,813 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:43,813 [root] INFO: Monitor successfully loaded in process with pid 3708.
2019-08-13 22:56:43,813 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 512
2019-08-13 22:56:43,813 [root] DEBUG: Loader: Injecting process 336 (thread 1576) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,828 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:43,828 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:43,828 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:43,828 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:43,828 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:43,845 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:43,845 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:43,845 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:43,859 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,859 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:43,859 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:43,859 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2972_13374467504356514382019
2019-08-13 22:56:43,859 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:43,875 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:43,875 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BXC0XRJS7ZBHTVVO1COD.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\BXC0XRJS7ZBHTVVO1COD.temp'
2019-08-13 22:56:43,875 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:43,875 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:43,875 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:43,907 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:43,907 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BXC0XRJS7ZBHTVVO1COD.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\BXC0XRJS7ZBHTVVO1COD.temp'
2019-08-13 22:56:43,923 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:43,923 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:43,923 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:43,923 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:43,923 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:43,923 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:43,937 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:43,937 [root] DEBUG: DLL loaded at 0x73DA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:43,937 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:43,937 [root] INFO: Notified of termination of process with pid 2972.
2019-08-13 22:56:43,937 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:43,937 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BXC0XRJS7ZBHTVVO1COD.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\BXC0XRJS7ZBHTVVO1COD.temp'
2019-08-13 22:56:43,953 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:43,953 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:43,953 [root] INFO: Announced 64-bit process name: cmd.exe pid: 804
2019-08-13 22:56:43,970 [root] INFO: Process with pid 1996 has terminated
2019-08-13 22:56:43,970 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 336
2019-08-13 22:56:43,970 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:43,970 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e5465d.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e5465d.TMP'
2019-08-13 22:56:43,970 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:43,970 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:43,984 [root] INFO: Process with pid 2652 has terminated
2019-08-13 22:56:43,984 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:43,984 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:43,984 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 512 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000044000-0x0000000000140000
2019-08-13 22:56:44,000 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:44,000 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:44,000 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:44,000 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:44,000 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:44,000 [root] INFO: Process with pid 3192 has terminated
2019-08-13 22:56:44,000 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 22:56:44,000 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:44,016 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BXC0XRJS7ZBHTVVO1COD.temp" does not exist, skip.
2019-08-13 22:56:44,016 [root] INFO: Process with pid 3952 has terminated
2019-08-13 22:56:44,032 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:44,032 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:44,032 [root] INFO: Added new process to list with pid: 512
2019-08-13 22:56:44,032 [root] INFO: Process with pid 1324 has terminated
2019-08-13 22:56:44,032 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:44,032 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:44,048 [root] DEBUG: Loader: Injecting process 804 (thread 2828) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:44,048 [root] INFO: Monitor successfully loaded in process with pid 512.
2019-08-13 22:56:44,048 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:44,048 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:44,062 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:44,062 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BXC0XRJS7ZBHTVVO1COD.temp" does not exist, skip.
2019-08-13 22:56:44,062 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:44,078 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:44,078 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:44,078 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:44,109 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:44,125 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:44,125 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:44,125 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:44,125 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3724
2019-08-13 22:56:44,125 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:44,125 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:44,141 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:44,141 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:44,219 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:44,219 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 336 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x00000000000E5000-0x00000000000F0000
2019-08-13 22:56:44,266 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:44,266 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:44,266 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:44,282 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 22:56:44,296 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:44,296 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:44,296 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:44,296 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:44,296 [root] INFO: Added new process to list with pid: 336
2019-08-13 22:56:44,296 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:44,312 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:44,312 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:44,375 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:44,375 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:44,375 [root] DEBUG: Loader: Injecting process 3724 (thread 3616) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:44,375 [root] INFO: Monitor successfully loaded in process with pid 336.
2019-08-13 22:56:44,391 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:44,405 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:44,405 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 804
2019-08-13 22:56:44,421 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:44,421 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:44,421 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:44,421 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:44,437 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:44,437 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:44,437 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:44,437 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:44,437 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2644
2019-08-13 22:56:44,437 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:44,453 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:44,469 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:44,469 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:44,469 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:44,469 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:44,483 [root] DEBUG: GetHookCallerBase: thread 2148 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:44,483 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:44,483 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:44,500 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:44,500 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:44,500 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:44,500 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:44,500 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:44,516 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:44,516 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:44,516 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:44,516 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:44,516 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:44,530 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:44,530 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:44,530 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:44,546 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:44,546 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:44,546 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:44,546 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:44,546 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:44,562 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:44,562 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:44,562 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:44,578 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:44,578 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1936
2019-08-13 22:56:44,594 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3724
2019-08-13 22:56:44,594 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:44,594 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:44,594 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:44,608 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:44,608 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:44,608 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:44,608 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 804 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000194000-0x0000000000290000
2019-08-13 22:56:44,608 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:44,625 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2644_1216560145411614382019
2019-08-13 22:56:44,625 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:44,625 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:44,625 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 22:56:44,625 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:44,640 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:44,655 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:44,655 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:44,655 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:44,655 [root] INFO: Added new process to list with pid: 804
2019-08-13 22:56:44,655 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:44,671 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:44,671 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:44,671 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:44,671 [root] DEBUG: Loader: Injecting process 1936 (thread 576) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:44,671 [root] INFO: Monitor successfully loaded in process with pid 804.
2019-08-13 22:56:44,687 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:44,687 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:44,687 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:44,687 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:44,687 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:44,703 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:44,703 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:44,703 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:44,703 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:44,703 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:44,703 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:44,717 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3288
2019-08-13 22:56:44,717 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:44,750 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:44,750 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:44,750 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:44,750 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:44,796 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:44,874 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:44,890 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:44,890 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:44,905 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:44,905 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3724 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000206000-0x0000000000210000
2019-08-13 22:56:44,951 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:44,951 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:44,951 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:44,967 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:45,015 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:45,015 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:45,046 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:45,046 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 22:56:45,076 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:45,076 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7ACO07T29RTCOMGBG7L.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\W7ACO07T29RTCOMGBG7L.temp'
2019-08-13 22:56:45,076 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:45,108 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:45,108 [root] INFO: Process with pid 1512 has terminated
2019-08-13 22:56:45,108 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:45,108 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:45,217 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7ACO07T29RTCOMGBG7L.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\W7ACO07T29RTCOMGBG7L.temp'
2019-08-13 22:56:45,217 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:45,217 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:45,217 [root] INFO: Added new process to list with pid: 3724
2019-08-13 22:56:45,217 [root] DEBUG: Loader: Injecting process 3288 (thread 2896) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:45,217 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:45,217 [root] INFO: Process with pid 2972 has terminated
2019-08-13 22:56:45,217 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:45,217 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:45,249 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:45,249 [root] INFO: Notified of termination of process with pid 2644.
2019-08-13 22:56:45,249 [root] INFO: Monitor successfully loaded in process with pid 3724.
2019-08-13 22:56:45,263 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:45,279 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1936
2019-08-13 22:56:45,311 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:45,326 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\568SF86C55F0HWYBSC7N.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\568SF86C55F0HWYBSC7N.temp'
2019-08-13 22:56:45,326 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:45,326 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:45,326 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7ACO07T29RTCOMGBG7L.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\W7ACO07T29RTCOMGBG7L.temp'
2019-08-13 22:56:45,326 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:45,342 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2116
2019-08-13 22:56:45,342 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:45,342 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:45,358 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:45,358 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:45,358 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:45,358 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\568SF86C55F0HWYBSC7N.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\568SF86C55F0HWYBSC7N.temp'
2019-08-13 22:56:45,358 [root] DEBUG: DLL loaded at 0x000000001CF10000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:45,404 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e54bb9.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e54bb9.TMP'
2019-08-13 22:56:45,404 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:45,404 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:45,404 [root] DEBUG: GetHookCallerBase: thread 2108 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:45,404 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:45,404 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:45,404 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:45,420 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:45,420 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:45,420 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:45,436 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:45,436 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:45,436 [root] DEBUG: DLL loaded at 0x000000001CFF0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:45,436 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:45,436 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:45,436 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:45,436 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:45,436 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:45,451 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:45,451 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\568SF86C55F0HWYBSC7N.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\568SF86C55F0HWYBSC7N.temp'
2019-08-13 22:56:45,451 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7ACO07T29RTCOMGBG7L.temp" does not exist, skip.
2019-08-13 22:56:45,467 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:45,467 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:45,467 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:45,467 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:45,467 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:45,483 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:45,483 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:45,497 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:45,497 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e54c46.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e54c46.TMP'
2019-08-13 22:56:45,497 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:45,497 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:45,513 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:45,513 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:45,513 [root] DEBUG: DLL loaded at 0x73DA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:45,513 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:45,513 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:45,529 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:45,529 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:45,529 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:45,529 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:45,529 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:45,545 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:45,545 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1516
2019-08-13 22:56:45,545 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3288
2019-08-13 22:56:45,545 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:45,545 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:45,561 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7ACO07T29RTCOMGBG7L.temp" does not exist, skip.
2019-08-13 22:56:45,561 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\568SF86C55F0HWYBSC7N.temp" does not exist, skip.
2019-08-13 22:56:45,561 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:45,561 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:45,608 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:45,608 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:45,608 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:45,608 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1936 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x00000000000A4000-0x00000000001A0000
2019-08-13 22:56:45,622 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:45,622 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:45,638 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:45,638 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:45,638 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:45,638 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2116_11073894024556514382019
2019-08-13 22:56:45,638 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:45,638 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 22:56:45,654 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:45,654 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\568SF86C55F0HWYBSC7N.temp" does not exist, skip.
2019-08-13 22:56:45,654 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:45,670 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:45,670 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:45,670 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:45,670 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:45,686 [root] INFO: Added new process to list with pid: 1936
2019-08-13 22:56:45,686 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:45,686 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:45,700 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:45,717 [root] DEBUG: Loader: Injecting process 1516 (thread 3940) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:45,717 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:45,717 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:45,717 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:45,717 [root] INFO: Monitor successfully loaded in process with pid 1936.
2019-08-13 22:56:45,717 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:45,747 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:45,747 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:45,747 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:45,747 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:45,747 [root] INFO: Notified of termination of process with pid 2116.
2019-08-13 22:56:45,763 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:45,763 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:45,763 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:45,779 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:45,779 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:45,779 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:45,779 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:45,795 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:45,809 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3288 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000135000-0x0000000000140000
2019-08-13 22:56:45,809 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:45,809 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:45,809 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2964
2019-08-13 22:56:45,809 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:45,825 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:45,825 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:45,825 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:45,842 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 22:56:45,842 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:45,857 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:45,857 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:45,857 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:45,857 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:45,857 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:45,872 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:45,872 [root] INFO: Added new process to list with pid: 3288
2019-08-13 22:56:45,934 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:45,950 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:45,982 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:45,982 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:45,997 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:45,997 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:46,029 [root] INFO: Monitor successfully loaded in process with pid 3288.
2019-08-13 22:56:46,029 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:46,043 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:46,075 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:46,075 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:46,216 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:46,216 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:46,232 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:46,232 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:46,232 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1516
2019-08-13 22:56:46,246 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2880
2019-08-13 22:56:46,246 [root] DEBUG: Loader: Injecting process 2964 (thread 2952) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:46,278 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:46,278 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:46,278 [root] DEBUG: DLL loaded at 0x000000001CF70000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:46,278 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:46,293 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:46,293 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:46,309 [root] DEBUG: GetHookCallerBase: thread 2620 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:46,309 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:46,325 [root] INFO: Process with pid 2284 has terminated
2019-08-13 22:56:46,341 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:46,341 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:46,341 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1360
2019-08-13 22:56:46,341 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:46,355 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:46,355 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:46,355 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:46,355 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:46,355 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:46,355 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:46,355 [root] INFO: Process with pid 2644 has terminated
2019-08-13 22:56:46,371 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:46,371 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:46,371 [root] DEBUG: GetHookCallerBase: thread 2916 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:46,371 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:46,388 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:46,388 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:46,403 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:46,403 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:46,403 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:46,418 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:46,418 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:46,418 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:46,418 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:46,434 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:46,434 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:46,434 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:46,450 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:46,450 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:46,450 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:46,450 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:46,466 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:46,466 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:46,466 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:46,480 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:46,480 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:46,480 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:46,480 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:46,496 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:46,496 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1516 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000184000-0x0000000000280000
2019-08-13 22:56:46,496 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2880_1750123526657514382019
2019-08-13 22:56:46,512 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 22:56:46,512 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:46,512 [root] INFO: Added new process to list with pid: 1516
2019-08-13 22:56:46,512 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\1360_1846932871657514382019
2019-08-13 22:56:46,512 [root] INFO: Monitor successfully loaded in process with pid 1516.
2019-08-13 22:56:46,528 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:46,528 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:46,528 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:46,543 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:46,543 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:46,589 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2964
2019-08-13 22:56:46,589 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:46,589 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:46,589 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:46,589 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:46,589 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:46,589 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:47,121 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:47,151 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:47,167 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:47,183 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:47,183 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:47,183 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:47,183 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:47,183 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:47,183 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:47,183 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3244
2019-08-13 22:56:47,183 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:47,198 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:47,198 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:47,198 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3128
2019-08-13 22:56:47,198 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:47,213 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:47,213 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:47,230 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:47,230 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:47,230 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:47,230 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:47,230 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:47,246 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:47,246 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:47,260 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:47,260 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:47,276 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:47,276 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:47,276 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:47,292 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:47,292 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:47,292 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:47,308 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:47,308 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2876
2019-08-13 22:56:47,308 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:47,308 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:47,355 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:47,355 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:47,369 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:47,369 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:47,385 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:47,385 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:47,385 [root] DEBUG: GetHookCallerBase: thread 2672 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:47,385 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:47,385 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:47,385 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:47,401 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:47,401 [root] INFO: Notified of termination of process with pid 2880.
2019-08-13 22:56:47,401 [root] DEBUG: Loader: Injecting process 3244 (thread 2900) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:47,417 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:47,433 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:47,433 [root] DEBUG: Loader: Injecting process 3128 (thread 3168) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:47,433 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:47,433 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GVX7Y73XN25VJNAA98WZ.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GVX7Y73XN25VJNAA98WZ.temp'
2019-08-13 22:56:47,433 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:47,433 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:47,447 [root] INFO: Notified of termination of process with pid 1360.
2019-08-13 22:56:47,447 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3056
2019-08-13 22:56:47,447 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:47,463 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:47,463 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:47,463 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:47,463 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:47,480 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:47,480 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GVX7Y73XN25VJNAA98WZ.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GVX7Y73XN25VJNAA98WZ.temp'
2019-08-13 22:56:47,480 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2964 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000235000-0x0000000000240000
2019-08-13 22:56:47,526 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:47,526 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:47,542 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2976
2019-08-13 22:56:47,542 [root] DEBUG: GetHookCallerBase: thread 624 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:47,542 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:47,542 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:47,558 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:47,558 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:47,572 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:47,572 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:47,572 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:47,572 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 22:56:47,604 [root] DEBUG: GetHookCallerBase: thread 2980 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:47,619 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:47,619 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:47,651 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:47,667 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:47,667 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:47,667 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GVX7Y73XN25VJNAA98WZ.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GVX7Y73XN25VJNAA98WZ.temp'
2019-08-13 22:56:47,681 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:47,681 [root] INFO: Added new process to list with pid: 2964
2019-08-13 22:56:47,681 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HE4KHS049ZTNKGEPJTQG.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\HE4KHS049ZTNKGEPJTQG.temp'
2019-08-13 22:56:47,697 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:47,713 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:47,822 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:47,822 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:47,838 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2876_1260011903757514382019
2019-08-13 22:56:47,838 [root] INFO: Monitor successfully loaded in process with pid 2964.
2019-08-13 22:56:47,838 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:47,838 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1f2e97d.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1f2e97d.TMP'
2019-08-13 22:56:47,838 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:47,838 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:47,854 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:47,854 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:47,854 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HE4KHS049ZTNKGEPJTQG.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\HE4KHS049ZTNKGEPJTQG.temp'
2019-08-13 22:56:47,854 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:47,854 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:47,869 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:47,869 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:47,884 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:47,884 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:47,901 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:47,901 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:47,915 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:47,915 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:47,915 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:47,931 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:47,931 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:47,931 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:47,931 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GVX7Y73XN25VJNAA98WZ.temp" does not exist, skip.
2019-08-13 22:56:47,931 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3128
2019-08-13 22:56:47,947 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:47,947 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3244
2019-08-13 22:56:47,963 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HE4KHS049ZTNKGEPJTQG.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\HE4KHS049ZTNKGEPJTQG.temp'
2019-08-13 22:56:47,963 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:47,979 [root] DEBUG: DLL loaded at 0x000000001D100000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:47,979 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3056_17241624164756514382019
2019-08-13 22:56:47,979 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:47,979 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 22:56:47,993 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:47,993 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:47,993 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:48,009 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:48,009 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:48,009 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:48,026 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:48,056 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:48,056 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:48,056 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 22:56:48,056 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:48,056 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GVX7Y73XN25VJNAA98WZ.temp" does not exist, skip.
2019-08-13 22:56:48,072 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:48,072 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:48,072 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:48,072 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:48,072 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:48,072 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:48,072 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:48,072 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:48,088 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:48,088 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:48,088 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:48,088 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:48,104 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:48,104 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:48,118 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:48,118 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:48,118 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HE4KHS049ZTNKGEPJTQG.temp" does not exist, skip.
2019-08-13 22:56:48,118 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:48,118 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:48,118 [root] INFO: Notified of termination of process with pid 3056.
2019-08-13 22:56:48,134 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:48,134 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:48,150 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:48,150 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:48,150 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:48,150 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:48,150 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:48,165 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:48,165 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:48,165 [root] INFO: Notified of termination of process with pid 2976.
2019-08-13 22:56:48,181 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\878VPN8Q8UVT5TUJDOM0.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\878VPN8Q8UVT5TUJDOM0.temp'
2019-08-13 22:56:48,181 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:48,197 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:48,197 [root] DEBUG: DLL loaded at 0x73DA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:48,197 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:48,197 [root] DEBUG: DLL loaded at 0x000000001D0B0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:48,197 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:48,197 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:48,213 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:48,213 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\878VPN8Q8UVT5TUJDOM0.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\878VPN8Q8UVT5TUJDOM0.temp'
2019-08-13 22:56:48,243 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:48,243 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:48,243 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:48,243 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2740
2019-08-13 22:56:48,259 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:48,259 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:48,259 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:48,259 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:48,275 [root] INFO: Notified of termination of process with pid 2876.
2019-08-13 22:56:48,275 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:48,275 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:48,275 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:48,275 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:48,290 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3244 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000175000-0x0000000000180000
2019-08-13 22:56:48,290 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:48,290 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3128 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000144000-0x0000000000240000
2019-08-13 22:56:48,305 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:48,322 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\878VPN8Q8UVT5TUJDOM0.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\878VPN8Q8UVT5TUJDOM0.temp'
2019-08-13 22:56:48,322 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 22:56:48,322 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2920
2019-08-13 22:56:48,322 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:48,322 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:48,322 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:48,322 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:48,322 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 22:56:48,322 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:48,338 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 22:56:48,338 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:48,338 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:48,338 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e5575d.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e5575d.TMP'
2019-08-13 22:56:48,352 [root] DEBUG: GetHookCallerBase: thread 2856 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:48,352 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:48,368 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:48,368 [root] INFO: Added new process to list with pid: 3244
2019-08-13 22:56:48,384 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:48,384 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:48,821 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:49,164 [root] INFO: Monitor successfully loaded in process with pid 3244.
2019-08-13 22:56:49,164 [root] INFO: Added new process to list with pid: 3128
2019-08-13 22:56:49,180 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:49,180 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:49,180 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:49,180 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:49,180 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:49,180 [root] INFO: Monitor successfully loaded in process with pid 3128.
2019-08-13 22:56:49,180 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:49,196 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:49,196 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:49,196 [root] DEBUG: Loader: Injecting process 2740 (thread 3248) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:49,196 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4060
2019-08-13 22:56:49,226 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\878VPN8Q8UVT5TUJDOM0.temp" does not exist, skip.
2019-08-13 22:56:49,242 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:49,242 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:49,242 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:49,289 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:49,289 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:49,289 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:49,289 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:49,289 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:49,289 [root] DEBUG: GetHookCallerBase: thread 4064 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:49,305 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:49,335 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:49,335 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 22:56:49,335 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:49,335 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:49,335 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3512
2019-08-13 22:56:49,367 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:49,367 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:49,367 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:49,382 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:49,398 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:49,398 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\878VPN8Q8UVT5TUJDOM0.temp" does not exist, skip.
2019-08-13 22:56:49,398 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:49,414 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:49,430 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:49,430 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:49,430 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:49,444 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:49,444 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:49,444 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:49,444 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:49,460 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:49,460 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3484
2019-08-13 22:56:49,460 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:49,460 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:49,476 [root] INFO: Process with pid 2116 has terminated
2019-08-13 22:56:49,476 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:49,476 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:49,492 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2920_1422237284956514382019
2019-08-13 22:56:49,492 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:49,492 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:49,492 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:49,492 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:49,492 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:49,492 [root] DEBUG: GetHookCallerBase: thread 3488 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:49,507 [root] INFO: Process with pid 3056 has terminated
2019-08-13 22:56:49,507 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:49,507 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:49,523 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:49,523 [root] DEBUG: Loader: Injecting process 3512 (thread 3740) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:49,539 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:49,539 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:49,539 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:49,553 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\4060_358627792957514382019
2019-08-13 22:56:49,553 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:49,553 [root] INFO: Process with pid 2880 has terminated
2019-08-13 22:56:49,553 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:49,569 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:49,569 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:49,569 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:49,569 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:49,569 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:49,585 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:49,585 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2740
2019-08-13 22:56:49,585 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:49,585 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:49,585 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:49,585 [root] INFO: Process with pid 2876 has terminated
2019-08-13 22:56:49,601 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:49,601 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:49,601 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:49,617 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:49,617 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:49,617 [root] INFO: Notified of termination of process with pid 2920.
2019-08-13 22:56:49,617 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:49,631 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:49,631 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:49,631 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:49,648 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:49,648 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:49,648 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:49,664 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:49,678 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:49,678 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:49,678 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:49,678 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:49,678 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:49,694 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:49,694 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:49,694 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:49,694 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:49,710 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:49,710 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:49,726 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:49,726 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:49,726 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:49,726 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:49,742 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:49,742 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:49,742 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:49,742 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3484_374762242957514382019
2019-08-13 22:56:49,756 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:49,756 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:49,756 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:49,756 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:49,773 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:49,773 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:49,773 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:49,773 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:49,788 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:49,788 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:49,788 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:49,803 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:49,803 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:49,803 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:49,819 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:49,819 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:49,819 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:49,819 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:49,835 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:49,851 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:49,851 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:49,851 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:49,851 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:49,851 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3512
2019-08-13 22:56:49,851 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:49,865 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3912
2019-08-13 22:56:49,865 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:49,865 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:49,865 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:49,881 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:49,898 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:49,913 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:49,928 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:49,928 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:49,928 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:49,928 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:49,944 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:49,944 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:49,960 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:49,960 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2740 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000054000-0x0000000000150000
2019-08-13 22:56:49,960 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:49,960 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:49,990 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:49,990 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:49,990 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:50,006 [root] INFO: Notified of termination of process with pid 4060.
2019-08-13 22:56:50,006 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:50,006 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:50,022 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 22:56:50,038 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:50,038 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:50,038 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:50,053 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:50,053 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:50,069 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3292
2019-08-13 22:56:50,069 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:50,069 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:50,069 [root] INFO: Added new process to list with pid: 2740
2019-08-13 22:56:50,099 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:50,099 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:50,099 [root] DEBUG: Loader: Injecting process 3912 (thread 904) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:50,099 [root] DEBUG: GetHookCallerBase: thread 3296 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:50,115 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:50,115 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:50,115 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:50,115 [root] INFO: Monitor successfully loaded in process with pid 2740.
2019-08-13 22:56:50,115 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:50,131 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:50,131 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:50,131 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:50,131 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:50,131 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:50,177 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:50,177 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:50,194 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:50,194 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:50,194 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:50,210 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:50,210 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:50,210 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:50,224 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:50,224 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:50,224 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:50,256 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3980
2019-08-13 22:56:50,256 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3512 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000155000-0x0000000000160000
2019-08-13 22:56:50,272 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:50,272 [root] INFO: Notified of termination of process with pid 3484.
2019-08-13 22:56:50,288 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:50,288 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:50,302 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:50,334 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:50,334 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:50,334 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 22:56:50,334 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:50,349 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:50,349 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2772
2019-08-13 22:56:50,365 [root] DEBUG: DLL loaded at 0x000000001D120000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:50,365 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:50,365 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:50,365 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:50,381 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:50,381 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:50,381 [root] INFO: Added new process to list with pid: 3512
2019-08-13 22:56:50,381 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:50,381 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:50,397 [root] DEBUG: GetHookCallerBase: thread 1856 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:50,397 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:50,427 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:50,427 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:50,427 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:50,444 [root] INFO: Monitor successfully loaded in process with pid 3512.
2019-08-13 22:56:50,444 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:50,459 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:50,459 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:50,459 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:50,459 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3292_144844325056514382019
2019-08-13 22:56:50,474 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:50,474 [root] DEBUG: DLL loaded at 0x000000001D070000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:50,490 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3912
2019-08-13 22:56:50,490 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:50,490 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZC22NI78CX6B1J2ZXT00.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZC22NI78CX6B1J2ZXT00.temp'
2019-08-13 22:56:50,490 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:50,490 [root] DEBUG: Loader: Injecting process 3980 (thread 3284) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:50,506 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:50,506 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:50,506 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:50,522 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:50,522 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:50,522 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:50,536 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:50,536 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:50,536 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZC22NI78CX6B1J2ZXT00.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZC22NI78CX6B1J2ZXT00.temp'
2019-08-13 22:56:50,536 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:50,536 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:50,552 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:50,552 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:50,552 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:50,568 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:50,568 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:50,584 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 22:56:50,584 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:50,584 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:50,584 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:50,584 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:50,599 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:50,599 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:50,599 [root] INFO: Notified of termination of process with pid 3292.
2019-08-13 22:56:50,599 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:50,615 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:50,615 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:50,615 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:50,631 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZC22NI78CX6B1J2ZXT00.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZC22NI78CX6B1J2ZXT00.temp'
2019-08-13 22:56:50,631 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:50,645 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:50,645 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:50,645 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:50,645 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:50,661 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:50,677 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:50,677 [root] INFO: Process with pid 2976 has terminated
2019-08-13 22:56:50,677 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:50,677 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 22:56:50,677 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1f2f511.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1f2f511.TMP'
2019-08-13 22:56:50,693 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2772_7467248645056514382019
2019-08-13 22:56:50,693 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:50,693 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:50,693 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:50,693 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:50,723 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 22:56:50,723 [root] INFO: Process with pid 2920 has terminated
2019-08-13 22:56:50,723 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:50,756 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:50,756 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:50,756 [root] DEBUG: DLL loaded at 0x73DA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 22:56:50,756 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:50,770 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:50,770 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:50,770 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:50,786 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:50,848 [root] INFO: Process with pid 3292 has terminated
2019-08-13 22:56:50,865 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:50,865 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:50,880 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZC22NI78CX6B1J2ZXT00.temp" does not exist, skip.
2019-08-13 22:56:50,880 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 22:56:50,880 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3220
2019-08-13 22:56:50,880 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:50,880 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3708
2019-08-13 22:56:50,895 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:50,895 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:50,895 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:50,895 [root] INFO: Process with pid 4060 has terminated
2019-08-13 22:56:50,911 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:50,927 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:50,957 [root] INFO: Notified of termination of process with pid 2772.
2019-08-13 22:56:50,957 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:50,957 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:50,957 [root] DEBUG: GetHookCallerBase: thread 3668 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:50,973 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3912 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x0000000000114000-0x0000000000210000
2019-08-13 22:56:50,973 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3980
2019-08-13 22:56:50,973 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 336
2019-08-13 22:56:50,973 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITC5VAJOHQKRPA9MO11A.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ITC5VAJOHQKRPA9MO11A.temp'
2019-08-13 22:56:50,990 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZC22NI78CX6B1J2ZXT00.temp" does not exist, skip.
2019-08-13 22:56:50,990 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:50,990 [root] DEBUG: DLL loaded at 0x000000001D140000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:51,005 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:51,005 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:51,020 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 22:56:51,020 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:51,020 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITC5VAJOHQKRPA9MO11A.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ITC5VAJOHQKRPA9MO11A.temp'
2019-08-13 22:56:51,036 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:51,036 [root] DEBUG: GetHookCallerBase: thread 1576 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:51,036 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:51,036 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:51,052 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:51,068 [root] INFO: Added new process to list with pid: 3912
2019-08-13 22:56:51,068 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:51,068 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:51,068 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:51,082 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:51,082 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:51,082 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:51,098 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:51,098 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:51,098 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:51,098 [root] INFO: Monitor successfully loaded in process with pid 3912.
2019-08-13 22:56:51,114 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:51,114 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITC5VAJOHQKRPA9MO11A.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ITC5VAJOHQKRPA9MO11A.temp'
2019-08-13 22:56:51,114 [root] DEBUG: Loader: Injecting process 3220 (thread 3456) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:51,130 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:51,130 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:51,130 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:51,145 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:51,161 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:51,161 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:51,161 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e56265.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e56265.TMP'
2019-08-13 22:56:51,161 [root] DEBUG: Process image base: 0x000000004A180000
2019-08-13 22:56:51,161 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:51,161 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:51,177 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:51,177 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:51,177 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3708_1454432788112614382019
2019-08-13 22:56:51,177 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:51,191 [root] INFO: Announced 64-bit process name: powershell.exe pid: 4028
2019-08-13 22:56:51,191 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:51,191 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:51,191 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:51,191 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:51,239 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:51,239 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:51,239 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:51,239 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:51,239 [root] DEBUG: DLL loaded at 0x000000001CE70000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:51,255 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:51,255 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:51,255 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:51,255 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\336_11725159681157514382019
2019-08-13 22:56:51,269 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITC5VAJOHQKRPA9MO11A.temp" does not exist, skip.
2019-08-13 22:56:51,269 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A1D9000 - 0x0000000077110000
2019-08-13 22:56:51,302 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:51,302 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 22:56:51,316 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:51,316 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3980 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000266000-0x0000000000270000
2019-08-13 22:56:51,332 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:51,332 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:51,332 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:51,348 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A1E0000.
2019-08-13 22:56:51,348 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:51,394 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:51,411 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:51,411 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 22:56:51,411 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:51,411 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3724
2019-08-13 22:56:51,426 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:51,426 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:51,426 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:51,426 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITC5VAJOHQKRPA9MO11A.temp" does not exist, skip.
2019-08-13 22:56:51,426 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:51,441 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:51,441 [root] INFO: Added new process to list with pid: 3980
2019-08-13 22:56:51,441 [root] DEBUG: Loader: Injecting process 4028 (thread 1704) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:51,489 [root] DEBUG: GetHookCallerBase: thread 3616 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:51,489 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:51,489 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:51,489 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:51,503 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:51,503 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:51,503 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:51,503 [root] INFO: Monitor successfully loaded in process with pid 3980.
2019-08-13 22:56:51,519 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:51,519 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:51,519 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:51,519 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:51,536 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:51,536 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3220
2019-08-13 22:56:51,536 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:51,536 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:51,582 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:51,582 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:51,598 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:51,598 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:51,598 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:51,598 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:51,598 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:51,598 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 22:56:51,614 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:51,614 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:51,614 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:51,614 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:51,628 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:51,628 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:51,628 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:51,628 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:51,628 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:51,644 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 22:56:51,644 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:51,644 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:51,644 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:51,660 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:51,660 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:51,676 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:51,676 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:51,691 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:51,707 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 22:56:51,707 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:51,723 [root] INFO: Notified of termination of process with pid 3708.
2019-08-13 22:56:51,723 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:51,737 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:51,737 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3724_12951723601157514382019
2019-08-13 22:56:51,737 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:51,737 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3288
2019-08-13 22:56:51,753 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:51,753 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:51,753 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:51,753 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2204
2019-08-13 22:56:51,769 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:51,769 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3236
2019-08-13 22:56:51,769 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:51,785 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:51,785 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:51,785 [root] DEBUG: GetHookCallerBase: thread 2896 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:51,801 [root] INFO: Notified of termination of process with pid 336.
2019-08-13 22:56:51,801 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:51,801 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:51,801 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:51,801 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:51,801 [root] DEBUG: GetHookCallerBase: thread 3036 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:51,815 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:51,815 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4028
2019-08-13 22:56:51,815 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:51,815 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:51,832 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3524
2019-08-13 22:56:51,848 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:51,848 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:51,848 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:51,848 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:51,848 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:51,848 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:51,862 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:51,862 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:51,862 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:51,878 [root] DEBUG: GetHookCallerBase: thread 3540 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:51,878 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:51,894 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:51,894 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:51,894 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:51,894 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:51,894 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3220 at 0x0000000074460000, image base 0x000000004A180000, stack from 0x00000000000F4000-0x00000000001F0000
2019-08-13 22:56:51,894 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:51,894 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:51,910 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:51,910 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:51,910 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:51,910 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:51,926 [root] DEBUG: Loader: Injecting process 2204 (thread 2612) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:51,926 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:51,926 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:51,926 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableScriptScanning $true.
2019-08-13 22:56:51,940 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:51,940 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:51,957 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:51,957 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:51,957 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:51,957 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:51,957 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:51,971 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-08-13 22:56:51,971 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:51,971 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:51,987 [root] INFO: Added new process to list with pid: 3220
2019-08-13 22:56:51,987 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3288_15746338391157514382019
2019-08-13 22:56:51,987 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:52,003 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:52,003 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:52,003 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:52,003 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:52,019 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:52,019 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:52,019 [root] INFO: Monitor successfully loaded in process with pid 3220.
2019-08-13 22:56:52,035 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:52,035 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:52,035 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:52,035 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:52,035 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3236_9825955555156514382019
2019-08-13 22:56:52,049 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:52,049 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:52,049 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFA1B000 - 0x000007FEFF430000
2019-08-13 22:56:52,065 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:52,065 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 22:56:52,082 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:52,082 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:52,082 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:52,096 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:52,096 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:52,112 [root] DEBUG: InjectDllViaIAT: Allocated 0x20c bytes for new import table at 0x00000000FFA20000.
2019-08-13 22:56:52,128 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3276
2019-08-13 22:56:52,128 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:52,128 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:52,128 [root] INFO: Notified of termination of process with pid 3724.
2019-08-13 22:56:52,128 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3524_6454085295256514382019
2019-08-13 22:56:52,128 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:52,128 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:52,144 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:52,144 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 4028 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000175000-0x0000000000180000
2019-08-13 22:56:52,144 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:52,144 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:52,160 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:52,160 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:52,160 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 512
2019-08-13 22:56:52,174 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:52,174 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:52,190 [root] INFO: Notified of termination of process with pid 3236.
2019-08-13 22:56:52,190 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 22:56:52,206 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:52,206 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:52,221 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:52,221 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:52,221 [root] DEBUG: GetHookCallerBase: thread 2328 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:52,237 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JFDTKU760BB5BS25O4B.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7JFDTKU760BB5BS25O4B.temp'
2019-08-13 22:56:52,237 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:52,237 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:52,237 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2204
2019-08-13 22:56:52,237 [root] INFO: Added new process to list with pid: 4028
2019-08-13 22:56:52,253 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:52,315 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:52,331 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:52,331 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JFDTKU760BB5BS25O4B.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7JFDTKU760BB5BS25O4B.temp'
2019-08-13 22:56:52,331 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:52,346 [root] INFO: Monitor successfully loaded in process with pid 4028.
2019-08-13 22:56:52,361 [root] INFO: Notified of termination of process with pid 3524.
2019-08-13 22:56:52,361 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:52,361 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:52,361 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:52,361 [root] DEBUG: Loader: Injecting process 3276 (thread 1856) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:52,378 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:52,378 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:52,378 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:52,378 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:52,394 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:52,408 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:52,408 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:52,408 [root] DEBUG: Process image base: 0x000000013FD00000
2019-08-13 22:56:52,408 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:52,424 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:52,424 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JFDTKU760BB5BS25O4B.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7JFDTKU760BB5BS25O4B.temp'
2019-08-13 22:56:52,424 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:52,424 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:52,440 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:52,440 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:52,440 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:52,456 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:52,456 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:52,456 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:52,456 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e56773.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e56773.TMP'
2019-08-13 22:56:52,456 [root] INFO: Notified of termination of process with pid 3288.
2019-08-13 22:56:52,471 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:52,486 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:52,486 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:52,486 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD77000 - 0x000007FEFF430000
2019-08-13 22:56:52,503 [root] DEBUG: DLL loaded at 0x000000001CFF0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:52,517 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:52,533 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 804
2019-08-13 22:56:52,533 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:52,533 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:52,549 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FD80000.
2019-08-13 22:56:52,549 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:52,549 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\512_1373836485256514382019
2019-08-13 22:56:52,549 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:52,565 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JFDTKU760BB5BS25O4B.temp" does not exist, skip.
2019-08-13 22:56:52,565 [root] DEBUG: GetHookCallerBase: thread 2828 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:52,565 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:52,581 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:52,581 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:56:52,581 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:52,595 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:52,595 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:52,611 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:52,611 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:52,611 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:52,611 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2204 at 0x0000000074460000, image base 0x00000000FFA10000, stack from 0x0000000000225000-0x0000000000230000
2019-08-13 22:56:52,628 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:52,628 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:52,642 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:52,642 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:52,642 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:52,642 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JFDTKU760BB5BS25O4B.temp" does not exist, skip.
2019-08-13 22:56:52,658 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe.
2019-08-13 22:56:52,658 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3276
2019-08-13 22:56:52,658 [root] INFO: Notified of termination of process with pid 512.
2019-08-13 22:56:52,658 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:52,658 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:52,674 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:52,674 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:52,674 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:52,690 [root] INFO: Added new process to list with pid: 2204
2019-08-13 22:56:52,690 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:52,690 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:52,829 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:52,829 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:52,829 [root] INFO: Monitor successfully loaded in process with pid 2204.
2019-08-13 22:56:52,829 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:52,829 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:52,845 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:52,845 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:52,845 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:52,877 [root] DEBUG: set_caller_info: Adding region at 0x0000000010000000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 22:56:52,892 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:52,892 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:52,907 [root] DEBUG: DLL loaded at 0x000007FEEE2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:52,907 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:52,907 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:52,907 [root] DEBUG: set_caller_info: Adding region at 0x0000000000140000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 22:56:52,907 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\804_14140034945256514382019
2019-08-13 22:56:52,924 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:52,924 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:52,940 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:52,940 [root] DEBUG: DLL loaded at 0x000000001D0D0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:52,954 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:52,954 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:52,970 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:52,986 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2019-08-13 22:56:52,986 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:53,002 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:53,017 [root] INFO: Process with pid 1360 has terminated
2019-08-13 22:56:53,017 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:53,017 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:53,032 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:53,032 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:53,049 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:53,049 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2964
2019-08-13 22:56:53,049 [root] INFO: Process with pid 3484 has terminated
2019-08-13 22:56:53,049 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2019-08-13 22:56:53,049 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:53,063 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:53,063 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:56:53,079 [root] INFO: Notified of termination of process with pid 804.
2019-08-13 22:56:53,079 [root] DEBUG: GetHookCallerBase: thread 2952 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:53,079 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:53,079 [root] INFO: Process with pid 3236 has terminated
2019-08-13 22:56:53,095 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:53,095 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:53,095 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:53,111 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:53,111 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3276 at 0x0000000074460000, image base 0x000000013FD00000, stack from 0x0000000000155000-0x0000000000160000
2019-08-13 22:56:53,127 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:53,127 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVC8B6DD4Z82V0JM1ZK6.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TVC8B6DD4Z82V0JM1ZK6.temp'
2019-08-13 22:56:53,127 [root] INFO: Process with pid 3708 has terminated
2019-08-13 22:56:53,157 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:53,157 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:53,174 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-08-13 22:56:53,174 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:53,174 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableScriptScanning $true.
2019-08-13 22:56:53,174 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVC8B6DD4Z82V0JM1ZK6.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TVC8B6DD4Z82V0JM1ZK6.temp'
2019-08-13 22:56:53,174 [root] INFO: Process with pid 336 has terminated
2019-08-13 22:56:53,220 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:53,236 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:53,236 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:53,236 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:53,236 [root] INFO: Added new process to list with pid: 3276
2019-08-13 22:56:53,236 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:53,236 [root] INFO: Process with pid 3724 has terminated
2019-08-13 22:56:53,282 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:53,282 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:53,282 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:53,282 [root] INFO: Monitor successfully loaded in process with pid 3276.
2019-08-13 22:56:53,298 [root] INFO: Process with pid 3288 has terminated
2019-08-13 22:56:53,298 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVC8B6DD4Z82V0JM1ZK6.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TVC8B6DD4Z82V0JM1ZK6.temp'
2019-08-13 22:56:53,345 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:53,345 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:53,345 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2019-08-13 22:56:53,361 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2964_675729760312614382019
2019-08-13 22:56:53,361 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e56add.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e56add.TMP'
2019-08-13 22:56:53,375 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:53,375 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3244
2019-08-13 22:56:53,375 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:53,375 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2019-08-13 22:56:53,375 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:53,391 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:53,391 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:53,391 [root] DEBUG: GetHookCallerBase: thread 2900 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:53,391 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 22:56:53,407 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:53,407 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVC8B6DD4Z82V0JM1ZK6.temp" does not exist, skip.
2019-08-13 22:56:53,423 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:53,423 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:53,438 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:53,438 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 22:56:53,438 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:53,453 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:53,453 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:53,453 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:53,453 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:53,470 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 22:56:53,470 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:53,470 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:53,486 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:53,486 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVC8B6DD4Z82V0JM1ZK6.temp" does not exist, skip.
2019-08-13 22:56:53,486 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:53,500 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:53,500 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 22:56:53,516 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:53,516 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-08-13 22:56:53,516 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:53,516 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:53,532 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:53,548 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2019-08-13 22:56:53,548 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 22:56:53,548 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:53,548 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:53,563 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:53,563 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:53,563 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3244_21364107801357514382019
2019-08-13 22:56:53,563 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2019-08-13 22:56:53,595 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 22:56:53,595 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:53,609 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:53,609 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:53,609 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:53,625 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:53,625 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 22:56:53,625 [root] DEBUG: set_caller_info: Adding region at 0x0000000000370000 to caller regions list (advapi32::LsaOpenPolicy).
2019-08-13 22:56:53,641 [root] INFO: Notified of termination of process with pid 2964.
2019-08-13 22:56:53,641 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:53,641 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:53,641 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:53,657 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:53,657 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:53,657 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 22:56:53,673 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1936
2019-08-13 22:56:53,673 [root] DEBUG: set_caller_info: Adding region at 0x00000000001B0000 to caller regions list (ntdll::NtOpenFile).
2019-08-13 22:56:53,687 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:53,687 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:53,687 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:53,687 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:56:53,703 [root] DEBUG: GetHookCallerBase: thread 576 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:53,703 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:56:53,720 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:53,720 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:53,720 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:53,720 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:56:53,734 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:53,734 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:53,734 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:53,750 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:53,750 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:53,766 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:53,766 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:53,766 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:53,782 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:53,782 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 22:56:53,782 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:53,782 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:53,798 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:53,907 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:53,969 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3872
2019-08-13 22:56:53,984 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:53,984 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RSAGP91BXRU5JRC7895N.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RSAGP91BXRU5JRC7895N.temp'
2019-08-13 22:56:53,984 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:54,000 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:54,000 [root] DEBUG: GetHookCallerBase: thread 3876 (handle 0x0), return address 0x01DA90EB, allocation base 0x01D80000.
2019-08-13 22:56:54,000 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:54,016 [root] INFO: Notified of termination of process with pid 3244.
2019-08-13 22:56:54,016 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RSAGP91BXRU5JRC7895N.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RSAGP91BXRU5JRC7895N.temp'
2019-08-13 22:56:54,032 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:54,032 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 22:56:54,046 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1516
2019-08-13 22:56:54,062 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:54,078 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 22:56:54,078 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:54,078 [root] DEBUG: DLL loaded at 0x000007FEED730000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:54,078 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RSAGP91BXRU5JRC7895N.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RSAGP91BXRU5JRC7895N.temp'
2019-08-13 22:56:54,078 [root] INFO: Stopped Task Scheduler Service
2019-08-13 22:56:54,078 [root] DEBUG: GetHookCallerBase: thread 3940 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:54,078 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 22:56:54,094 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\1936_599025745356514382019
2019-08-13 22:56:54,094 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:54,094 [root] DEBUG: DLL loaded at 0x000000001D070000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:54,094 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e56df9.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e56df9.TMP'
2019-08-13 22:56:54,109 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:54,125 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:54,125 [root] INFO: Started Task Scheduler Service
2019-08-13 22:56:54,125 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 22:56:54,141 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:54,141 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:54,141 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:54,141 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:54,155 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:54,155 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 22:56:54,171 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3872_9363664345456514382019
2019-08-13 22:56:54,171 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:56:54,171 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:54,187 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:54,187 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RSAGP91BXRU5JRC7895N.temp" does not exist, skip.
2019-08-13 22:56:54,187 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:54,203 [root] INFO: Notified of termination of process with pid 1936.
2019-08-13 22:56:54,203 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 22:56:54,219 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:56:54,203 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 22:56:54,219 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:54,233 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:54,233 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:54,233 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:54,250 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x01D80000.
2019-08-13 22:56:54,266 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:54,266 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:56:54,266 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:54,280 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RSAGP91BXRU5JRC7895N.temp" does not exist, skip.
2019-08-13 22:56:54,280 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HRnqwoJUO\CAPE\3872_370892425456514382019
2019-08-13 22:56:54,280 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 22:56:54,280 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:54,296 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:54,312 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:54,312 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\1516_20251866995456514382019
2019-08-13 22:56:54,328 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 22:56:54,328 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 820, handle 0x84
2019-08-13 22:56:54,328 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:54,344 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:54,344 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:54,344 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:54,375 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-08-13 22:56:54,375 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3872_370892425456514382019
2019-08-13 22:56:54,375 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:54,375 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:54,390 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:56:54,390 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:54,390 [root] INFO: Process with pid 2772 has terminated
2019-08-13 22:56:54,390 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-08-13 22:56:54,405 [root] DEBUG: DumpRegion: Dumped stack region from 0x01D80000, size 0x2c000.
2019-08-13 22:56:54,405 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:54,421 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:54,421 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:56:54,437 [root] INFO: Notified of termination of process with pid 1516.
2019-08-13 22:56:54,437 [root] INFO: Process with pid 3524 has terminated
2019-08-13 22:56:54,437 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-08-13 22:56:54,453 [root] DEBUG: DLL unloaded from 0x74340000.
2019-08-13 22:56:54,453 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3512
2019-08-13 22:56:54,453 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:54,467 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:54,467 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:54,467 [root] INFO: Process with pid 804 has terminated
2019-08-13 22:56:54,483 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:56:54,483 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 22:56:54,500 [root] DEBUG: GetHookCallerBase: thread 3740 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:54,515 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:54,515 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:54,515 [root] INFO: Process with pid 1516 has terminated
2019-08-13 22:56:54,515 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X40ZAOBT8PKZ8FRAPX37.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\X40ZAOBT8PKZ8FRAPX37.temp'
2019-08-13 22:56:54,530 [root] DEBUG: Process dumps enabled.
2019-08-13 22:56:54,530 [root] DEBUG: DLL unloaded from 0x74870000.
2019-08-13 22:56:54,546 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:54,546 [root] INFO: Process with pid 3244 has terminated
2019-08-13 22:56:54,546 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:54,562 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:54,562 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X40ZAOBT8PKZ8FRAPX37.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\X40ZAOBT8PKZ8FRAPX37.temp'
2019-08-13 22:56:54,578 [root] INFO: Disabling sleep skipping.
2019-08-13 22:56:54,578 [root] INFO: Notified of termination of process with pid 3872.
2019-08-13 22:56:54,578 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:54,592 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:54,608 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 22:56:54,608 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:56:54,608 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:54,671 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:54,671 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X40ZAOBT8PKZ8FRAPX37.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\X40ZAOBT8PKZ8FRAPX37.temp'
2019-08-13 22:56:54,671 [root] WARNING: Unable to hook LockResource
2019-08-13 22:56:54,687 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:54,701 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e5703a.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1e5703a.TMP'
2019-08-13 22:56:54,701 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 816 at 0x0000000074460000, image base 0x00000000FFA10000, stack from 0x00000000016B6000-0x00000000016C0000
2019-08-13 22:56:54,717 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:54,717 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:54,717 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 22:56:54,717 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3512_327878981457514382019
2019-08-13 22:56:54,717 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-08-13 22:56:54,733 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:54,765 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X40ZAOBT8PKZ8FRAPX37.temp" does not exist, skip.
2019-08-13 22:56:54,765 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:54,765 [root] DEBUG: DLL loaded at 0x000007FEED730000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:54,765 [root] INFO: Added new process to list with pid: 816
2019-08-13 22:56:54,779 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:54,796 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 22:56:54,796 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:54,796 [root] INFO: Monitor successfully loaded in process with pid 816.
2019-08-13 22:56:54,796 [root] DEBUG: DLL loaded at 0x000000001D090000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:54,812 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:54,812 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X40ZAOBT8PKZ8FRAPX37.temp" does not exist, skip.
2019-08-13 22:56:54,826 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:54,826 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 22:56:54,858 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:54,858 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 22:56:54,858 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:54,858 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:54,874 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 22:56:54,874 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:54,874 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 22:56:54,890 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:54,890 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:54,890 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:56:54,904 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:54,921 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:54,921 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:54,921 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 22:56:54,936 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:54,936 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:54,951 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:56:54,951 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 22:56:54,951 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:54,951 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:54,967 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 22:56:54,967 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:54,983 [root] INFO: Notified of termination of process with pid 3512.
2019-08-13 22:56:54,983 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:54,999 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 22:56:54,999 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:54,999 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3128
2019-08-13 22:56:55,013 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 22:56:55,013 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 22:56:55,013 [root] DEBUG: GetHookCallerBase: thread 3168 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:55,029 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:55,046 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 22:56:55,046 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:55,061 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:55,061 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 22:56:55,061 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3980
2019-08-13 22:56:55,061 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:55,076 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:55,076 [root] DEBUG: GetHookCallerBase: thread 3284 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:55,092 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 22:56:55,092 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:55,092 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:55,092 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:55,108 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 22:56:55,108 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:55,108 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:55,124 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 22:56:55,138 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 22:56:55,154 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:55,170 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3128_16050086645556514382019
2019-08-13 22:56:55,170 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 22:56:55,186 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 22:56:55,217 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 22:56:55,217 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:55,217 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3980_18522719531557514382019
2019-08-13 22:56:55,233 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:55,233 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:55,233 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 22:56:55,233 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:55,247 [root] INFO: Notified of termination of process with pid 3128.
2019-08-13 22:56:55,247 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 22:56:55,247 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:55,263 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 22:56:55,263 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:55,279 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:55,279 [root] DEBUG: DLL loaded at 0x000007FEED730000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:55,279 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 22:56:55,295 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:55,295 [root] DEBUG: DLL loaded at 0x000000001CEF0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:55,311 [root] DEBUG: DLL loaded at 0x000007FEEECA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 22:56:55,311 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:55,311 [root] DEBUG: DLL loaded at 0x000007FEEEB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 22:56:55,325 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:55,325 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:55,342 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 22:56:55,342 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:55,342 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:55,358 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:55,358 [root] INFO: Notified of termination of process with pid 3980.
2019-08-13 22:56:55,372 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:55,467 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2740
2019-08-13 22:56:55,467 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:55,482 [root] DEBUG: GetHookCallerBase: thread 3248 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:55,482 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 22:56:55,497 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 22:56:55,497 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:55,545 [root] DEBUG: DLL loaded at 0x000007FEED730000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 22:56:55,545 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:55,559 [root] DEBUG: DLL loaded at 0x000000001CFD0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 22:56:55,575 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4028
2019-08-13 22:56:55,575 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:55,575 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 22:56:55,592 [root] DEBUG: GetHookCallerBase: thread 1704 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:55,592 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:55,592 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 22:56:55,607 [root] INFO: Process with pid 3872 has terminated
2019-08-13 22:56:55,607 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:55,622 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 22:56:55,622 [root] INFO: Process with pid 1936 has terminated
2019-08-13 22:56:55,622 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:55,638 [root] INFO: Process with pid 3128 has terminated
2019-08-13 22:56:55,638 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 22:56:55,638 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:55,638 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2740_5528189925556514382019
2019-08-13 22:56:55,638 [root] INFO: Process with pid 3512 has terminated
2019-08-13 22:56:55,700 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 22:56:55,732 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:55,732 [root] INFO: Process with pid 3980 has terminated
2019-08-13 22:56:55,747 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 22:56:55,747 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:55,779 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\4028_20164416571557514382019
2019-08-13 22:56:55,779 [root] INFO: Notified of termination of process with pid 2740.
2019-08-13 22:56:55,793 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:55,793 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3276
2019-08-13 22:56:55,809 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:55,809 [root] DEBUG: GetHookCallerBase: thread 1856 (handle 0x0), return address 0x000000013FD0C504, allocation base 0x000000013FD00000.
2019-08-13 22:56:55,825 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:55,825 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD00000.
2019-08-13 22:56:55,825 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:55,841 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD00000.
2019-08-13 22:56:55,841 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:55,857 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 22:56:55,857 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:55,871 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:55,888 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:55,904 [root] INFO: Notified of termination of process with pid 4028.
2019-08-13 22:56:55,904 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3276_11664942941557514382019
2019-08-13 22:56:55,918 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3912
2019-08-13 22:56:55,918 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 22:56:55,934 [root] DEBUG: GetHookCallerBase: thread 904 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:55,934 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:56:55,950 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:55,950 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 22:56:55,950 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:55,966 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:56:55,966 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:55,982 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 22:56:55,982 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:55,996 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 22:56:56,013 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:56:56,013 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:56,028 [root] INFO: Notified of termination of process with pid 3276.
2019-08-13 22:56:56,028 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3912_2528671185556514382019
2019-08-13 22:56:56,043 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3220
2019-08-13 22:56:56,043 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:56,059 [root] DEBUG: GetHookCallerBase: thread 3456 (handle 0x0), return address 0x000000004A1887DD, allocation base 0x000000004A180000.
2019-08-13 22:56:56,075 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:56,075 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004A180000.
2019-08-13 22:56:56,075 [root] INFO: Notified of termination of process with pid 3912.
2019-08-13 22:56:56,091 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A180000.
2019-08-13 22:56:56,105 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 22:56:56,121 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 22:56:56,168 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\3220_11498404065656514382019
2019-08-13 22:56:56,184 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 22:56:56,184 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:56,200 [root] INFO: Notified of termination of process with pid 3220.
2019-08-13 22:56:56,776 [root] INFO: Process with pid 512 has terminated
2019-08-13 22:56:56,776 [root] INFO: Process with pid 2740 has terminated
2019-08-13 22:56:56,808 [root] INFO: Process with pid 3220 has terminated
2019-08-13 22:56:56,808 [root] INFO: Process with pid 3276 has terminated
2019-08-13 22:56:56,933 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:56:56,948 [root] DEBUG: DLL loaded at 0x000007FEFB140000: C:\Windows\system32\taskschd (0x127000 bytes).
2019-08-13 22:56:57,854 [root] INFO: Process with pid 2964 has terminated
2019-08-13 22:56:57,854 [root] INFO: Process with pid 4028 has terminated
2019-08-13 22:56:58,009 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF90B0000 to caller regions list (ntdll::NtWaitForSingleObject).
2019-08-13 22:56:58,523 [root] DEBUG: DLL unloaded from 0x000007FEFB140000.
2019-08-13 22:56:58,539 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2204
2019-08-13 22:56:58,555 [root] DEBUG: GetHookCallerBase: thread 2612 (handle 0x0), return address 0x00000000100175B8, allocation base 0x0000000010000000.
2019-08-13 22:56:58,571 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000010000000.
2019-08-13 22:56:58,571 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000010000000.
2019-08-13 22:56:58,586 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000010580.
2019-08-13 22:56:58,634 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2204_19210432631857514382019
2019-08-13 22:56:58,634 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1ba00.
2019-08-13 22:56:58,648 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:56:58,664 [root] INFO: Notified of termination of process with pid 2204.
2019-08-13 22:56:58,882 [root] INFO: Process with pid 3912 has terminated
2019-08-13 22:56:59,913 [root] INFO: Process with pid 2204 has terminated
2019-08-13 22:57:05,732 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF80F0000 to caller regions list (msvcrt::memcpy).
2019-08-13 22:57:05,778 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2019-08-13 22:57:35,823 [root] DEBUG: DLL unloaded from 0x000007FEF45C0000.
2019-08-13 22:57:35,855 [root] DEBUG: DLL unloaded from 0x000007FEF9950000.
2019-08-13 22:57:37,586 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-08-13 22:57:37,618 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF97C0000 to caller regions list (msvcrt::memcpy).
2019-08-13 22:57:37,634 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9A00000 to caller regions list (msvcrt::memcpy).
2019-08-13 22:57:37,664 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF98B0000 to caller regions list (msvcrt::memcpy).
2019-08-13 22:57:37,664 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-08-13 22:57:37,680 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCEF0000 to caller regions list (ntdll::NtCreateFile).
2019-08-13 22:57:37,680 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCEF0000 to caller regions list (ntdll::NtCreateFile).
2019-08-13 22:57:37,743 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8070000 to caller regions list (msvcrt::memcpy).
2019-08-13 22:57:37,757 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF94D0000 to caller regions list (msvcrt::memcpy).
2019-08-13 22:57:40,176 [root] DEBUG: DLL unloaded from 0x000007FEF9B80000.
2019-08-13 22:57:42,734 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-08-13 22:57:42,734 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-08-13 22:57:42,766 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB0D0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-08-13 22:57:42,859 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4E10000 to caller regions list (msvcrt::memcpy).
2019-08-13 22:57:42,905 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA0C0000 to caller regions list (ntdll::NtWaitForSingleObject).
2019-08-13 22:57:42,953 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-08-13 22:57:42,969 [root] DEBUG: DLL unloaded from 0x000007FEFB0D0000.
2019-08-13 22:57:42,983 [root] DEBUG: DLL unloaded from 0x000007FEF4E10000.
2019-08-13 22:57:43,000 [root] DEBUG: DLL unloaded from 0x000007FEF94D0000.
2019-08-13 22:57:43,000 [root] DEBUG: DLL unloaded from 0x000007FEF8070000.
2019-08-13 22:57:43,016 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-08-13 22:57:45,309 [root] INFO: Stopped WMI Service
2019-08-13 22:57:45,309 [root] INFO: Attaching to DcomLaunch service (pid 564)
2019-08-13 22:57:45,339 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:57:45,339 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:57:45,355 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:57:45,371 [root] DEBUG: Loader: Injecting process 564 (thread 0) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:57:45,387 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 568, handle 0x84
2019-08-13 22:57:45,401 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-08-13 22:57:45,401 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-08-13 22:57:45,417 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-08-13 22:57:45,434 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:57:45,448 [root] DEBUG: Process dumps enabled.
2019-08-13 22:57:45,464 [root] INFO: Disabling sleep skipping.
2019-08-13 22:57:45,480 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:57:45,480 [root] WARNING: Unable to hook LockResource
2019-08-13 22:57:45,496 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 564 at 0x0000000074460000, image base 0x00000000FFA10000, stack from 0x0000000002366000-0x0000000002370000
2019-08-13 22:57:45,512 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2019-08-13 22:57:45,526 [root] INFO: Added new process to list with pid: 564
2019-08-13 22:57:45,526 [root] INFO: Monitor successfully loaded in process with pid 564.
2019-08-13 22:57:45,542 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 22:57:45,558 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 22:57:45,573 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:57:49,661 [root] INFO: Started WMI Service
2019-08-13 22:57:49,661 [root] INFO: Attaching to WMI service (pid 1992)
2019-08-13 22:57:49,677 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:57:49,691 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:57:49,707 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:57:49,707 [root] DEBUG: Loader: Injecting process 1992 (thread 0) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:57:49,723 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-13 22:57:49,739 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:57:49,755 [root] DEBUG: Process dumps enabled.
2019-08-13 22:57:49,755 [root] INFO: Disabling sleep skipping.
2019-08-13 22:57:49,769 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:57:49,786 [root] WARNING: Unable to hook LockResource
2019-08-13 22:57:49,802 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1992 at 0x0000000074460000, image base 0x00000000FFA10000, stack from 0x00000000017A6000-0x00000000017B0000
2019-08-13 22:57:49,816 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-08-13 22:57:49,816 [root] INFO: Added new process to list with pid: 1992
2019-08-13 22:57:49,832 [root] INFO: Monitor successfully loaded in process with pid 1992.
2019-08-13 22:57:49,832 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 22:57:49,848 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 22:57:49,864 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:57:50,487 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4500000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-08-13 22:57:51,970 [root] DEBUG: DLL loaded at 0x000007FEF9E80000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2019-08-13 22:57:51,986 [root] DEBUG: DLL loaded at 0x000007FEFB270000: C:\Windows\system32\ATL (0x19000 bytes).
2019-08-13 22:57:52,000 [root] DEBUG: DLL loaded at 0x000007FEF9E60000: C:\Windows\system32\VssTrace (0x17000 bytes).
2019-08-13 22:57:52,016 [root] DEBUG: DLL loaded at 0x000007FEFA870000: C:\Windows\system32\samcli (0x14000 bytes).
2019-08-13 22:57:52,032 [root] DEBUG: DLL loaded at 0x000007FEFB820000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2019-08-13 22:57:52,048 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 22:57:52,063 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-08-13 22:57:52,078 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2019-08-13 22:57:52,109 [root] DEBUG: DLL loaded at 0x000007FEF9540000: C:\Windows\system32\wbem\wbemcore (0x12f000 bytes).
2019-08-13 22:57:52,125 [root] DEBUG: DLL loaded at 0x000007FEF94D0000: C:\Windows\system32\wbem\esscli (0x6f000 bytes).
2019-08-13 22:57:52,141 [root] DEBUG: DLL loaded at 0x000007FEF9A00000: C:\Windows\system32\wbem\FastProx (0xe2000 bytes).
2019-08-13 22:57:52,157 [root] DEBUG: DLL loaded at 0x000007FEF9980000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2019-08-13 22:57:52,157 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-08-13 22:57:52,173 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-08-13 22:57:52,187 [root] DEBUG: DLL loaded at 0x000007FEFCAC0000: C:\Windows\system32\authZ (0x2f000 bytes).
2019-08-13 22:57:52,203 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-08-13 22:57:52,234 [root] DEBUG: DLL loaded at 0x000007FEF90B0000: C:\Windows\system32\wbem\repdrvfs (0x73000 bytes).
2019-08-13 22:57:52,282 [root] WARNING: File at path "C:\Windows\sysnative\wbem\repository\WRITABLE.TST" does not exist, skip.
2019-08-13 22:57:52,282 [root] DEBUG: DLL loaded at 0x000007FEFCB00000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2019-08-13 22:57:52,312 [root] DEBUG: DLL unloaded from 0x000007FEFCB00000.
2019-08-13 22:57:52,625 [root] DEBUG: DLL loaded at 0x000007FEF80F0000: C:\Windows\system32\wbem\wmiprvsd (0xbc000 bytes).
2019-08-13 22:57:52,641 [root] DEBUG: DLL loaded at 0x000007FEFA0C0000: C:\Windows\system32\NCObjAPI (0x16000 bytes).
2019-08-13 22:57:52,687 [root] DEBUG: DLL loaded at 0x000007FEF7400000: C:\Windows\system32\wbem\wbemess (0x7e000 bytes).
2019-08-13 22:57:52,766 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 22:57:53,187 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2380
2019-08-13 22:57:53,217 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 22:57:53,233 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\HeJRZT.dll, loader C:\epyfuwi\bin\NKFmJEvz.exe
2019-08-13 22:57:53,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KxvfqAkc.
2019-08-13 22:57:53,265 [root] DEBUG: DLL loaded at 0x000007FEFA1E0000: C:\Windows\system32\wbem\ncprov (0x16000 bytes).
2019-08-13 22:57:53,265 [root] DEBUG: Loader: Injecting process 2380 (thread 3224) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:57:53,312 [root] DEBUG: Process image base: 0x00000000FFDF0000
2019-08-13 22:57:53,326 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:57:53,342 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFE4F000 - 0x000007FEFF430000
2019-08-13 22:57:53,358 [root] DEBUG: InjectDllViaIAT: Allocated 0x234 bytes for new import table at 0x00000000FFE50000.
2019-08-13 22:57:53,374 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:57:53,390 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:57:53,404 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2380
2019-08-13 22:57:53,404 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 22:57:53,421 [root] DEBUG: Process dumps enabled.
2019-08-13 22:57:53,436 [root] INFO: Disabling sleep skipping.
2019-08-13 22:57:53,451 [root] WARNING: Unable to place hook on LockResource
2019-08-13 22:57:53,467 [root] WARNING: Unable to hook LockResource
2019-08-13 22:57:53,483 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 22:57:53,513 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2380 at 0x0000000074460000, image base 0x00000000FFDF0000, stack from 0x0000000000120000-0x0000000000130000
2019-08-13 22:57:53,529 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -Embedding.
2019-08-13 22:57:53,561 [root] INFO: Added new process to list with pid: 2380
2019-08-13 22:57:53,561 [root] INFO: Monitor successfully loaded in process with pid 2380.
2019-08-13 22:57:53,576 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 22:57:53,592 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 22:57:53,608 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 22:57:53,670 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 22:57:53,733 [root] DEBUG: DLL loaded at 0x000007FEF9D50000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2019-08-13 22:57:53,747 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 22:57:53,763 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 22:57:53,795 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-08-13 22:57:53,920 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-08-13 22:57:53,936 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-08-13 22:57:54,184 [root] DEBUG: DLL loaded at 0x000007FEF9BA0000: C:\Windows\system32\wbem\wmiprov (0x3c000 bytes).
2019-08-13 22:57:54,341 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-08-13 22:58:24,683 [root] DEBUG: DLL unloaded from 0x000007FEFB0D0000.
2019-08-13 22:58:32,920 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-08-13 22:59:55,006 [root] DEBUG: DLL unloaded from 0x000007FEF9BA0000.
2019-08-13 22:59:55,069 [root] DEBUG: DLL unloaded from 0x000007FEF97C0000.
2019-08-13 22:59:55,085 [root] DEBUG: DLL unloaded from 0x000007FEF9A00000.
2019-08-13 22:59:55,101 [root] DEBUG: DLL unloaded from 0x000007FEFA0A0000.
2019-08-13 22:59:55,117 [root] DEBUG: DLL unloaded from 0x000007FEF9D50000.
2019-08-13 22:59:55,131 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 22:59:55,131 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2380
2019-08-13 22:59:55,148 [root] DEBUG: GetHookCallerBase: thread 3224 (handle 0x0), return address 0x00000000FFDF9845, allocation base 0x00000000FFDF0000.
2019-08-13 22:59:55,163 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FFDF0000.
2019-08-13 22:59:55,178 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFDF0000.
2019-08-13 22:59:55,194 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000A9B4.
2019-08-13 22:59:55,444 [root] INFO: Added new CAPE file to list with path: C:\HRnqwoJUO\CAPE\2380_13206471543510614382019
2019-08-13 22:59:55,444 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x5b000.
2019-08-13 22:59:55,506 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 22:59:55,522 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 22:59:55,552 [root] INFO: Notified of termination of process with pid 2380.
2019-08-13 22:59:56,411 [root] INFO: Process with pid 2380 has terminated
2019-08-13 23:00:02,510 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-08-13 23:00:02,526 [root] INFO: Created shutdown mutex.
2019-08-13 23:00:03,555 [root] INFO: Shutting down package.
2019-08-13 23:00:03,572 [root] INFO: Stopping auxiliary modules.
2019-08-13 23:00:03,572 [root] INFO: Finishing auxiliary modules.
2019-08-13 23:00:03,586 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-13 23:00:03,586 [root] WARNING: File at path "C:\HRnqwoJUO\debugger" does not exist, skip.
2019-08-13 23:00:03,586 [root] INFO: Analysis completed.
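The log above shows the CAPE monitor getting into processes in two different ways: the already-running service hosts (svchost.exe pids 564 and 1992) receive the DLL through a remote thread (InjectDllViaThread / RtlCreateUserThread), while the freshly spawned WmiPrvSE.exe (pid 2380) is caught while still suspended and gets the DLL by having its import table rewritten before its first instruction runs (InjectDllViaIAT, followed by RestoreHeaders once the monitor is in). It also shows that the module dump for pid 2380 was taken at the image base reported when the process was injected, so that dump is the wmiprvse.exe image itself; the log does not say whether anything foreign lives in it. The following parser, an added example and not CAPE's own code, rebuilds that per-process picture from the log text; its regexes are written against the lines reproduced on this page and are an assumption about the log format in general.

```python
"""Reconstruct how the CAPE monitor entered each process, from the analyzer log.

Added example for this report; it is not CAPE's own code. The regexes are
written against the log lines reproduced on this page and are an assumption
about the general log format (other CAPE builds may word these lines differently).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the analyzer log above, reduced to the lines the parser consumes.
SAMPLE_LOG = r"""
2019-08-13 22:57:49,707 [root] DEBUG: Loader: Injecting process 1992 (thread 0) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:57:49,723 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-13 22:57:49,802 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1992 at 0x0000000074460000, image base 0x00000000FFA10000, stack from 0x00000000017A6000-0x00000000017B0000
2019-08-13 22:57:49,816 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-08-13 22:57:49,832 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 22:57:53,265 [root] DEBUG: Loader: Injecting process 2380 (thread 3224) with C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:57:53,326 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\HeJRZT.dll.
2019-08-13 22:57:53,374 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 22:57:53,404 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2380
2019-08-13 22:57:53,513 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2380 at 0x0000000074460000, image base 0x00000000FFDF0000, stack from 0x0000000000120000-0x0000000000130000
2019-08-13 22:57:53,529 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -Embedding.
2019-08-13 22:59:55,131 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2380
2019-08-13 22:59:55,444 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x5b000.
2019-08-13 22:59:56,411 [root] INFO: Process with pid 2380 has terminated
"""

RE_LOADER = re.compile(r"Loader: Injecting process (\d+) \(thread (\d+)\)")
RE_THREAD = re.compile(r"InjectDllViaThread: Successfully injected")
RE_IAT = re.compile(r"InjectDllViaIAT: Successfully patched IAT")
RE_SUSPENDED = re.compile(r"Injected into suspended .*process with pid (\d+)")
RE_INIT = re.compile(r"CAPE initialised: .* in process (\d+) at (0x[0-9A-Fa-f]+), image base (0x[0-9A-Fa-f]+)")
RE_CMDLINE = re.compile(r"Commandline: (.*)$")
RE_DUMP_START = re.compile(r"Attempting to dump process (\d+)")
RE_DUMP_OK = re.compile(r"dump size (0x[0-9A-Fa-f]+)")
RE_TERMINATED = re.compile(r"Process with pid (\d+) has terminated")


@dataclass
class MonitoredProcess:
    pid: int
    thread_id: Optional[int] = None       # thread handed to the loader (0 -> None)
    method: str = "unknown"               # "thread" (RtlCreateUserThread) or "iat" (import-table patch)
    suspended: bool = False               # injected before the process ever ran
    monitor_base: Optional[int] = None    # where the CAPE DLL landed
    image_base: Optional[int] = None      # the process's own image base
    commandline: str = ""
    dumps: List[int] = field(default_factory=list)  # sizes of dumps taken on exit
    terminated: bool = False


def parse_log(text: str) -> Dict[int, MonitoredProcess]:
    """Walk the log once, keeping enough state to attribute context-free lines to a pid."""
    procs: Dict[int, MonitoredProcess] = {}
    inject_pid: Optional[int] = None   # set by "Loader: Injecting process N"
    init_pid: Optional[int] = None     # set by "CAPE initialised ... in process N"
    dump_pid: Optional[int] = None     # set by "Attempting to dump process N"

    def get(pid: int) -> MonitoredProcess:
        return procs.setdefault(pid, MonitoredProcess(pid))

    for line in text.splitlines():
        if m := RE_LOADER.search(line):
            inject_pid = int(m.group(1))
            get(inject_pid).thread_id = int(m.group(2)) or None
        elif RE_THREAD.search(line) and inject_pid is not None:
            get(inject_pid).method = "thread"
        elif RE_IAT.search(line) and inject_pid is not None:
            get(inject_pid).method = "iat"
        elif m := RE_SUSPENDED.search(line):
            get(int(m.group(1))).suspended = True
        elif m := RE_INIT.search(line):
            init_pid = int(m.group(1))
            get(init_pid).monitor_base = int(m.group(2), 16)
            get(init_pid).image_base = int(m.group(3), 16)
        elif (m := RE_CMDLINE.search(line)) and init_pid is not None:
            get(init_pid).commandline = m.group(1).rstrip(".")   # CAPE ends the line with a period
        elif m := RE_DUMP_START.search(line):
            dump_pid = int(m.group(1))
        elif (m := RE_DUMP_OK.search(line)) and dump_pid is not None:
            get(dump_pid).dumps.append(int(m.group(1), 16))
        elif m := RE_TERMINATED.search(line):
            get(int(m.group(1))).terminated = True
    return procs


if __name__ == "__main__":
    for p in sorted(parse_log(SAMPLE_LOG).values(), key=lambda x: x.pid):
        base = hex(p.image_base) if p.image_base is not None else "?"
        print(f"pid {p.pid:<5} {p.method:<7} suspended={p.suspended!s:<5} image={base} "
              f"dumps={[hex(d) for d in p.dumps]} {p.commandline}")
```

Run on the full log, the same state machine also attributes the earlier svchost.exe -k DcomLaunch (pid 564) entry, whose Loader line precedes this excerpt; the point of the method column is to know, before opening a dump, whether it came from a process CAPE hooked at birth or one it entered while already running.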

MalScore

10.0

TrickBot

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-08-13 21:56:34
Shutdown On 2019-08-13 22:00:17

File Details

File Name b2adfc902ef49583b590da412ebc0383e209cb25cb6269b12d698b4666ddcf2c
File Size 677142 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f0d2bd6573e2592113275065183a68cf
SHA1 2e8945a096b5582594591f3a2696e74ba0466db1
SHA256 b2adfc902ef49583b590da412ebc0383e209cb25cb6269b12d698b4666ddcf2c
SHA512 847b577eaae4ae541f856b088ccb81f90ed51b1f63147f9aaf038ce37d66a2f84e4228b8ad807737f259f32a14e52b7278c1bdf71ec45a9326e7be3d8109a4ce
CRC32 48BA3166
Ssdeep 12288:pSuiDKCiuef5J23iBm5pw4IZu54oFBsM0Nb:pSFriuexUJjoZGeM0Nb
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Scheduled file move on reboot detected
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XACZBFJVH0AABI8HGRAP.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2204 triggered the Yara rule 'TrickBot'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: XVVzw2.exe, PID 3040
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2324.32689104
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2324.32689104
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2324.32689104
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e537dc.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1812.31799478
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1812.31799478
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1812.31799478
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e53897.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2796.31799619
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2796.31799619
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2796.31799619
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WIW1R5TNTGDLJULCI4XX.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1116.31799525
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1116.31799525
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1116.31799525
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1f2d2b3.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2644.32691069
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2644.32691069
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2644.32691069
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e54267.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1360.31802083
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1360.31802083
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1360.31802083
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e54286.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2880.31802317
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2880.31802317
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2880.31802317
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e5465d.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2876.31803253
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2876.31803253
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2876.31803253
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e54c46.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3484.31804813
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3484.31804813
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3484.31804813
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e54bb9.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.4060.31804720
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.4060.31804720
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.4060.31804720
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1f2e97d.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3708.32697216
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3708.32697216
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3708.32697216
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e55606.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HE4KHS049ZTNKGEPJTQG.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.336.31807294
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.336.31807294
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.336.31807309
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e5575d.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3724.31808557
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3724.31808557
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3724.31808557
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VUB18BEN0HTKBEN811GL.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3288.31808682
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3288.31808682
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3288.31808682
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1f2f511.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2964.32700164
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2964.32700164
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2964.32700164
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e56265.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3244.31810648
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3244.31810648
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3244.31810648
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e56773.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3512.31811911
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3512.31811911
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3512.31811911
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e56add.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3980.31812629
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3980.31812629
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3980.31812629
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e56df9.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.4028.31813425
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.4028.31813425
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.4028.31813425
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e5703a.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3276.31813939
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3276.31813939
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3276.31813939
DeletedFile: C:\Windows\Tasks\SpeedLan.job
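The "Anomalous file deletion behavior detected (10+)" signature fires on volume, and almost all of the volume above is routine: the security.config.cch.PID.N and enterprisesec.config.cch.PID.N files are per-process .NET 2.0 policy-cache files (the pid is embedded in the name, so the list also tells you how many separate CLR processes started), and the *.temp / *.customDestinations-ms~RF*.TMP files are Explorer jump-list scratch files in the same Recent\CustomDestinations directory as the "File Move on Reboot" entry earlier in this section. The one path that fits neither pattern is C:\Windows\Tasks\SpeedLan.job, a legacy-format scheduled-task job file, and that is the entry to pivot on. The triage below is an added example, not CAPE code; its noise patterns are assumptions derived from the paths listed above, and the sample is a short excerpt of that list.

```python
"""Triage the DeletedFile entries of a CAPE report into noise and review buckets.

Added example for this report; it is not CAPE's own code. The noise patterns are
assumptions derived from the paths listed above, so re-check them before reusing
them on other reports.
"""
import re
from typing import Dict, List, NamedTuple

# Excerpt of the DeletedFile list above (a subset, kept short).
SAMPLE_DELETIONS = r"""
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2324.32689104
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2324.32689104
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2324.32689104
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e537dc.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1812.31799478
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1812.31799478
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1812.31799478
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WIW1R5TNTGDLJULCI4XX.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.336.31807294
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.336.31807294
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.336.31807309
DeletedFile: C:\Windows\Tasks\SpeedLan.job
"""

RE_DELETED = re.compile(r"^DeletedFile:\s*(.+)$")

# .NET 2.0 per-process policy cache: the pid sits between "cch." and the trailing number.
RE_CLR_CACHE = re.compile(r"\\(?:security|enterprisesec)\.config\.cch\.(\d+)\.\d+$", re.I)
# Explorer jump-list scratch files under Recent\CustomDestinations.
RE_JUMPLIST = re.compile(r"\\Recent\\CustomDestinations\\[^\\]+\.(?:temp|tmp)$", re.I)

# Order matters only for readability here; the patterns do not overlap.
NOISE = [("clr_policy_cache", RE_CLR_CACHE), ("jumplist_temp", RE_JUMPLIST)]


class Triage(NamedTuple):
    buckets: Dict[str, List[str]]   # label -> deleted paths
    clr_pids: List[int]             # distinct pids recovered from CLR cache names


def triage_deletions(text: str) -> Triage:
    """Bucket each DeletedFile path; anything no noise pattern explains lands in 'review'."""
    buckets: Dict[str, List[str]] = {label: [] for label, _ in NOISE}
    buckets["review"] = []
    pids = set()
    for raw in text.splitlines():
        m = RE_DELETED.match(raw.strip())
        if not m:
            continue
        path = m.group(1)
        for label, rx in NOISE:
            hit = rx.search(path)
            if hit:
                buckets[label].append(path)
                if label == "clr_policy_cache":
                    pids.add(int(hit.group(1)))   # only this pattern has a capture group
                break
        else:
            buckets["review"].append(path)        # no known-noise pattern matched
    return Triage(buckets, sorted(pids))


if __name__ == "__main__":
    t = triage_deletions(SAMPLE_DELETIONS)
    for label, paths in t.buckets.items():
        print(f"{label:<17} {len(paths)}")
    print("CLR pids:", t.clr_pids)
    for path in t.buckets["review"]:
        print("REVIEW:", path)
```

On the excerpt this leaves exactly one path in the review bucket; on the full list above it does the same, with twenty distinct CLR pids behind the cache churn. Whatever is left in the review bucket is where analyst time goes, not the count the signature reports.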
Use of guard pages detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: WmiPrvSE.exe tried to sleep 720 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
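Added example (not part of the CAPE report and not CAPE's own code): a small Python triage helper for DynamicLoader listings like the ones above. Each per-process listing runs to several hundred "DynamicLoader: <module>/<export>" lines and repeats largely the same resolutions, so the script folds the lines into per-module sets, merges A/W charset spellings of one export, counts resolutions that carry no export name (the bare "shell32.dll/" and "comctl32.dll/" entries, read here as lookups by ordinal, which is this example's interpretation of the format), and flags API clusters an analyst would inspect first. The W-suffixed spellings of exports that have no W variant (GetCurrentProcessIdW, LocalAllocW, EnumWindowsW) sit next to mscoree/mscorwks resolutions and match the pattern the CLR produces when it probes suffixed names for P/Invoke targets; that too is an interpretation, not something the report states. The cluster table, the suffix-stripping rule and the two-hit threshold are assumptions of the example, not a CAPE signature, and the embedded sample is a constructed subset copied from the listing.

```python
"""Triage helper for CAPE "DynamicLoader" lines (added example, not CAPE code)."""
import re
from collections import Counter, defaultdict

# Report format as it appears on the page: "DynamicLoader: <module>/<export>"
LINE_RE = re.compile(r"^DynamicLoader:\s*([^/]+)/(.*)$")

# Assumption: analyst heuristics chosen for this example, not a CAPE signature.
CLUSTERS = {
    "token privilege adjustment": {
        "LookupPrivilegeValue", "OpenProcessToken", "AdjustTokenPrivileges"},
    "cross-process enumeration/access": {
        "OpenProcess", "EnumProcessModules", "GetModuleFileNameEx",
        "NtQuerySystemInformation", "EnumWindows", "GetWindowThreadProcessId"},
    "CryptoAPI key material": {
        "CryptAcquireContext", "CryptGenKey", "CryptImportKey",
        "CryptExportKey", "CryptGenRandom"},
    "ACL / security descriptor changes": {
        "SetEntriesInAcl", "SetSecurityDescriptorDacl", "SetSecurityInfo",
        "AddAccessAllowedAce"},
    "debugger / environment checks": {"IsDebuggerPresent", "IsWow64Process"},
}

# Constructed sample: a subset of lines copied from the listing above.
SAMPLE = """\
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
"""


def parse(text):
    """Yield (module, export); modules lower-cased so PSAPI.DLL and psapi.dll merge."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1).strip().lower(), m.group(2).strip()


def canonical(export):
    """Drop a trailing A/W charset suffix ("GetFullPathNameW" -> "GetFullPathName").
    Heuristic: only strips when the preceding character is lowercase or a digit,
    so a name such as "SLGetWindowsInformationDWORD" is left untouched."""
    if len(export) > 2 and export[-1] in "AW" and (export[-2].islower() or export[-2].isdigit()):
        return export[:-1]
    return export


def triage(text, min_hits=2):
    """Fold report lines into per-module export sets and flag API clusters.
    A cluster is reported only when at least min_hits of its APIs were resolved."""
    modules, spellings, ordinal_only = defaultdict(set), defaultdict(set), Counter()
    for module, export in parse(text):
        if not export:                      # nothing after the slash: name-less lookup
            ordinal_only[module] += 1
            continue
        base = canonical(export)
        modules[module].add(base)
        spellings[base].add(export)         # keeps e.g. {"GetCurrentProcessId", "GetCurrentProcessIdW"}
    resolved = set().union(*modules.values()) if modules else set()
    clusters = {}
    for label, apis in CLUSTERS.items():
        found = sorted(apis & resolved)
        if len(found) >= min_hits:
            clusters[label] = found
    return {"modules": {m: sorted(v) for m, v in modules.items()},
            "spellings": {k: sorted(v) for k, v in spellings.items()},
            "ordinal_only": dict(ordinal_only),
            "clusters": clusters}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for module, exports in sorted(result["modules"].items()):
        print(f"{module}: {', '.join(exports)}")
    for module, n in sorted(result["ordinal_only"].items()):
        print(f"{module}: {n} resolution(s) without an export name")
    for base, raw in sorted(result["spellings"].items()):
        if len(raw) > 1:
            print(f"folded {raw} -> {base}")
    for label, found in result["clusters"].items():
        print(f"[!] {label}: {', '.join(found)}")
```

Feed it the full listing instead of SAMPLE (for instance by pasting one process's block into a file and reading it) to get one summary per process; comparing the flagged clusters across the three listings is a quick way to see whether the processes diverge or are the same binary resolving the same imports.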
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: CRYPT32.dll/CryptProtectData
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken