CAPE

Detections: TrickBot
Triggered CAPE Tasks: Task #87755: TrickBot

Analysis

Category: FILE
Package: exe
Started: 2019-08-13 22:42:01
Completed: 2019-08-13 22:46:20
Duration: 259 seconds
Options:
route = internet
procdump = 1
Log:
2019-08-13 23:42:02,000 [root] INFO: Date set to: 08-13-19, time set to: 22:42:02, timeout set to: 200
2019-08-13 23:42:02,078 [root] DEBUG: Starting analyzer from: C:\nehbva
2019-08-13 23:42:02,078 [root] DEBUG: Storing results at: C:\xyAIARtiO
2019-08-13 23:42:02,078 [root] DEBUG: Pipe server name: \\.\PIPE\TUUSvecfzs
2019-08-13 23:42:02,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-08-13 23:42:02,078 [root] INFO: Automatically selected analysis package "exe"
2019-08-13 23:42:03,029 [root] DEBUG: Started auxiliary module Browser
2019-08-13 23:42:03,045 [root] DEBUG: Started auxiliary module Curtain
2019-08-13 23:42:03,045 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-13 23:42:03,793 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-08-13 23:42:03,793 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-13 23:42:03,793 [root] DEBUG: Started auxiliary module DigiSig
2019-08-13 23:42:03,793 [root] DEBUG: Started auxiliary module Disguise
2019-08-13 23:42:03,793 [root] DEBUG: Started auxiliary module Human
2019-08-13 23:42:03,793 [root] DEBUG: Started auxiliary module Screenshots
2019-08-13 23:42:03,793 [root] DEBUG: Started auxiliary module Sysmon
2019-08-13 23:42:03,809 [root] DEBUG: Started auxiliary module Usage
2019-08-13 23:42:03,809 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-08-13 23:42:03,809 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-08-13 23:42:03,855 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\2JWyzmff7st.exe" with arguments "" with pid 1116
2019-08-13 23:42:03,871 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:03,871 [lib.api.process] INFO: 32-bit DLL to inject is C:\nehbva\dll\qNaPrre.dll, loader C:\nehbva\bin\gApLtcZ.exe
2019-08-13 23:42:03,887 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:03,887 [root] DEBUG: Loader: Injecting process 1116 (thread 1332) with C:\nehbva\dll\qNaPrre.dll.
2019-08-13 23:42:03,887 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:42:03,887 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\qNaPrre.dll.
2019-08-13 23:42:03,887 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77380000
2019-08-13 23:42:03,887 [root] DEBUG: InjectDllViaIAT: Allocated 0x1128 bytes for new import table at 0x00490000.
2019-08-13 23:42:03,903 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:03,903 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\qNaPrre.dll.
2019-08-13 23:42:03,903 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1116
2019-08-13 23:42:05,914 [lib.api.process] INFO: Successfully resumed process with pid 1116
2019-08-13 23:42:05,914 [root] INFO: Added new process to list with pid: 1116
2019-08-13 23:42:06,118 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:06,118 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:06,243 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:06,243 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:06,243 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:06,243 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:06,243 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:06,243 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1116 at 0x74af0000, image base 0x400000, stack from 0x286000-0x290000
2019-08-13 23:42:06,257 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\2JWyzmff7st.exe".
2019-08-13 23:42:06,257 [root] INFO: Monitor successfully loaded in process with pid 1116.
2019-08-13 23:42:06,257 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:42:06,273 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:42:06,321 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:42:06,321 [root] DEBUG: DLL loaded at 0x74820000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:42:06,398 [root] DEBUG: DLL loaded at 0x74720000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:42:06,398 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:42:06,398 [root] DEBUG: DLL loaded at 0x74580000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:42:06,414 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:42:06,460 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:42:06,460 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:42:06,632 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-08-13 23:42:06,757 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:42:06,819 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:42:06,851 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:42:06,851 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:42:07,053 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:42:07,069 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:42:07,069 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:42:07,069 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:42:07,069 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-08-13 23:42:07,148 [root] INFO: Announced 32-bit process name: ропрУВаЫсен.exe pid: 112
2019-08-13 23:42:07,148 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:07,148 [lib.api.process] INFO: 32-bit DLL to inject is C:\nehbva\dll\qNaPrre.dll, loader C:\nehbva\bin\gApLtcZ.exe
2019-08-13 23:42:07,163 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:07,163 [root] DEBUG: Loader: Injecting process 112 (thread 684) with C:\nehbva\dll\qNaPrre.dll.
2019-08-13 23:42:07,163 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:42:07,163 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\qNaPrre.dll.
2019-08-13 23:42:07,163 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77380000
2019-08-13 23:42:07,163 [root] DEBUG: InjectDllViaIAT: Allocated 0x1128 bytes for new import table at 0x00490000.
2019-08-13 23:42:07,163 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:07,163 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\qNaPrre.dll.
2019-08-13 23:42:07,163 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 112
2019-08-13 23:42:07,163 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:07,178 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:07,178 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:07,194 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:07,194 [root] DEBUG: DLL unloaded from 0x74720000.
2019-08-13 23:42:07,194 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1116
2019-08-13 23:42:07,194 [root] DEBUG: GetHookCallerBase: thread 1332 (handle 0x0), return address 0x00407C87, allocation base 0x00400000.
2019-08-13 23:42:07,194 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 23:42:07,194 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:42:07,194 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:42:07,210 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:07,210 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 112 at 0x74af0000, image base 0x400000, stack from 0x286000-0x290000
2019-08-13 23:42:07,210 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\ProgramData\???????????.exe".
2019-08-13 23:42:07,210 [root] INFO: Added new process to list with pid: 112
2019-08-13 23:42:07,210 [root] INFO: Monitor successfully loaded in process with pid 112.
2019-08-13 23:42:07,226 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:42:07,226 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\1116_1159463214722314382019
2019-08-13 23:42:07,226 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 23:42:07,240 [root] DEBUG: DLL unloaded from 0x75700000.
2019-08-13 23:42:07,240 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:42:07,240 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-08-13 23:42:07,240 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:42:07,240 [root] INFO: Notified of termination of process with pid 1116.
2019-08-13 23:42:07,240 [root] DEBUG: DLL loaded at 0x74820000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:42:07,288 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:42:07,303 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:42:07,335 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:42:07,335 [root] DEBUG: DLL unloaded from 0x76790000.
2019-08-13 23:42:07,427 [root] DEBUG: set_caller_info: Adding region at 0x005C0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:42:07,522 [root] DEBUG: DLL loaded at 0x74620000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:42:07,522 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:42:07,538 [root] DEBUG: DLL loaded at 0x74480000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:42:07,552 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:42:07,569 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:42:07,677 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:07,818 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:07,834 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:42:07,911 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 23:42:07,911 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:42:07,927 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:42:07,927 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:42:07,927 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:42:07,927 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-08-13 23:42:07,943 [root] INFO: Process with pid 1116 has terminated
2019-08-13 23:42:07,973 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:42:07,973 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:42:08,006 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1088
2019-08-13 23:42:08,020 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,020 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,036 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,068 [root] DEBUG: Loader: Injecting process 1088 (thread 2380) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,068 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:08,098 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,098 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:08,115 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:08,130 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,145 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,145 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1088
2019-08-13 23:42:08,161 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,161 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,161 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:08,161 [root] DEBUG: DLL unloaded from 0x74620000.
2019-08-13 23:42:08,161 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,161 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:08,177 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:08,177 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:08,177 [root] DEBUG: DLL loaded at 0x747A0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:08,177 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,177 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,177 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2564
2019-08-13 23:42:08,177 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,193 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,193 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,193 [root] DEBUG: Loader: Injecting process 2564 (thread 2484) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,193 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:08,193 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,193 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:08,193 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,207 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:08,207 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1088 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000154000-0x0000000000250000
2019-08-13 23:42:08,207 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,207 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c sc stop WinDefend.
2019-08-13 23:42:08,207 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,207 [root] INFO: Added new process to list with pid: 1088
2019-08-13 23:42:08,207 [root] INFO: Monitor successfully loaded in process with pid 1088.
2019-08-13 23:42:08,207 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2564
2019-08-13 23:42:08,207 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:08,207 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:08,207 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:08,207 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:08,223 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:08,223 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,223 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,223 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,223 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2840
2019-08-13 23:42:08,240 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:08,240 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,240 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,240 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,240 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,240 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,240 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2564 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x00000000000B4000-0x00000000001B0000
2019-08-13 23:42:08,240 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c sc delete WinDefend.
2019-08-13 23:42:08,240 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,240 [root] INFO: Added new process to list with pid: 2564
2019-08-13 23:42:08,240 [root] DEBUG: Loader: Injecting process 2840 (thread 1772) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,240 [root] INFO: Monitor successfully loaded in process with pid 2564.
2019-08-13 23:42:08,240 [root] INFO: Announced 64-bit process name: sc.exe pid: 2508
2019-08-13 23:42:08,240 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:08,240 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,240 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,255 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,255 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:08,255 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:08,255 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,255 [root] INFO: Announced 64-bit process name: sc.exe pid: 592
2019-08-13 23:42:08,255 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:08,255 [root] DEBUG: Loader: Injecting process 2508 (thread 2320) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,255 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,255 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,255 [root] DEBUG: Process image base: 0x00000000FF030000
2019-08-13 23:42:08,255 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,255 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,255 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,255 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2840
2019-08-13 23:42:08,255 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF03F000 - 0x000007FEFF6A0000
2019-08-13 23:42:08,255 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:08,270 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,270 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FF040000.
2019-08-13 23:42:08,270 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:08,270 [root] DEBUG: Loader: Injecting process 592 (thread 2828) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,270 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,270 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:08,270 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,270 [root] DEBUG: Process image base: 0x00000000FF030000
2019-08-13 23:42:08,270 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2508
2019-08-13 23:42:08,270 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:08,270 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,270 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,270 [root] DEBUG: DLL loaded at 0x747A0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:08,270 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,270 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF03F000 - 0x000007FEFF6A0000
2019-08-13 23:42:08,270 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,286 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FF040000.
2019-08-13 23:42:08,286 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2280
2019-08-13 23:42:08,286 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,286 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,286 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,286 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,286 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,286 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,286 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,286 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,286 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,286 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 592
2019-08-13 23:42:08,286 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,286 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2840 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000104000-0x0000000000200000
2019-08-13 23:42:08,302 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,302 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,302 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,302 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 23:42:08,302 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,302 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,302 [root] DEBUG: Loader: Injecting process 2280 (thread 1840) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,302 [root] INFO: Added new process to list with pid: 2840
2019-08-13 23:42:08,302 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,302 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:08,302 [root] INFO: Monitor successfully loaded in process with pid 2840.
2019-08-13 23:42:08,302 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,302 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2508 at 0x00000000743A0000, image base 0x00000000FF030000, stack from 0x0000000000255000-0x0000000000260000
2019-08-13 23:42:08,302 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,318 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,318 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\sc  stop WinDefend.
2019-08-13 23:42:08,318 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,318 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:08,318 [root] INFO: Added new process to list with pid: 2508
2019-08-13 23:42:08,318 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:08,318 [root] INFO: Monitor successfully loaded in process with pid 2508.
2019-08-13 23:42:08,318 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,318 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,318 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 592 at 0x00000000743A0000, image base 0x00000000FF030000, stack from 0x00000000001D5000-0x00000000001E0000
2019-08-13 23:42:08,318 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,318 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\sc  delete WinDefend.
2019-08-13 23:42:08,318 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2280
2019-08-13 23:42:08,318 [root] INFO: Added new process to list with pid: 592
2019-08-13 23:42:08,318 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:08,318 [root] INFO: Monitor successfully loaded in process with pid 592.
2019-08-13 23:42:08,332 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:08,332 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:08,332 [root] DEBUG: DLL unloaded from 0x000007FEFE500000.
2019-08-13 23:42:08,332 [root] DEBUG: DLL unloaded from 0x000007FEFE500000.
2019-08-13 23:42:08,332 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:08,332 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,332 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 592
2019-08-13 23:42:08,332 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:08,332 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:08,332 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2508
2019-08-13 23:42:08,332 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,348 [root] DEBUG: GetHookCallerBase: thread 2828 (handle 0x0), return address 0x00000000FF03107F, allocation base 0x00000000FF030000.
2019-08-13 23:42:08,348 [root] DEBUG: GetHookCallerBase: thread 2320 (handle 0x0), return address 0x00000000FF03107F, allocation base 0x00000000FF030000.
2019-08-13 23:42:08,348 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2244
2019-08-13 23:42:08,348 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF030000.
2019-08-13 23:42:08,348 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF030000.
2019-08-13 23:42:08,348 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1468
2019-08-13 23:42:08,348 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,348 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,348 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF030000.
2019-08-13 23:42:08,348 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF030000.
2019-08-13 23:42:08,348 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,348 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,364 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,364 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:42:08,364 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:42:08,364 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,364 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,364 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:42:08,364 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,364 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:42:08,364 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,364 [root] DEBUG: Loader: Injecting process 2244 (thread 2172) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,364 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2280 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000094000-0x0000000000190000
2019-08-13 23:42:08,364 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,364 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:08,364 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 23:42:08,364 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:42:08,364 [root] DEBUG: Loader: Injecting process 1468 (thread 2284) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,364 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,380 [root] INFO: Added new process to list with pid: 2280
2019-08-13 23:42:08,380 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:42:08,380 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:08,380 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:08,380 [root] INFO: Monitor successfully loaded in process with pid 2280.
2019-08-13 23:42:08,380 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,380 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\592_6334872482822314382019
2019-08-13 23:42:08,380 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:08,380 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,380 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:08,380 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:42:08,380 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,380 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2244
2019-08-13 23:42:08,380 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:08,380 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:08,380 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,395 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2208
2019-08-13 23:42:08,395 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,395 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1468
2019-08-13 23:42:08,411 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,411 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,411 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:08,411 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:08,411 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,411 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:08,411 [root] DEBUG: Loader: Injecting process 2208 (thread 3012) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,411 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,411 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:08,411 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:08,411 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,411 [root] DEBUG: DLL loaded at 0x747A0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:08,411 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,427 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,427 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:08,427 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:08,427 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,427 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2924
2019-08-13 23:42:08,427 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,427 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,427 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,427 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,427 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,427 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,427 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2208
2019-08-13 23:42:08,427 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,427 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,427 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1468 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x00000000001A4000-0x00000000002A0000
2019-08-13 23:42:08,427 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,441 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:08,441 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:08,441 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,441 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 23:42:08,441 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,441 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,441 [root] INFO: Added new process to list with pid: 1468
2019-08-13 23:42:08,441 [root] INFO: Monitor successfully loaded in process with pid 1468.
2019-08-13 23:42:08,441 [root] DEBUG: Loader: Injecting process 2924 (thread 2888) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,441 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,441 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,441 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:08,441 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,441 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:08,441 [root] INFO: Notified of termination of process with pid 592.
2019-08-13 23:42:08,441 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,457 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,457 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2868
2019-08-13 23:42:08,457 [root] INFO: Notified of termination of process with pid 2508.
2019-08-13 23:42:08,457 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,457 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2564
2019-08-13 23:42:08,457 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2244 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000155000-0x0000000000160000
2019-08-13 23:42:08,457 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:08,457 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1088
2019-08-13 23:42:08,457 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,457 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,457 [root] DEBUG: GetHookCallerBase: thread 2484 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:08,457 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 23:42:08,457 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:08,457 [root] DEBUG: GetHookCallerBase: thread 2380 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:08,457 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,457 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:08,473 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,473 [root] INFO: Added new process to list with pid: 2244
2019-08-13 23:42:08,473 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,473 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:08,473 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:08,473 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,473 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2208 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x00000000001B5000-0x00000000001C0000
2019-08-13 23:42:08,473 [root] INFO: Monitor successfully loaded in process with pid 2244.
2019-08-13 23:42:08,473 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,473 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:08,473 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:08,473 [root] DEBUG: Loader: Injecting process 2868 (thread 2012) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,473 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 23:42:08,473 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2924
2019-08-13 23:42:08,473 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:08,489 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:08,489 [root] INFO: Added new process to list with pid: 2208
2019-08-13 23:42:08,489 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:08,489 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:08,489 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:08,489 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,489 [root] INFO: Monitor successfully loaded in process with pid 2208.
2019-08-13 23:42:08,489 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:08,489 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,489 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:42:08,489 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:08,489 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:08,505 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,505 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:42:08,505 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:08,505 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:08,505 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:08,505 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:08,505 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:08,505 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,505 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2564_766043740822314382019
2019-08-13 23:42:08,505 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,505 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:08,505 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:08,519 [root] INFO: Notified of termination of process with pid 1088.
2019-08-13 23:42:08,519 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:08,519 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:08,519 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,519 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,519 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:08,519 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:08,536 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:08,536 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2868
2019-08-13 23:42:08,536 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2672
2019-08-13 23:42:08,536 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,536 [root] INFO: Notified of termination of process with pid 2564.
2019-08-13 23:42:08,536 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,536 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,536 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,536 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:08,536 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:08,536 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2924 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x00000000001B4000-0x00000000002B0000
2019-08-13 23:42:08,536 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,552 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,552 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:08,552 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:08,552 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 23:42:08,552 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,552 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,552 [root] INFO: Added new process to list with pid: 2924
2019-08-13 23:42:08,552 [root] INFO: Monitor successfully loaded in process with pid 2924.
2019-08-13 23:42:08,552 [root] DEBUG: Loader: Injecting process 2672 (thread 1136) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,566 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:08,566 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,566 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:08,566 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:08,566 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:08,566 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,566 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1340
2019-08-13 23:42:08,566 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,582 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,582 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,582 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:08,582 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2868 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000245000-0x0000000000250000
2019-08-13 23:42:08,582 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:08,582 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,598 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:08,598 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 23:42:08,598 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,598 [root] INFO: Added new process to list with pid: 2868
2019-08-13 23:42:08,598 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,598 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,598 [root] INFO: Monitor successfully loaded in process with pid 2868.
2019-08-13 23:42:08,598 [root] DEBUG: Loader: Injecting process 1340 (thread 1912) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,598 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2672
2019-08-13 23:42:08,614 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:08,614 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:08,614 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:08,614 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:08,614 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:08,614 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,614 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:08,614 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:08,614 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:08,614 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:08,614 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:08,614 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:08,614 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,630 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:08,630 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:08,630 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:08,630 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:08,630 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,630 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:08,630 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:08,630 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:08,630 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,630 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:08,644 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,644 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:08,644 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1340
2019-08-13 23:42:08,644 [root] DEBUG: DLL loaded at 0x747A0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:08,644 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,661 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:08,661 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:08,661 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:08,661 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:08,661 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2860
2019-08-13 23:42:08,661 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,661 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:08,661 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:08,661 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:08,661 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:08,661 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,661 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:08,661 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:08,676 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:08,676 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:08,676 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2672 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000054000-0x0000000000150000
2019-08-13 23:42:08,676 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:08,676 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 23:42:08,676 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:08,676 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:08,707 [root] INFO: Added new process to list with pid: 2672
2019-08-13 23:42:08,707 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:08,707 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:08,707 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:08,707 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:08,707 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:08,707 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:08,707 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:08,707 [root] INFO: Monitor successfully loaded in process with pid 2672.
2019-08-13 23:42:08,723 [root] DEBUG: Loader: Injecting process 2860 (thread 2892) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,723 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:08,848 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:08,910 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:08,926 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:08,926 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1340 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000135000-0x0000000000140000
2019-08-13 23:42:08,973 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:08,973 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:08,973 [root] INFO: Process with pid 1088 has terminated
2019-08-13 23:42:08,973 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2828
2019-08-13 23:42:08,987 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 23:42:08,987 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:08,987 [root] INFO: Process with pid 2508 has terminated
2019-08-13 23:42:09,003 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:09,003 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:09,003 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:09,098 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:09,098 [root] INFO: Added new process to list with pid: 1340
2019-08-13 23:42:09,098 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:09,098 [root] INFO: Monitor successfully loaded in process with pid 1340.
2019-08-13 23:42:09,144 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:09,144 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:09,144 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:09,144 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:09,144 [root] DEBUG: Loader: Injecting process 2828 (thread 1640) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,176 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:09,221 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:09,221 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,221 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:09,237 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:09,253 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:09,253 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:09,253 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:09,253 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,253 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:09,269 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:09,269 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2860
2019-08-13 23:42:09,269 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,269 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2828
2019-08-13 23:42:09,285 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:09,299 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:09,299 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:09,315 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:09,315 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:09,315 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:09,315 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:09,315 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:09,315 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:09,315 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:09,315 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:09,332 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:09,332 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:09,332 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:09,332 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:09,346 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:09,346 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:09,346 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:09,362 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:09,362 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:09,362 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:09,362 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:09,378 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:09,378 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:09,378 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:09,378 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:09,378 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:09,378 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:09,394 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:09,394 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:09,394 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:09,394 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2828 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000245000-0x0000000000250000
2019-08-13 23:42:09,394 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1216
2019-08-13 23:42:09,394 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:09,394 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:09,394 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:09,394 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 23:42:09,410 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:09,410 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:09,410 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:09,410 [root] INFO: Added new process to list with pid: 2828
2019-08-13 23:42:09,410 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:09,410 [root] INFO: Monitor successfully loaded in process with pid 2828.
2019-08-13 23:42:09,410 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:09,410 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2860 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x00000000000B4000-0x00000000001B0000
2019-08-13 23:42:09,440 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:09,440 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:09,440 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:09,456 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:09,456 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 23:42:09,456 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:09,456 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:09,456 [root] INFO: Added new process to list with pid: 2860
2019-08-13 23:42:09,456 [root] INFO: Monitor successfully loaded in process with pid 2860.
2019-08-13 23:42:09,471 [root] DEBUG: Loader: Injecting process 1216 (thread 2792) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,471 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:09,471 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:09,471 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:09,471 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:09,471 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2176
2019-08-13 23:42:09,471 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,487 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:09,487 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:09,487 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:09,487 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:09,487 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:09,487 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:09,503 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:09,503 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:09,519 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:09,519 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:09,519 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,519 [root] DEBUG: Loader: Injecting process 2176 (thread 1748) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,533 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1216
2019-08-13 23:42:09,533 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:09,533 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:09,533 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:09,581 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:09,581 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:09,581 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:09,581 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:09,581 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,581 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:09,581 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:09,596 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:09,596 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:09,596 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:09,596 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:09,596 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:09,596 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:09,690 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:09,690 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:09,721 [root] DEBUG: DLL loaded at 0x747A0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:09,721 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:09,767 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:09,767 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:09,767 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1428
2019-08-13 23:42:09,767 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:09,767 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,767 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:09,783 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:09,783 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2176
2019-08-13 23:42:09,783 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:09,783 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:09,783 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1216 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000104000-0x0000000000200000
2019-08-13 23:42:09,799 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:09,799 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:09,799 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 23:42:09,799 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:09,799 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:09,799 [root] INFO: Added new process to list with pid: 1216
2019-08-13 23:42:09,845 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:09,845 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:09,845 [root] INFO: Monitor successfully loaded in process with pid 1216.
2019-08-13 23:42:09,845 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:09,845 [root] DEBUG: Loader: Injecting process 1428 (thread 2316) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,845 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:09,861 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:09,861 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:09,861 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:09,878 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1316
2019-08-13 23:42:09,878 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,878 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:09,878 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:09,878 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:09,878 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:09,878 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:09,878 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:09,892 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:09,892 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2176 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000175000-0x0000000000180000
2019-08-13 23:42:09,908 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:09,908 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 23:42:09,908 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:09,908 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:09,908 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,908 [root] INFO: Added new process to list with pid: 2176
2019-08-13 23:42:09,908 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:09,924 [root] DEBUG: Loader: Injecting process 1316 (thread 2160) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,924 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1428
2019-08-13 23:42:09,924 [root] INFO: Monitor successfully loaded in process with pid 2176.
2019-08-13 23:42:09,924 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:09,924 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:09,924 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:09,940 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,940 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:09,940 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:09,940 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:09,940 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:09,940 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:09,940 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:09,940 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:09,956 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:09,956 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:09,956 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:09,956 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:09,956 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:09,956 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:09,956 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:09,956 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:09,956 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,956 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:09,956 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1316
2019-08-13 23:42:09,956 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:09,956 [root] INFO: Announced 64-bit process name: cmd.exe pid: 716
2019-08-13 23:42:09,970 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:09,970 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1428 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000164000-0x0000000000260000
2019-08-13 23:42:09,970 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:09,970 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:09,970 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:09,970 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 23:42:09,970 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:09,970 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:09,970 [root] INFO: Added new process to list with pid: 1428
2019-08-13 23:42:09,970 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:09,986 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:09,986 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:09,986 [root] INFO: Monitor successfully loaded in process with pid 1428.
2019-08-13 23:42:09,986 [root] DEBUG: Loader: Injecting process 716 (thread 1844) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:09,986 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:09,986 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:09,986 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:09,986 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:09,986 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:09,986 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:10,002 [root] INFO: Announced 64-bit process name: powershell.exe pid: 924
2019-08-13 23:42:10,002 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,002 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:10,002 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:10,002 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:10,002 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1316 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000115000-0x0000000000120000
2019-08-13 23:42:10,002 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:10,002 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:10,002 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:10,002 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:10,002 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 23:42:10,002 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:10,017 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:10,017 [root] INFO: Process with pid 2564 has terminated
2019-08-13 23:42:10,017 [root] INFO: Added new process to list with pid: 1316
2019-08-13 23:42:10,017 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,017 [root] INFO: Process with pid 592 has terminated
2019-08-13 23:42:10,017 [root] INFO: Monitor successfully loaded in process with pid 1316.
2019-08-13 23:42:10,017 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 716
2019-08-13 23:42:10,017 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:10,017 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:10,033 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:10,033 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:10,033 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:10,111 [root] DEBUG: Loader: Injecting process 924 (thread 2948) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,111 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:10,111 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:10,111 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:10,127 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,127 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:10,127 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:10,127 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:10,127 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:10,127 [root] DEBUG: DLL loaded at 0x747A0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:10,127 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:10,127 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:10,127 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:10,127 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:10,142 [root] INFO: Announced 64-bit process name: cmd.exe pid: 828
2019-08-13 23:42:10,142 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:10,142 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:10,142 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:10,142 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:10,142 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,157 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:10,174 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:10,174 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 924
2019-08-13 23:42:10,174 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:10,174 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:10,190 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:10,190 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:10,190 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:10,204 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:10,204 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:10,204 [root] DEBUG: Loader: Injecting process 828 (thread 3060) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,204 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:10,204 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:10,204 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 716 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000124000-0x0000000000220000
2019-08-13 23:42:10,204 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:10,204 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:10,252 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 23:42:10,252 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:10,252 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:10,252 [root] INFO: Added new process to list with pid: 716
2019-08-13 23:42:10,267 [root] INFO: Monitor successfully loaded in process with pid 716.
2019-08-13 23:42:10,267 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:10,267 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,267 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:10,267 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:10,267 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:10,267 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:10,267 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:10,282 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:10,282 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:10,282 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:10,282 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2008
2019-08-13 23:42:10,299 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:10,299 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:10,299 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:10,313 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:10,313 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:10,313 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:10,329 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:10,329 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 924 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000145000-0x0000000000150000
2019-08-13 23:42:10,329 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:10,329 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:10,329 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:10,329 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:10,329 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,329 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:10,345 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 23:42:10,345 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:10,377 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:10,377 [root] INFO: Added new process to list with pid: 924
2019-08-13 23:42:10,377 [root] INFO: Monitor successfully loaded in process with pid 924.
2019-08-13 23:42:10,391 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:10,391 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:10,391 [root] DEBUG: Loader: Injecting process 2008 (thread 2580) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,424 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 828
2019-08-13 23:42:10,424 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:10,424 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:10,424 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:10,424 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:10,424 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:10,438 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:10,438 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:10,438 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:10,438 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:10,563 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:10,579 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:10,579 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:10,579 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:10,595 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,595 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:10,595 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:10,595 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:10,595 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:10,595 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:10,595 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:10,595 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:10,611 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:10,611 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:10,611 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:10,611 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:10,625 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:10,641 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:10,641 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:10,641 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:10,641 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:10,641 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:10,641 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:10,641 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:10,657 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:10,657 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:10,657 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,673 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:10,673 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:10,673 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:10,673 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:10,673 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2008
2019-08-13 23:42:10,673 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:10,688 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 828 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000114000-0x0000000000210000
2019-08-13 23:42:10,720 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:10,720 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:10,720 [root] INFO: Announced 32-bit process name: ропрУВаЫсен.exe pid: 2076
2019-08-13 23:42:10,720 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableScriptScanning $true.
2019-08-13 23:42:10,720 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:10,720 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:10,720 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:10,720 [root] INFO: Added new process to list with pid: 828
2019-08-13 23:42:10,736 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:10,736 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:10,736 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:10,736 [root] INFO: Monitor successfully loaded in process with pid 828.
2019-08-13 23:42:10,736 [lib.api.process] INFO: 32-bit DLL to inject is C:\nehbva\dll\qNaPrre.dll, loader C:\nehbva\bin\gApLtcZ.exe
2019-08-13 23:42:10,736 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:10,736 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HDHLYERMRZNARKV8ZXR2.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\HDHLYERMRZNARKV8ZXR2.temp'
2019-08-13 23:42:10,736 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:10,736 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:10,750 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:10,750 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:10,750 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:10,750 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HDHLYERMRZNARKV8ZXR2.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\HDHLYERMRZNARKV8ZXR2.temp'
2019-08-13 23:42:10,766 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:10,766 [root] DEBUG: Loader: Injecting process 2076 (thread 2424) with C:\nehbva\dll\qNaPrre.dll.
2019-08-13 23:42:10,766 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:10,782 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2772
2019-08-13 23:42:10,782 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:10,782 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:10,782 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:42:10,782 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:10,798 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HDHLYERMRZNARKV8ZXR2.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\HDHLYERMRZNARKV8ZXR2.temp'
2019-08-13 23:42:10,798 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:10,798 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:10,798 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\qNaPrre.dll.
2019-08-13 23:42:10,798 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:10,813 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:10,813 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1389b1e.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1389b1e.TMP'
2019-08-13 23:42:10,813 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77380000
2019-08-13 23:42:10,828 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2008 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000255000-0x0000000000260000
2019-08-13 23:42:10,828 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:10,828 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:10,828 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:10,828 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:10,828 [root] DEBUG: InjectDllViaIAT: Allocated 0x1128 bytes for new import table at 0x00490000.
2019-08-13 23:42:10,828 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 23:42:10,845 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HDHLYERMRZNARKV8ZXR2.temp" does not exist, skip.
2019-08-13 23:42:10,845 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:10,845 [root] DEBUG: Loader: Injecting process 2772 (thread 2536) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,845 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:10,845 [root] INFO: Added new process to list with pid: 2008
2019-08-13 23:42:10,859 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:10,859 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:10,859 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:10,859 [root] INFO: Monitor successfully loaded in process with pid 2008.
2019-08-13 23:42:10,859 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\qNaPrre.dll.
2019-08-13 23:42:10,859 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HDHLYERMRZNARKV8ZXR2.temp" does not exist, skip.
2019-08-13 23:42:10,875 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,875 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:10,875 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2076
2019-08-13 23:42:10,875 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:10,891 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:10,891 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:10,891 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:10,891 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:10,891 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:10,891 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:10,907 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:10,923 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:10,923 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:10,923 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:10,923 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2772
2019-08-13 23:42:10,923 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:10,923 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:10,937 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:10,937 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:10,937 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:10,937 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:10,953 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:10,953 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2076 at 0x74af0000, image base 0x400000, stack from 0x286000-0x290000
2019-08-13 23:42:10,970 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:10,970 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:10,970 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\ропрУВаЫсен.exe.
2019-08-13 23:42:10,970 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:10,970 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:10,984 [root] INFO: Added new process to list with pid: 2076
2019-08-13 23:42:10,984 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:10,984 [root] INFO: Monitor successfully loaded in process with pid 2076.
2019-08-13 23:42:10,984 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:10,984 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:11,000 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:42:11,000 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:11,000 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2772 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000275000-0x0000000000280000
2019-08-13 23:42:11,000 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:42:11,000 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:11,000 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableScriptScanning $true.
2019-08-13 23:42:11,000 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:42:11,016 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:11,016 [root] INFO: Added new process to list with pid: 2772
2019-08-13 23:42:11,016 [root] DEBUG: DLL loaded at 0x74820000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:42:11,016 [root] INFO: Monitor successfully loaded in process with pid 2772.
2019-08-13 23:42:11,032 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:11,032 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:42:11,032 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:11,048 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:11,048 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:11,048 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:42:11,048 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:11,048 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:11,094 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:11,094 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:11,094 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:42:11,094 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:11,094 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:11,125 [root] DEBUG: DLL unloaded from 0x76790000.
2019-08-13 23:42:11,125 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:11,125 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:11,141 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:11,157 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:11,157 [root] DEBUG: DLL loaded at 0x000007FEF2DF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:11,203 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:11,203 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:11,203 [root] DEBUG: DLL loaded at 0x000007FEEF5B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:11,203 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:11,219 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:11,296 [root] DEBUG: set_caller_info: Adding region at 0x009B0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:42:11,296 [root] DEBUG: DLL loaded at 0x000007FEFA5A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:11,296 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:11,312 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:11,312 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:11,328 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:11,328 [root] DEBUG: DLL loaded at 0x74620000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:42:11,359 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:11,359 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:11,359 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:42:11,359 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:11,359 [root] DEBUG: DLL loaded at 0x74480000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:42:11,391 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:42:11,391 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:11,391 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:42:11,391 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:11,391 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:11,405 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:11,405 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:11,405 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:42:11,405 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 23:42:11,421 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:42:11,437 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:42:11,437 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:42:11,437 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:11,437 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:42:11,469 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:42:11,469 [root] DEBUG: DLL loaded at 0x000007FEF2DF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:11,469 [root] DEBUG: DLL loaded at 0x000007FEEF5B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:11,469 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:42:11,500 [root] DEBUG: DLL loaded at 0x000007FEFA5A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:11,500 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:11,500 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-08-13 23:42:11,500 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2416
2019-08-13 23:42:11,546 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:11,608 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:11,608 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:11,640 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:11,655 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:11,671 [root] DEBUG: Loader: Injecting process 2416 (thread 2916) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:11,671 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:11,671 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:11,671 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:11,671 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:11,671 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:11,687 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:11,687 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2416
2019-08-13 23:42:11,687 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:11,703 [root] DEBUG: DLL unloaded from 0x74620000.
2019-08-13 23:42:11,717 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:11,717 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:11,733 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:11,733 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:11,733 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:11,733 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:11,750 [root] DEBUG: DLL loaded at 0x74790000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:11,750 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:11,750 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:11,750 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:11,765 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1240
2019-08-13 23:42:11,765 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:11,765 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:11,780 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:11,780 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:11,780 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:11,780 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:11,796 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2416 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000144000-0x0000000000240000
2019-08-13 23:42:11,796 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:11,796 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c sc stop WinDefend.
2019-08-13 23:42:11,796 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:11,796 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:11,796 [root] INFO: Added new process to list with pid: 2416
2019-08-13 23:42:11,812 [root] INFO: Monitor successfully loaded in process with pid 2416.
2019-08-13 23:42:11,812 [root] DEBUG: Loader: Injecting process 1240 (thread 2780) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:11,812 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:11,828 [root] INFO: Announced 64-bit process name: sc.exe pid: 1084
2019-08-13 23:42:11,828 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:11,828 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:11,842 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:11,842 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:11,842 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:11,842 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:11,842 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:11,842 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:11,842 [root] DEBUG: Loader: Injecting process 1084 (thread 1248) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:11,858 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:11,858 [root] DEBUG: Process image base: 0x00000000FF410000
2019-08-13 23:42:11,858 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1240
2019-08-13 23:42:11,858 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:11,858 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:11,858 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF41F000 - 0x000007FEFF6A0000
2019-08-13 23:42:11,858 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:11,874 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FF420000.
2019-08-13 23:42:11,874 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:11,874 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:11,874 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:11,874 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:11,874 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:11,874 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:11,890 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1084
2019-08-13 23:42:11,890 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:11,937 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 112
2019-08-13 23:42:11,951 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:11,951 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:11,951 [root] DEBUG: GetHookCallerBase: thread 684 (handle 0x0), return address 0x005D56B3, allocation base 0x005C0000.
2019-08-13 23:42:11,951 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:11,951 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:11,951 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:11,951 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:11,967 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 23:42:11,967 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:11,967 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:11,967 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2984
2019-08-13 23:42:11,967 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:11,967 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:42:11,967 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1240 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000134000-0x0000000000230000
2019-08-13 23:42:11,983 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:11,983 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:11,983 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:42:11,999 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c sc delete WinDefend.
2019-08-13 23:42:11,999 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:11,999 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:12,015 [root] INFO: Added new process to list with pid: 1240
2019-08-13 23:42:12,015 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:12,015 [root] INFO: Monitor successfully loaded in process with pid 1240.
2019-08-13 23:42:12,015 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1084 at 0x00000000743A0000, image base 0x00000000FF410000, stack from 0x00000000001B6000-0x00000000001C0000
2019-08-13 23:42:12,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:12,029 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\112_4905288211122314382019
2019-08-13 23:42:12,029 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:12,029 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\sc  stop WinDefend.
2019-08-13 23:42:12,029 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:12,029 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:12,029 [root] DEBUG: Loader: Injecting process 2984 (thread 3076) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,029 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 23:42:12,029 [root] INFO: Added new process to list with pid: 1084
2019-08-13 23:42:12,029 [root] INFO: Announced 64-bit process name: sc.exe pid: 3168
2019-08-13 23:42:12,029 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:12,046 [root] INFO: Monitor successfully loaded in process with pid 1084.
2019-08-13 23:42:12,046 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x005C0000.
2019-08-13 23:42:12,046 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,046 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:12,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\xyAIARtiO\CAPE\112_5681490701222314382019
2019-08-13 23:42:12,046 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:12,046 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:12,046 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:12,046 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1084
2019-08-13 23:42:12,046 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:12,062 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:12,062 [root] DEBUG: GetHookCallerBase: thread 1248 (handle 0x0), return address 0x00000000FF41107F, allocation base 0x00000000FF410000.
2019-08-13 23:42:12,062 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:12,062 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:12,062 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,076 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\112_5681490701222314382019
2019-08-13 23:42:12,076 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF410000.
2019-08-13 23:42:12,076 [root] DEBUG: Loader: Injecting process 3168 (thread 3172) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,092 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2984
2019-08-13 23:42:12,092 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:12,092 [root] DEBUG: DumpRegion: Dumped stack region from 0x005C0000, size 0x2c000.
2019-08-13 23:42:12,092 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF410000.
2019-08-13 23:42:12,092 [root] DEBUG: Process image base: 0x00000000FF410000
2019-08-13 23:42:12,092 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:12,108 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:12,108 [root] DEBUG: DLL unloaded from 0x74620000.
2019-08-13 23:42:12,108 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:42:12,108 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,108 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:12,108 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:12,108 [root] DEBUG: DLL unloaded from 0x75700000.
2019-08-13 23:42:12,108 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF41F000 - 0x000007FEFF6A0000
2019-08-13 23:42:12,108 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:42:12,124 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:12,124 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-08-13 23:42:12,124 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:12,124 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FF420000.
2019-08-13 23:42:12,140 [root] INFO: Notified of termination of process with pid 112.
2019-08-13 23:42:12,140 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:12,140 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:12,140 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:12,140 [root] DEBUG: DLL loaded at 0x74790000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:12,140 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:12,140 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,140 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\1084_8489230123222314382019
2019-08-13 23:42:12,154 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3168
2019-08-13 23:42:12,154 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:12,154 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:12,154 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:42:12,154 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3436
2019-08-13 23:42:12,154 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:12,171 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2984 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000124000-0x0000000000220000
2019-08-13 23:42:12,171 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:12,171 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:12,186 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:12,186 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 23:42:12,186 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:12,186 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:12,186 [root] INFO: Notified of termination of process with pid 1084.
2019-08-13 23:42:12,186 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:12,186 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:12,201 [root] INFO: Added new process to list with pid: 2984
2019-08-13 23:42:12,201 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2416
2019-08-13 23:42:12,201 [root] INFO: Monitor successfully loaded in process with pid 2984.
2019-08-13 23:42:12,201 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:12,201 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:12,217 [root] DEBUG: GetHookCallerBase: thread 2916 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:12,217 [root] DEBUG: Loader: Injecting process 3436 (thread 3440) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,217 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:12,217 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:12,217 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:12,217 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:12,217 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:12,217 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3564
2019-08-13 23:42:12,217 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:12,217 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:12,233 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,233 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3168 at 0x00000000743A0000, image base 0x00000000FF410000, stack from 0x00000000001C5000-0x00000000001D0000
2019-08-13 23:42:12,233 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:12,233 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:12,233 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:12,233 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:12,249 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\sc  delete WinDefend.
2019-08-13 23:42:12,249 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:12,249 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:12,249 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:12,249 [root] INFO: Added new process to list with pid: 3168
2019-08-13 23:42:12,263 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:12,263 [root] INFO: Monitor successfully loaded in process with pid 3168.
2019-08-13 23:42:12,263 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:12,263 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,263 [root] DEBUG: Loader: Injecting process 3564 (thread 3568) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,263 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3436
2019-08-13 23:42:12,263 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3168
2019-08-13 23:42:12,279 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:12,279 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S0PI7J0GLVSY176LK5RV.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\S0PI7J0GLVSY176LK5RV.temp'
2019-08-13 23:42:12,279 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:12,279 [root] DEBUG: GetHookCallerBase: thread 3172 (handle 0x0), return address 0x00000000FF41107F, allocation base 0x00000000FF410000.
2019-08-13 23:42:12,279 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2416_2193493361222314382019
2019-08-13 23:42:12,279 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,279 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S0PI7J0GLVSY176LK5RV.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\S0PI7J0GLVSY176LK5RV.temp'
2019-08-13 23:42:12,279 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:12,296 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:12,296 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:12,296 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF410000.
2019-08-13 23:42:12,296 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:12,296 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:12,296 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:12,311 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:12,311 [root] DEBUG: DLL loaded at 0x000007FEEED60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:12,311 [root] DEBUG: DLL loaded at 0x000007FEEED60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:12,311 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:12,311 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF410000.
2019-08-13 23:42:12,311 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:12,311 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S0PI7J0GLVSY176LK5RV.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\S0PI7J0GLVSY176LK5RV.temp'
2019-08-13 23:42:12,311 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:12,311 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:12,311 [root] DEBUG: DLL loaded at 0x000000001D0C0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:12,326 [root] INFO: Notified of termination of process with pid 2416.
2019-08-13 23:42:12,326 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:42:12,326 [root] DEBUG: DLL loaded at 0x000000001D100000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:12,326 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:12,326 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b0c87.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b0c87.TMP'
2019-08-13 23:42:12,326 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:12,326 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:12,342 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,342 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:12,342 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:42:12,358 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:12,358 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:12,358 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:12,358 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3564
2019-08-13 23:42:12,358 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:12,358 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3868
2019-08-13 23:42:12,358 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:12,358 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:12,374 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S0PI7J0GLVSY176LK5RV.temp" does not exist, skip.
2019-08-13 23:42:12,374 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:12,374 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3436 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000194000-0x0000000000290000
2019-08-13 23:42:12,374 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3168_15893016543222314382019
2019-08-13 23:42:12,374 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:12,374 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:12,374 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:12,374 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:12,388 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 23:42:12,388 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:12,388 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:42:12,388 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:12,388 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:12,388 [root] INFO: Added new process to list with pid: 3436
2019-08-13 23:42:12,388 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:12,388 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:12,388 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:12,404 [root] INFO: Monitor successfully loaded in process with pid 3436.
2019-08-13 23:42:12,404 [root] INFO: Notified of termination of process with pid 3168.
2019-08-13 23:42:12,404 [root] DEBUG: Loader: Injecting process 3868 (thread 3872) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,404 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:12,404 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:12,404 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1240
2019-08-13 23:42:12,404 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:12,420 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:12,420 [root] DEBUG: GetHookCallerBase: thread 2780 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:12,420 [root] INFO: Announced 64-bit process name: powershell.exe pid: 4008
2019-08-13 23:42:12,420 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,436 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:12,436 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:12,436 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:12,436 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:12,436 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3564 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000286000-0x0000000000290000
2019-08-13 23:42:12,436 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:12,436 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:12,436 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:12,436 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 23:42:12,451 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:12,451 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:12,451 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:12,451 [root] INFO: Added new process to list with pid: 3564
2019-08-13 23:42:12,451 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:12,451 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:12,451 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,451 [root] INFO: Monitor successfully loaded in process with pid 3564.
2019-08-13 23:42:12,451 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:12,467 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3868
2019-08-13 23:42:12,467 [root] DEBUG: Loader: Injecting process 4008 (thread 4012) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,467 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:12,483 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:12,483 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:12,483 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:12,483 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:12,483 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:12,483 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:12,483 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,483 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\1240_13375657081222314382019
2019-08-13 23:42:12,497 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:12,497 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:12,497 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:12,497 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:12,497 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:12,513 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:12,513 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:12,513 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:12,513 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:12,513 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:12,529 [root] DEBUG: DLL loaded at 0x74790000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:12,529 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:12,529 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:12,529 [root] INFO: Notified of termination of process with pid 1240.
2019-08-13 23:42:12,529 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:12,545 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3148
2019-08-13 23:42:12,545 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:12,545 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,561 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:12,561 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:12,561 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4008
2019-08-13 23:42:12,561 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:12,575 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:12,575 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:12,575 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:12,575 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3868 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x00000000001B4000-0x00000000002B0000
2019-08-13 23:42:12,575 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:12,575 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:12,575 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:12,575 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 23:42:12,592 [root] DEBUG: Loader: Injecting process 3148 (thread 3284) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,592 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:12,592 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:12,592 [root] INFO: Added new process to list with pid: 3868
2019-08-13 23:42:12,592 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:12,608 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:12,608 [root] INFO: Monitor successfully loaded in process with pid 3868.
2019-08-13 23:42:12,608 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,608 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:12,608 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:12,608 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:12,608 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:12,608 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:12,638 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:12,638 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:12,638 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:12,638 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:12,654 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3424
2019-08-13 23:42:12,654 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:12,654 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:12,654 [root] DEBUG: DLL loaded at 0x000007FEF2DF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:12,654 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:12,670 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 4008 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000215000-0x0000000000220000
2019-08-13 23:42:12,686 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S0PI7J0GLVSY176LK5RV.temp" does not exist, skip.
2019-08-13 23:42:12,686 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:12,686 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,686 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 23:42:12,686 [root] DEBUG: DLL loaded at 0x000007FEEF5B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:12,686 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:12,700 [root] INFO: Added new process to list with pid: 4008
2019-08-13 23:42:12,700 [root] INFO: Monitor successfully loaded in process with pid 4008.
2019-08-13 23:42:12,717 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:12,717 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:12,717 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3148
2019-08-13 23:42:12,717 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:12,717 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:12,717 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:12,717 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:12,717 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:12,732 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:12,747 [root] DEBUG: Loader: Injecting process 3424 (thread 3428) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,747 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:12,747 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:12,763 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:12,763 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:12,763 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:12,779 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:12,779 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:12,779 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,795 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:12,795 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:12,809 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:12,809 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:12,809 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:12,825 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:12,842 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:12,842 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:12,842 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3708
2019-08-13 23:42:12,842 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:12,842 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:12,842 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:12,857 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:12,857 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:12,857 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:12,857 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3148 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x00000000000C4000-0x00000000001C0000
2019-08-13 23:42:12,872 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:12,872 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,872 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 23:42:12,904 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:12,904 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:42:12,904 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:12,904 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3424
2019-08-13 23:42:12,904 [root] INFO: Added new process to list with pid: 3148
2019-08-13 23:42:12,904 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:12,920 [root] DEBUG: Loader: Injecting process 3708 (thread 3716) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,920 [root] INFO: Monitor successfully loaded in process with pid 3148.
2019-08-13 23:42:12,920 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:12,934 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:12,934 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:12,934 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:12,950 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:12,950 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:12,950 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:12,950 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:12,950 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:12,950 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2264
2019-08-13 23:42:12,966 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:12,966 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:12,966 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:12,966 [root] DEBUG: DLL loaded at 0x000007FEFA5A0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:12,997 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:12,997 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:13,091 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:13,091 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:13,091 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:13,121 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:13,138 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:13,154 [root] INFO: Process with pid 112 has terminated
2019-08-13 23:42:13,168 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:13,168 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,168 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:13,168 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3708
2019-08-13 23:42:13,168 [root] INFO: Process with pid 2416 has terminated
2019-08-13 23:42:13,168 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:13,184 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:13,184 [root] INFO: Process with pid 1084 has terminated
2019-08-13 23:42:13,184 [root] DEBUG: Loader: Injecting process 2264 (thread 2916) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,200 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:13,200 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:13,200 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:13,200 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:13,200 [root] INFO: Process with pid 3168 has terminated
2019-08-13 23:42:13,200 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:13,200 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:13,246 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:13,263 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3424 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x00000000001D6000-0x00000000001E0000
2019-08-13 23:42:13,263 [root] DEBUG: DLL loaded at 0x000007FEEED60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:13,263 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:13,263 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,263 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:13,263 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 23:42:13,263 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:13,263 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2208
2019-08-13 23:42:13,293 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:13,293 [root] DEBUG: DLL loaded at 0x000000001CFF0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:13,309 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:13,309 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:13,309 [root] DEBUG: GetHookCallerBase: thread 3012 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:13,309 [root] INFO: Added new process to list with pid: 3424
2019-08-13 23:42:13,325 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:13,325 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:13,325 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:13,325 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:13,341 [root] DEBUG: DLL loaded at 0x74790000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:13,341 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:13,341 [root] INFO: Monitor successfully loaded in process with pid 3424.
2019-08-13 23:42:13,341 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:13,355 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:13,355 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:13,355 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:13,355 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:13,355 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3180
2019-08-13 23:42:13,371 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:13,371 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:13,371 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,371 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:13,371 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:13,388 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2264
2019-08-13 23:42:13,388 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:13,388 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:13,388 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:13,388 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:13,403 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:13,403 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:13,403 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:13,403 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3708 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000114000-0x0000000000210000
2019-08-13 23:42:13,403 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:13,418 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:13,418 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:13,434 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:13,434 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:13,434 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 23:42:13,434 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2208_4612761203322314382019
2019-08-13 23:42:13,434 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:13,450 [root] DEBUG: Loader: Injecting process 3180 (thread 3184) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,450 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:13,466 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:13,466 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:13,466 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:13,466 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:13,466 [root] INFO: Added new process to list with pid: 3708
2019-08-13 23:42:13,466 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:13,480 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:13,480 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:13,496 [root] INFO: Monitor successfully loaded in process with pid 3708.
2019-08-13 23:42:13,496 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:13,496 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:13,496 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,496 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:13,512 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:13,512 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:13,512 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:13,512 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:13,512 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:13,528 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3416
2019-08-13 23:42:13,528 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:13,528 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:13,528 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2264 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x00000000001C5000-0x00000000001D0000
2019-08-13 23:42:13,528 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:13,528 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:13,528 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:13,528 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:13,543 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 23:42:13,543 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:13,543 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:13,543 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:13,543 [root] INFO: Added new process to list with pid: 2264
2019-08-13 23:42:13,543 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,543 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:13,559 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:13,559 [root] INFO: Monitor successfully loaded in process with pid 2264.
2019-08-13 23:42:13,559 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3180
2019-08-13 23:42:13,559 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:13,559 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:13,575 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:13,575 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:13,575 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:13,575 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:13,575 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:13,575 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:13,575 [root] DEBUG: Loader: Injecting process 3416 (thread 3420) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,589 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:13,589 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:13,589 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:13,589 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:13,589 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:13,589 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:13,605 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:13,605 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:13,605 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:13,605 [root] INFO: Notified of termination of process with pid 2208.
2019-08-13 23:42:13,605 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:13,605 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:13,653 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,653 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:13,684 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:13,700 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:13,714 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2280
2019-08-13 23:42:13,714 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:13,714 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:13,714 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:13,714 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:13,714 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:13,730 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:13,730 [root] DEBUG: GetHookCallerBase: thread 1840 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:13,730 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:13,730 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:13,746 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:13,746 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3844
2019-08-13 23:42:13,746 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:13,746 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:13,778 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:13,778 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:13,809 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:13,809 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:13,809 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:13,823 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,823 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:13,823 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:13,823 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3180 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000134000-0x0000000000230000
2019-08-13 23:42:13,823 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:13,839 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:13,839 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:13,839 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3416
2019-08-13 23:42:13,855 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:13,871 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:13,871 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 23:42:13,887 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:13,887 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:13,901 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:13,901 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:13,901 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:13,917 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:13,917 [root] INFO: Added new process to list with pid: 3180
2019-08-13 23:42:13,917 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:13,934 [root] DEBUG: Loader: Injecting process 3844 (thread 3648) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,934 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:13,934 [root] INFO: Monitor successfully loaded in process with pid 3180.
2019-08-13 23:42:13,934 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:13,934 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2280_16474198661322314382019
2019-08-13 23:42:13,948 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:13,948 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:13,948 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:13,948 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:13,948 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:13,964 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:13,964 [root] INFO: Announced 64-bit process name: powershell.exe pid: 4072
2019-08-13 23:42:13,964 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:13,964 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:13,964 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:13,980 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:13,980 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:13,980 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:13,996 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:13,996 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:13,996 [root] INFO: Notified of termination of process with pid 2280.
2019-08-13 23:42:13,996 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:13,996 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:13,996 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:14,058 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3416 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x00000000001A5000-0x00000000001B0000
2019-08-13 23:42:14,073 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:14,073 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 23:42:14,073 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:14,089 [root] DEBUG: Loader: Injecting process 4072 (thread 4064) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:14,089 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:14,089 [root] INFO: Added new process to list with pid: 3416
2019-08-13 23:42:14,105 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:14,105 [root] INFO: Monitor successfully loaded in process with pid 3416.
2019-08-13 23:42:14,105 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3844
2019-08-13 23:42:14,105 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:14,105 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:14,121 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:14,121 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:14,121 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:14,121 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:14,135 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:14,135 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:14,135 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2868
2019-08-13 23:42:14,135 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:14,135 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:14,135 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:14,135 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:14,151 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:14,151 [root] DEBUG: GetHookCallerBase: thread 2012 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:14,151 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:14,151 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:14,151 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:14,167 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:14,183 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:14,183 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:14,183 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:14,198 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:14,198 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:14,198 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4072
2019-08-13 23:42:14,198 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:14,230 [root] INFO: Process with pid 2280 has terminated
2019-08-13 23:42:14,230 [root] DEBUG: DLL loaded at 0x74790000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:14,230 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:14,230 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:14,230 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:14,246 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:14,246 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:14,246 [root] INFO: Process with pid 2208 has terminated
2019-08-13 23:42:14,260 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EPGPGRXGPEWTFF5FLXX0.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\EPGPGRXGPEWTFF5FLXX0.temp'
2019-08-13 23:42:14,276 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:14,276 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3576
2019-08-13 23:42:14,308 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:14,308 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:14,308 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:14,308 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:14,323 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EPGPGRXGPEWTFF5FLXX0.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\EPGPGRXGPEWTFF5FLXX0.temp'
2019-08-13 23:42:14,338 [root] INFO: Process with pid 1240 has terminated
2019-08-13 23:42:14,338 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:14,338 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:14,338 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:14,338 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:14,338 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3844 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000124000-0x0000000000220000
2019-08-13 23:42:14,355 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:14,355 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2868_11850243443422314382019
2019-08-13 23:42:14,355 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:14,355 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:14,401 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:14,401 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 23:42:14,401 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EPGPGRXGPEWTFF5FLXX0.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\EPGPGRXGPEWTFF5FLXX0.temp'
2019-08-13 23:42:14,401 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:14,417 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:14,417 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:14,433 [root] INFO: Added new process to list with pid: 3844
2019-08-13 23:42:14,433 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:14,433 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:14,433 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b14b1.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b14b1.TMP'
2019-08-13 23:42:14,433 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:14,433 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:14,433 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:14,433 [root] INFO: Monitor successfully loaded in process with pid 3844.
2019-08-13 23:42:14,447 [root] DEBUG: Loader: Injecting process 3576 (thread 3572) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:14,447 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:14,447 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:14,447 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:14,447 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 4072 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x00000000000C5000-0x00000000000D0000
2019-08-13 23:42:14,463 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:14,480 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:14,480 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:14,480 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:14,494 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EPGPGRXGPEWTFF5FLXX0.temp" does not exist, skip.
2019-08-13 23:42:14,494 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:14,494 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:14,510 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 23:42:14,510 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:14,510 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3660
2019-08-13 23:42:14,526 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:14,526 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:14,542 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:14,542 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:14,542 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:14,542 [root] INFO: Added new process to list with pid: 4072
2019-08-13 23:42:14,542 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:14,542 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:14,542 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:14,604 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:14,604 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:14,604 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EPGPGRXGPEWTFF5FLXX0.temp" does not exist, skip.
2019-08-13 23:42:14,604 [root] INFO: Monitor successfully loaded in process with pid 4072.
2019-08-13 23:42:14,619 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:14,619 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:14,619 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:14,667 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:14,667 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:14,667 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:14,681 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:14,681 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:14,681 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:14,713 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:14,744 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:14,759 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:14,759 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:14,759 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:14,759 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:14,759 [root] DEBUG: Loader: Injecting process 3660 (thread 3892) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:14,792 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:14,792 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:14,792 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3576
2019-08-13 23:42:14,806 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:14,806 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:14,806 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:14,806 [root] INFO: Notified of termination of process with pid 2868.
2019-08-13 23:42:14,806 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:14,806 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:14,806 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:14,806 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:14,822 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:14,822 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:14,838 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1468
2019-08-13 23:42:14,854 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:14,854 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:14,854 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:14,854 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:14,854 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:14,854 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:14,869 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:14,869 [root] DEBUG: GetHookCallerBase: thread 2284 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:14,884 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:14,884 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:42:14,884 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:14,901 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:14,901 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:14,901 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:14,901 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:14,915 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:14,915 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:14,915 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:14,931 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:14,931 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:14,931 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:14,947 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:14,947 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:14,947 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:14,963 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:14,963 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:14,963 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:14,979 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:14,979 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:14,993 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:14,993 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:15,009 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:15,026 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DEH1Y7N4ZZ76A6L2Z9V.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\3DEH1Y7N4ZZ76A6L2Z9V.temp'
2019-08-13 23:42:15,026 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:15,026 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:15,040 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3524
2019-08-13 23:42:15,040 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3660
2019-08-13 23:42:15,040 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:15,040 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2244
2019-08-13 23:42:15,056 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DEH1Y7N4ZZ76A6L2Z9V.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\3DEH1Y7N4ZZ76A6L2Z9V.temp'
2019-08-13 23:42:15,056 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:15,056 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:15,072 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:15,072 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:15,072 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:15,072 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JU75V9NTIXPPHOA5A3DY.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JU75V9NTIXPPHOA5A3DY.temp'
2019-08-13 23:42:15,088 [root] DEBUG: GetHookCallerBase: thread 2172 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:15,088 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:15,104 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3576 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x00000000001A4000-0x00000000002A0000
2019-08-13 23:42:15,104 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:15,104 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:15,104 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:15,118 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JU75V9NTIXPPHOA5A3DY.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JU75V9NTIXPPHOA5A3DY.temp'
2019-08-13 23:42:15,118 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:15,118 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DEH1Y7N4ZZ76A6L2Z9V.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\3DEH1Y7N4ZZ76A6L2Z9V.temp'
2019-08-13 23:42:15,118 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:15,118 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\1468_8692525771522314382019
2019-08-13 23:42:15,134 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 23:42:15,134 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:15,134 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:15,150 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:15,150 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:15,150 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:15,150 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b177f.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b177f.TMP'
2019-08-13 23:42:15,150 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:15,150 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:15,165 [root] INFO: Added new process to list with pid: 3576
2019-08-13 23:42:15,165 [root] DEBUG: Loader: Injecting process 3524 (thread 3732) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:15,181 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:15,181 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JU75V9NTIXPPHOA5A3DY.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JU75V9NTIXPPHOA5A3DY.temp'
2019-08-13 23:42:15,181 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:15,181 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:15,181 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:15,197 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:15,197 [root] INFO: Monitor successfully loaded in process with pid 3576.
2019-08-13 23:42:15,197 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:15,197 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:15,213 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:15,227 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b17ae.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b17ae.TMP'
2019-08-13 23:42:15,227 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DEH1Y7N4ZZ76A6L2Z9V.temp" does not exist, skip.
2019-08-13 23:42:15,227 [root] INFO: Notified of termination of process with pid 1468.
2019-08-13 23:42:15,243 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:15,243 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:15,259 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:15,259 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:15,259 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2244_13251470722537314382019
2019-08-13 23:42:15,275 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:15,275 [root] INFO: Announced 64-bit process name: powershell.exe pid: 4084
2019-08-13 23:42:15,275 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JU75V9NTIXPPHOA5A3DY.temp" does not exist, skip.
2019-08-13 23:42:15,275 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3660 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000105000-0x0000000000110000
2019-08-13 23:42:15,275 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:15,275 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:15,290 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:15,290 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 23:42:15,290 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:15,290 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:15,305 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:15,305 [root] INFO: Added new process to list with pid: 3660
2019-08-13 23:42:15,305 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:15,322 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:15,322 [root] INFO: Monitor successfully loaded in process with pid 3660.
2019-08-13 23:42:15,322 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3524
2019-08-13 23:42:15,322 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:15,322 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:15,338 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:15,338 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:15,338 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:15,352 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:15,352 [root] DEBUG: Loader: Injecting process 4084 (thread 2576) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:15,352 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:42:15,352 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:15,352 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:15,352 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:15,352 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:15,352 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:15,368 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:15,368 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:15,368 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:15,400 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:15,400 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:15,400 [root] INFO: Process with pid 1468 has terminated
2019-08-13 23:42:15,400 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:15,400 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:15,400 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:15,415 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:15,415 [root] DEBUG: DLL loaded at 0x74790000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:15,415 [root] INFO: Process with pid 2868 has terminated
2019-08-13 23:42:15,415 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:15,415 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:15,430 [root] INFO: Notified of termination of process with pid 2244.
2019-08-13 23:42:15,430 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:15,447 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2168
2019-08-13 23:42:15,447 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:15,447 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:15,461 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:15,461 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2840
2019-08-13 23:42:15,461 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:15,477 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3524 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x00000000001F4000-0x00000000002F0000
2019-08-13 23:42:15,493 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:15,493 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:15,493 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:15,493 [root] DEBUG: GetHookCallerBase: thread 1772 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:15,493 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:15,493 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 23:42:15,493 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:15,493 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:15,509 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:15,509 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:15,509 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4084
2019-08-13 23:42:15,525 [root] INFO: Added new process to list with pid: 3524
2019-08-13 23:42:15,525 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:15,539 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:15,539 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DEH1Y7N4ZZ76A6L2Z9V.temp" does not exist, skip.
2019-08-13 23:42:15,539 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:15,539 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:15,539 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:15,539 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:15,555 [root] INFO: Monitor successfully loaded in process with pid 3524.
2019-08-13 23:42:15,555 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:15,555 [root] DEBUG: Loader: Injecting process 2168 (thread 2512) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:15,572 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:15,572 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:15,572 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JU75V9NTIXPPHOA5A3DY.temp" does not exist, skip.
2019-08-13 23:42:15,572 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:15,572 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:15,586 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:15,586 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:15,586 [root] DEBUG: Process image base: 0x0000000049E20000
2019-08-13 23:42:15,602 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:15,602 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:15,602 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:15,602 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:15,618 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:15,618 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:15,618 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:15,618 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:15,618 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2632
2019-08-13 23:42:15,634 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:15,634 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:15,634 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:15,634 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:15,650 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E79000 - 0x0000000077380000
2019-08-13 23:42:15,664 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:15,664 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:15,680 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:15,680 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:15,696 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:15,696 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2840_4248671521522314382019
2019-08-13 23:42:15,696 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x0000000049E80000.
2019-08-13 23:42:15,696 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:15,696 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:15,696 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:15,711 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:15,711 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:15,727 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:15,727 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:15,727 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:15,759 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:15,884 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:15,884 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:15,898 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:15,914 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:15,898 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:15,914 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:15,930 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:15,930 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:15,930 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:15,930 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:15,930 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:15,930 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:15,946 [root] DEBUG: Loader: Injecting process 2632 (thread 2320) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:15,946 [root] INFO: Notified of termination of process with pid 2840.
2019-08-13 23:42:15,946 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 4084 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000115000-0x0000000000120000
2019-08-13 23:42:15,993 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:15,993 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2168
2019-08-13 23:42:15,993 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:16,023 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:16,023 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:16,039 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 23:42:16,039 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:42:16,039 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:16,039 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\03C4H017QVD6G6RH061M.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\03C4H017QVD6G6RH061M.temp'
2019-08-13 23:42:16,055 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:16,055 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:16,071 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:16,071 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:16,071 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:42:16,085 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:16,085 [root] INFO: Added new process to list with pid: 4084
2019-08-13 23:42:16,085 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\03C4H017QVD6G6RH061M.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\03C4H017QVD6G6RH061M.temp'
2019-08-13 23:42:16,085 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:16,085 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:42:16,085 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:16,085 [root] INFO: Monitor successfully loaded in process with pid 4084.
2019-08-13 23:42:16,101 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:16,101 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:16,101 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:16,118 [root] INFO: Announced 64-bit process name: svchost.exe pid: 3316
2019-08-13 23:42:16,118 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:16,118 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:16,132 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:16,148 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:16,148 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:16,148 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:16,148 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\03C4H017QVD6G6RH061M.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\03C4H017QVD6G6RH061M.temp'
2019-08-13 23:42:16,148 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:16,148 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:16,148 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:16,148 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:16,148 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:16,164 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:16,180 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:16,180 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b1b75.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b1b75.TMP'
2019-08-13 23:42:16,180 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:16,196 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2632
2019-08-13 23:42:16,196 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:16,196 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:16,210 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:16,210 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:16,210 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:16,226 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2168 at 0x00000000743A0000, image base 0x0000000049E20000, stack from 0x0000000000074000-0x0000000000170000
2019-08-13 23:42:16,226 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:16,226 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:16,242 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:16,242 [root] DEBUG: Loader: Injecting process 3316 (thread 3448) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:16,257 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:16,257 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\03C4H017QVD6G6RH061M.temp" does not exist, skip.
2019-08-13 23:42:16,257 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableScriptScanning $true.
2019-08-13 23:42:16,257 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:16,273 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:16,273 [root] DEBUG: Process image base: 0x00000000FF8E0000
2019-08-13 23:42:16,289 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:16,289 [root] INFO: Added new process to list with pid: 2168
2019-08-13 23:42:16,289 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:16,289 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:16,305 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:16,305 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:16,305 [root] INFO: Monitor successfully loaded in process with pid 2168.
2019-08-13 23:42:16,319 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\03C4H017QVD6G6RH061M.temp" does not exist, skip.
2019-08-13 23:42:16,319 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7Z5PGPA8E94DZ61WX6Y.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\W7Z5PGPA8E94DZ61WX6Y.temp'
2019-08-13 23:42:16,319 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:16,335 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF8EB000 - 0x000007FEFF6A0000
2019-08-13 23:42:16,335 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:16,335 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:16,351 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:16,351 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7Z5PGPA8E94DZ61WX6Y.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\W7Z5PGPA8E94DZ61WX6Y.temp'
2019-08-13 23:42:16,351 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:16,367 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:16,367 [root] DEBUG: InjectDllViaIAT: Allocated 0x20c bytes for new import table at 0x00000000FF8F0000.
2019-08-13 23:42:16,367 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:16,367 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3236
2019-08-13 23:42:16,367 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:16,367 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:16,382 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:16,382 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:16,382 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:16,398 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:16,398 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7Z5PGPA8E94DZ61WX6Y.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\W7Z5PGPA8E94DZ61WX6Y.temp'
2019-08-13 23:42:16,398 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:16,398 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:16,398 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:16,398 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:16,414 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2632 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x0000000000275000-0x0000000000280000
2019-08-13 23:42:16,414 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3316
2019-08-13 23:42:16,414 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:16,414 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:16,414 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b1c7e.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b1c7e.TMP'
2019-08-13 23:42:16,414 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:16,430 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 23:42:16,430 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:16,430 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:16,430 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:16,430 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:16,444 [root] INFO: Added new process to list with pid: 2632
2019-08-13 23:42:16,444 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:16,444 [root] DEBUG: Loader: Injecting process 3236 (thread 4040) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:16,444 [root] INFO: Monitor successfully loaded in process with pid 2632.
2019-08-13 23:42:16,444 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7Z5PGPA8E94DZ61WX6Y.temp" does not exist, skip.
2019-08-13 23:42:16,444 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:16,460 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:16,460 [root] DEBUG: Process image base: 0x000000013FD20000
2019-08-13 23:42:16,460 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:16,476 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:16,476 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:16,476 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:16,492 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FD97000 - 0x000007FEFF6A0000
2019-08-13 23:42:16,492 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:16,492 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:16,492 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:16,492 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FDA0000.
2019-08-13 23:42:16,507 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:16,507 [root] INFO: Process with pid 2840 has terminated
2019-08-13 23:42:16,507 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:16,507 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:16,507 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:16,523 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:16,523 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3316 at 0x00000000743A0000, image base 0x00000000FF8E0000, stack from 0x00000000000C5000-0x00000000000D0000
2019-08-13 23:42:16,523 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:16,523 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3236
2019-08-13 23:42:16,539 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe.
2019-08-13 23:42:16,539 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:16,553 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:16,553 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:16,569 [root] INFO: Added new process to list with pid: 3316
2019-08-13 23:42:16,569 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:16,569 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:16,569 [root] INFO: Monitor successfully loaded in process with pid 3316.
2019-08-13 23:42:16,569 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:16,617 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:16,617 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:16,631 [root] DEBUG: set_caller_info: Adding region at 0x0000000010000000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:42:16,678 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7Z5PGPA8E94DZ61WX6Y.temp" does not exist, skip.
2019-08-13 23:42:16,678 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:16,678 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:16,678 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:16,678 [root] DEBUG: set_caller_info: Adding region at 0x0000000001EF0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:42:16,678 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:42:16,694 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:16,710 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:16,710 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:16,710 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:16,710 [root] DEBUG: DLL loaded at 0x000007FEF4350000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2019-08-13 23:42:16,710 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:16,710 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:16,726 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:16,742 [root] DEBUG: DLL loaded at 0x000007FEF4240000: C:\Windows\system32\webio (0x64000 bytes).
2019-08-13 23:42:16,742 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:16,756 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:16,756 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3236 at 0x00000000743A0000, image base 0x000000013FD20000, stack from 0x00000000000F5000-0x0000000000100000
2019-08-13 23:42:16,803 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-08-13 23:42:16,803 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\syslink\powershell  Set-MpPreference -DisableScriptScanning $true.
2019-08-13 23:42:16,803 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:16,803 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:16,803 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:16,803 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:16,803 [root] INFO: Added new process to list with pid: 3236
2019-08-13 23:42:16,819 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:16,819 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:16,835 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:16,835 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:16,835 [root] INFO: Monitor successfully loaded in process with pid 3236.
2019-08-13 23:42:16,835 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:16,865 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:16,881 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:16,881 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:16,881 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:16,881 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:16,898 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:16,898 [root] DEBUG: DLL loaded at 0x000000001D010000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:16,898 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:16,898 [root] DEBUG: DLL loaded at 0x000007FEFCCB0000: C:\Windows\system32\bcrypt (0x22000 bytes).
2019-08-13 23:42:16,944 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:16,990 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:16,990 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:17,006 [root] DEBUG: DLL loaded at 0x000007FEFCCE0000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2019-08-13 23:42:17,006 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:17,006 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:17,006 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:17,006 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:17,022 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:17,038 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:17,038 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:17,038 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:17,038 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:17,038 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:17,053 [root] DEBUG: DLL loaded at 0x000007FEFB1A0000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2019-08-13 23:42:17,053 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:17,069 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:17,224 [root] DEBUG: DLL loaded at 0x000007FEFB190000: C:\Windows\system32\WINNSI (0xb000 bytes).
2019-08-13 23:42:17,240 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:17,240 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:17,240 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:17,256 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:17,256 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:17,256 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:17,256 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-08-13 23:42:17,256 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:17,272 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:17,272 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:17,272 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:17,288 [root] DEBUG: set_caller_info: Adding region at 0x0000000000190000 to caller regions list (advapi32::LsaOpenPolicy).
2019-08-13 23:42:17,288 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:17,288 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:17,334 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:17,349 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:17,349 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:17,349 [root] DEBUG: set_caller_info: Adding region at 0x0000000000050000 to caller regions list (ntdll::NtOpenFile).
2019-08-13 23:42:17,365 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:17,365 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:17,365 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:17,381 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:17,444 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:17,459 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:17,474 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:17,506 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:17,506 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:17,522 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:17,536 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:17,552 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:17,584 [root] INFO: Process with pid 2244 has terminated
2019-08-13 23:42:17,584 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:17,615 [root] INFO: Stopped Task Scheduler Service
2019-08-13 23:42:17,631 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2076
2019-08-13 23:42:17,631 [root] DEBUG: GetHookCallerBase: thread 2424 (handle 0x0), return address 0x009C56B3, allocation base 0x009B0000.
2019-08-13 23:42:17,645 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 23:42:17,661 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:42:17,661 [root] INFO: Started Task Scheduler Service
2019-08-13 23:42:17,661 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:42:17,677 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:17,677 [lib.api.process] INFO: 64-bit DLL to inject is C:\nehbva\dll\rcDBrG.dll, loader C:\nehbva\bin\lOErlQGD.exe
2019-08-13 23:42:17,693 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TUUSvecfzs.
2019-08-13 23:42:17,693 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2076_20747833541722314382019
2019-08-13 23:42:17,693 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:17,709 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 23:42:17,709 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-13 23:42:17,723 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x009B0000.
2019-08-13 23:42:17,723 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:17,740 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\xyAIARtiO\CAPE\2076_1958232361722314382019
2019-08-13 23:42:17,740 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:17,756 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:17,770 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:17,770 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2076_1958232361722314382019
2019-08-13 23:42:17,786 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:17,786 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:17,786 [root] DEBUG: DumpRegion: Dumped stack region from 0x009B0000, size 0x2c000.
2019-08-13 23:42:17,802 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:17,802 [root] DEBUG: DLL unloaded from 0x74620000.
2019-08-13 23:42:17,802 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:17,802 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 816 at 0x00000000743A0000, image base 0x00000000FF8E0000, stack from 0x0000000003706000-0x0000000003710000
2019-08-13 23:42:17,802 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF99A0000 to caller regions list (ntdll::NtWaitForSingleObject).
2019-08-13 23:42:17,818 [root] DEBUG: DLL unloaded from 0x75700000.
2019-08-13 23:42:17,818 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-08-13 23:42:17,834 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-08-13 23:42:17,834 [root] INFO: Added new process to list with pid: 816
2019-08-13 23:42:17,834 [root] INFO: Notified of termination of process with pid 2076.
2019-08-13 23:42:17,834 [root] INFO: Monitor successfully loaded in process with pid 816.
2019-08-13 23:42:17,848 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 23:42:17,865 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 23:42:17,865 [root] DEBUG: Successfully injected DLL C:\nehbva\dll\rcDBrG.dll.
2019-08-13 23:42:17,927 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:17,943 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:17,957 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:17,973 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:17,990 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:18,020 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:18,052 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:18,052 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:18,082 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:18,082 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:18,098 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:18,098 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:18,098 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:18,130 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:18,130 [root] DEBUG: DLL loaded at 0x000000001D1A0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:18,145 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:18,161 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:18,161 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:18,269 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:18,286 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:18,394 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:18,394 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:18,457 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:18,519 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:18,519 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:18,614 [root] INFO: Process with pid 2076 has terminated
2019-08-13 23:42:18,676 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:18,957 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:18,957 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:18,957 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:18,971 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:18,971 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:18,971 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:19,035 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:19,035 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:19,035 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:19,035 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:19,065 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:19,065 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:19,082 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:19,082 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:19,112 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:19,128 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2828
2019-08-13 23:42:19,128 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:19,160 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:19,160 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:19,174 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:19,174 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:19,190 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:19,206 [root] DEBUG: GetHookCallerBase: thread 1640 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:19,221 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:19,221 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:19,269 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:19,269 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:19,269 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:19,269 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:19,283 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:19,283 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:19,283 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:19,283 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:19,331 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:19,331 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:19,331 [root] DEBUG: DLL loaded at 0x000000001D140000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:19,331 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:19,346 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:19,361 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SSS4JTN011YGNZH5J4CU.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\SSS4JTN011YGNZH5J4CU.temp'
2019-08-13 23:42:19,361 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:19,361 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:19,361 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:19,378 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OJHRIJ5T46T98R8K2OZZ.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\OJHRIJ5T46T98R8K2OZZ.temp'
2019-08-13 23:42:19,394 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:19,408 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:19,408 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:19,408 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SSS4JTN011YGNZH5J4CU.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\SSS4JTN011YGNZH5J4CU.temp'
2019-08-13 23:42:19,424 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:19,424 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RXCV6XZ8KNA4SYB1O7VM.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RXCV6XZ8KNA4SYB1O7VM.temp'
2019-08-13 23:42:19,424 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:19,440 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:19,456 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1340
2019-08-13 23:42:19,456 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:19,456 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:19,456 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:19,471 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OJHRIJ5T46T98R8K2OZZ.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\OJHRIJ5T46T98R8K2OZZ.temp'
2019-08-13 23:42:19,471 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RXCV6XZ8KNA4SYB1O7VM.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RXCV6XZ8KNA4SYB1O7VM.temp'
2019-08-13 23:42:19,486 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:19,486 [root] DEBUG: GetHookCallerBase: thread 1912 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:19,503 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SSS4JTN011YGNZH5J4CU.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\SSS4JTN011YGNZH5J4CU.temp'
2019-08-13 23:42:19,595 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2828_18913570723922314382019
2019-08-13 23:42:19,595 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DOPZT8XW22FESGB59OEV.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\DOPZT8XW22FESGB59OEV.temp'
2019-08-13 23:42:19,595 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:19,595 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:19,611 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:19,611 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:19,628 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:19,642 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b289f.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b289f.TMP'
2019-08-13 23:42:19,642 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:19,642 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DOPZT8XW22FESGB59OEV.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\DOPZT8XW22FESGB59OEV.temp'
2019-08-13 23:42:19,642 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:19,642 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:19,642 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OJHRIJ5T46T98R8K2OZZ.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\OJHRIJ5T46T98R8K2OZZ.temp'
2019-08-13 23:42:19,658 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:19,674 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:19,674 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:19,674 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RXCV6XZ8KNA4SYB1O7VM.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RXCV6XZ8KNA4SYB1O7VM.temp'
2019-08-13 23:42:19,674 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:19,706 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:19,706 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:19,706 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DOPZT8XW22FESGB59OEV.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\DOPZT8XW22FESGB59OEV.temp'
2019-08-13 23:42:19,706 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:19,720 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b292b.TMP" does not exist, skip.
2019-08-13 23:42:19,736 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:19,736 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SSS4JTN011YGNZH5J4CU.temp" does not exist, skip.
2019-08-13 23:42:19,752 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:19,752 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b291b.TMP" does not exist, skip.
2019-08-13 23:42:19,767 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:19,783 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\1340_17786945913922314382019
2019-08-13 23:42:19,783 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:19,783 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:19,799 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:19,799 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:19,815 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF138bdf9.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF138bdf9.TMP'
2019-08-13 23:42:19,815 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:19,815 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:19,815 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OJHRIJ5T46T98R8K2OZZ.temp" does not exist, skip.
2019-08-13 23:42:19,815 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:19,829 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:19,877 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:19,924 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:20,578 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:20,641 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:21,141 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:21,375 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:22,029 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:22,622 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:23,651 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:23,667 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:23,667 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:23,684 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:23,684 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:23,684 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:42:23,714 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:23,714 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:23,714 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:23,714 [root] DEBUG: DLL loaded at 0x000007FEFB3D0000: C:\Windows\system32\taskschd (0x127000 bytes).
2019-08-13 23:42:23,714 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:23,762 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:23,762 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:23,762 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:23,808 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SSS4JTN011YGNZH5J4CU.temp" does not exist, skip.
2019-08-13 23:42:23,808 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:23,808 [root] DEBUG: DLL loaded at 0x000000001D0E0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:23,808 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:23,808 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:23,808 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:23,808 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:23,808 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:23,808 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RXCV6XZ8KNA4SYB1O7VM.temp" does not exist, skip.
2019-08-13 23:42:23,808 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DOPZT8XW22FESGB59OEV.temp" does not exist, skip.
2019-08-13 23:42:23,855 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:23,855 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:23,871 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:23,871 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:23,871 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1316
2019-08-13 23:42:23,885 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:23,885 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:23,885 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OJHRIJ5T46T98R8K2OZZ.temp" does not exist, skip.
2019-08-13 23:42:23,933 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:23,948 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:23,948 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:23,948 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:23,948 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:23,963 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:24,010 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:24,010 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:24,010 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:24,105 [root] INFO: Notified of termination of process with pid 2828.
2019-08-13 23:42:24,105 [root] DEBUG: GetHookCallerBase: thread 2160 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:24,119 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:24,119 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:24,230 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:24,230 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:24,230 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OQMH0OG7WF08W1L6S5SY.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\OQMH0OG7WF08W1L6S5SY.temp'
2019-08-13 23:42:24,230 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:24,244 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:24,244 [root] INFO: Process with pid 2828 has terminated
2019-08-13 23:42:24,276 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:24,276 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:24,276 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DOPZT8XW22FESGB59OEV.temp" does not exist, skip.
2019-08-13 23:42:24,276 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:24,276 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:24,292 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:24,369 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2672
2019-08-13 23:42:24,369 [root] DEBUG: DLL loaded at 0x000000001D0E0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:24,369 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TZUCQPJS39D9G3XQ82B2.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TZUCQPJS39D9G3XQ82B2.temp'
2019-08-13 23:42:24,369 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OQMH0OG7WF08W1L6S5SY.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\OQMH0OG7WF08W1L6S5SY.temp'
2019-08-13 23:42:24,401 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:24,401 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:24,401 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:24,417 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KLXPOZK4AZ6JGMQG8QZM.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\KLXPOZK4AZ6JGMQG8QZM.temp'
2019-08-13 23:42:24,417 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RX4CL67QCQWRDOIRKYPG.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RX4CL67QCQWRDOIRKYPG.temp'
2019-08-13 23:42:24,431 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:24,431 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:24,431 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:24,479 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:24,479 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:24,479 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:24,494 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TZUCQPJS39D9G3XQ82B2.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TZUCQPJS39D9G3XQ82B2.temp'
2019-08-13 23:42:24,494 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:24,494 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:24,494 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KLXPOZK4AZ6JGMQG8QZM.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\KLXPOZK4AZ6JGMQG8QZM.temp'
2019-08-13 23:42:24,494 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:24,494 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:24,494 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:24,494 [root] DEBUG: GetHookCallerBase: thread 1136 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:24,494 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:24,494 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RX4CL67QCQWRDOIRKYPG.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RX4CL67QCQWRDOIRKYPG.temp'
2019-08-13 23:42:24,604 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:24,604 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:24,697 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:24,697 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JH7PIXP0UVWU6GRM24LX.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JH7PIXP0UVWU6GRM24LX.temp'
2019-08-13 23:42:24,713 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:24,743 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:24,743 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:24,776 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:24,776 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:24,790 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:24,790 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OQMH0OG7WF08W1L6S5SY.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\OQMH0OG7WF08W1L6S5SY.temp'
2019-08-13 23:42:24,806 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:24,806 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:24,838 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TZUCQPJS39D9G3XQ82B2.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TZUCQPJS39D9G3XQ82B2.temp'
2019-08-13 23:42:24,838 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:24,838 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:24,838 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:24,838 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:24,854 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JH7PIXP0UVWU6GRM24LX.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JH7PIXP0UVWU6GRM24LX.temp'
2019-08-13 23:42:24,868 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:24,868 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:24,868 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b3d18.TMP" does not exist, skip.
2019-08-13 23:42:24,868 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KLXPOZK4AZ6JGMQG8QZM.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\KLXPOZK4AZ6JGMQG8QZM.temp'
2019-08-13 23:42:24,884 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:24,884 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:24,900 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\1316_21321551844422314382019
2019-08-13 23:42:24,900 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:24,900 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RX4CL67QCQWRDOIRKYPG.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RX4CL67QCQWRDOIRKYPG.temp'
2019-08-13 23:42:24,900 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:24,900 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:24,915 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:24,915 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:24,931 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:24,931 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:42:24,931 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b3d37.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b3d37.TMP'
2019-08-13 23:42:24,947 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:24,963 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:24,977 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:24,977 [root] INFO: Notified of termination of process with pid 1340.
2019-08-13 23:42:24,993 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:24,993 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:24,993 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:24,993 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:25,025 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:25,025 [root] DEBUG: DLL loaded at 0x000000001D140000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:25,055 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JH7PIXP0UVWU6GRM24LX.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JH7PIXP0UVWU6GRM24LX.temp'
2019-08-13 23:42:25,055 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:25,072 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:25,072 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1216
2019-08-13 23:42:25,072 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:25,088 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2924
2019-08-13 23:42:25,088 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:25,134 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:25,150 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:25,150 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b3d47.TMP" does not exist, skip.
2019-08-13 23:42:25,165 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OQMH0OG7WF08W1L6S5SY.temp" does not exist, skip.
2019-08-13 23:42:25,165 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:25,180 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:25,180 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:25,197 [root] DEBUG: DLL loaded at 0x000000001D0D0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:25,197 [root] DEBUG: GetHookCallerBase: thread 2792 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:25,227 [root] DEBUG: GetHookCallerBase: thread 2888 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:25,243 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:25,259 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:25,259 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:25,259 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b3d76.TMP" does not exist, skip.
2019-08-13 23:42:25,275 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2672_17177056482522314382019
2019-08-13 23:42:25,275 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:25,275 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:25,289 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:25,289 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:25,305 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:25,305 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:25,322 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:25,336 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b3e12.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b3e12.TMP'
2019-08-13 23:42:25,352 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:25,368 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:25,368 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:25,368 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:25,384 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:25,384 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:25,384 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:25,400 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:25,400 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:25,400 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:25,414 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:25,414 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:42:25,414 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:25,430 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TZUCQPJS39D9G3XQ82B2.temp" does not exist, skip.
2019-08-13 23:42:25,430 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:25,446 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:25,477 [root] INFO: Process with pid 1340 has terminated
2019-08-13 23:42:25,477 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:25,509 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:25,586 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:25,586 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:25,586 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:25,586 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:25,586 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KLXPOZK4AZ6JGMQG8QZM.temp" does not exist, skip.
2019-08-13 23:42:25,601 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:25,601 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:25,601 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:25,601 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:25,601 [root] INFO: Notified of termination of process with pid 2672.
2019-08-13 23:42:25,634 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 924
2019-08-13 23:42:25,634 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:25,634 [root] INFO: Process with pid 1316 has terminated
2019-08-13 23:42:25,648 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:25,696 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2176
2019-08-13 23:42:25,696 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:25,711 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:25,711 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:25,726 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:25,726 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:25,743 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:25,743 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RX4CL67QCQWRDOIRKYPG.temp" does not exist, skip.
2019-08-13 23:42:25,743 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OQMH0OG7WF08W1L6S5SY.temp" does not exist, skip.
2019-08-13 23:42:25,743 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:25,743 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:25,743 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JH7PIXP0UVWU6GRM24LX.temp" does not exist, skip.
2019-08-13 23:42:25,743 [root] DEBUG: GetHookCallerBase: thread 2948 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:25,757 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:25,757 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:25,757 [root] DEBUG: GetHookCallerBase: thread 1748 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:25,835 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:25,851 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:25,851 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:25,851 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:25,851 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:42:25,851 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:25,868 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:25,868 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KLXPOZK4AZ6JGMQG8QZM.temp" does not exist, skip.
2019-08-13 23:42:25,868 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\1216_16875033562522314382019
2019-08-13 23:42:25,882 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:25,882 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:25,898 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:25,898 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:25,914 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:25,930 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:25,946 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:25,946 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:25,960 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:25,976 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:42:25,976 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:25,976 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:25,992 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:25,992 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:26,007 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:26,007 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:26,039 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:26,039 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:26,039 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:26,055 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:26,055 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:26,055 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:26,085 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:26,085 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:26,085 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2008
2019-08-13 23:42:26,101 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:26,101 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:26,101 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:26,117 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:26,132 [root] DEBUG: DLL loaded at 0x00000000742D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:26,132 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:26,148 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:26,148 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2772
2019-08-13 23:42:26,148 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:26,164 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:26,164 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:26,194 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:26,194 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:26,194 [root] DEBUG: GetHookCallerBase: thread 2580 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:26,194 [root] INFO: Notified of termination of process with pid 2924.
2019-08-13 23:42:26,226 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:26,226 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:26,242 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:26,273 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:26,289 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:26,289 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:26,289 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:26,289 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:26,303 [root] DEBUG: GetHookCallerBase: thread 2536 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:26,319 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:26,351 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:26,351 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:26,351 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:26,351 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:26,351 [root] INFO: Notified of termination of process with pid 1216.
2019-08-13 23:42:26,367 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2176_10822028964622314382019
2019-08-13 23:42:26,381 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\924_10345546084622314382019
2019-08-13 23:42:26,381 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:26,398 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:26,414 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 23:42:26,414 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:26,414 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:26,428 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:26,444 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:26,460 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:26,460 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:26,460 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:26,553 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:26,615 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:26,615 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:26,615 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:26,615 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:26,615 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:26,631 [root] DEBUG: DLL loaded at 0x000007FEF3D30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:26,631 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:26,694 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:26,694 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:26,710 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:26,710 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:26,726 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:26,740 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:26,756 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:26,756 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:26,772 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:26,772 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:26,788 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:26,788 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:26,803 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:26,803 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:26,803 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:26,803 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:26,835 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:26,835 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:26,849 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:26,865 [root] INFO: Process with pid 2924 has terminated
2019-08-13 23:42:26,865 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:26,865 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:26,865 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:26,881 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:26,881 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:26,913 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:26,927 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:26,927 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2008_4626351804622314382019
2019-08-13 23:42:26,927 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:26,944 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:26,960 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:26,960 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:26,974 [root] INFO: Process with pid 1216 has terminated
2019-08-13 23:42:26,990 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:27,006 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:27,006 [root] DEBUG: DLL loaded at 0x000007FEF3430000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:27,006 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:27,006 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2772_11267374724622314382019
2019-08-13 23:42:27,115 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:27,115 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:27,115 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:27,147 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:27,161 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:27,240 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:27,240 [root] DEBUG: DLL loaded at 0x000007FEF52B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:27,256 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:27,256 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:27,256 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:27,256 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:27,256 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:27,365 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:27,381 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:27,381 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:27,395 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:27,395 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:27,395 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:27,411 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:27,427 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:27,427 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:27,443 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:27,443 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:27,443 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:27,443 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:27,443 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:27,443 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:27,536 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:27,536 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:27,536 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:27,536 [root] DEBUG: DLL loaded at 0x000007FEF3C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:27,598 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:27,598 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:27,598 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:27,598 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:27,598 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:27,598 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:27,615 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:27,630 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:27,630 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:27,630 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:27,645 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:27,661 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:27,661 [root] DEBUG: DLL loaded at 0x000007FEF3B90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:27,661 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:27,661 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:27,786 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:27,848 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:27,848 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:27,895 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:27,911 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:27,911 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:27,927 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:27,927 [root] INFO: Notified of termination of process with pid 2176.
2019-08-13 23:42:27,941 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:27,957 [root] DEBUG: DLL loaded at 0x000000001D040000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:27,957 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:27,973 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:27,973 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:27,973 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:27,989 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:28,005 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:28,019 [root] DEBUG: DLL loaded at 0x000000001D180000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:28,036 [root] INFO: Notified of termination of process with pid 924.
2019-08-13 23:42:28,036 [root] DEBUG: DLL loaded at 0x000000001D000000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:28,052 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2860
2019-08-13 23:42:28,082 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:28,098 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:28,114 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:28,114 [root] DEBUG: DLL loaded at 0x000007FEF3210000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:28,114 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:28,130 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:28,144 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:28,144 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:28,144 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:28,161 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:28,191 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1428
2019-08-13 23:42:28,207 [root] INFO: Process with pid 2672 has terminated
2019-08-13 23:42:28,207 [root] DEBUG: GetHookCallerBase: thread 2892 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:28,207 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:28,207 [root] DEBUG: DLL loaded at 0x000000001D220000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:28,207 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:28,223 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:28,223 [root] DEBUG: DLL loaded at 0x000007FEF30F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:28,239 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:28,239 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:28,253 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:28,253 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:28,253 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:28,269 [root] DEBUG: GetHookCallerBase: thread 2316 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:28,269 [root] INFO: Process with pid 2176 has terminated
2019-08-13 23:42:28,269 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:28,286 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:28,301 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:28,286 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:28,301 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:28,316 [root] DEBUG: DLL loaded at 0x000007FEF50F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:42:28,316 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:28,316 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:28,316 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:28,332 [root] INFO: Notified of termination of process with pid 2008.
2019-08-13 23:42:28,332 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:28,348 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:28,348 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:28,348 [root] INFO: Process with pid 924 has terminated
2019-08-13 23:42:28,364 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:28,364 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:28,378 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:28,378 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:28,394 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:28,394 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:42:28,394 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:28,394 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:28,457 [root] INFO: Notified of termination of process with pid 2772.
2019-08-13 23:42:28,457 [root] INFO: Process with pid 2008 has terminated
2019-08-13 23:42:28,457 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 716
2019-08-13 23:42:28,457 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:28,457 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:28,473 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:28,473 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:28,519 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:28,519 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:28,519 [root] DEBUG: DLL unloaded from 0x000007FEFB3D0000.
2019-08-13 23:42:28,519 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:28,519 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:28,519 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:28,535 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 828
2019-08-13 23:42:28,551 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:28,551 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:42:28,551 [root] DEBUG: GetHookCallerBase: thread 1844 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:28,551 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:28,565 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:28,565 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:28,612 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:28,612 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:28,644 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3316
2019-08-13 23:42:28,644 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:28,660 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:28,676 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:28,721 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:28,721 [root] DEBUG: GetHookCallerBase: thread 3060 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:28,721 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:28,737 [root] DEBUG: DLL loaded at 0x000007FEF2F60000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:42:28,737 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:28,737 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:28,737 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:28,753 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:28,753 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:28,769 [root] DEBUG: GetHookCallerBase: thread 3448 (handle 0x0), return address 0x000000001000CE88, allocation base 0x0000000010000000.
2019-08-13 23:42:28,815 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:28,832 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:28,846 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:28,878 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2860_343133642822314382019
2019-08-13 23:42:28,878 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:28,878 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:28,878 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:42:28,894 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:28,894 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3424
2019-08-13 23:42:28,894 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:28,894 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:28,924 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:42:28,924 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:28,924 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000010000000.
2019-08-13 23:42:28,971 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:28,971 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:28,971 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:28,971 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:28,987 [root] DEBUG: DLL loaded at 0x000007FEEF5E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:42:29,081 [root] DEBUG: GetHookCallerBase: thread 3428 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:29,081 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:29,081 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:29,081 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:42:29,096 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000010000000.
2019-08-13 23:42:29,096 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:29,144 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:29,144 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:29,158 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:29,158 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:29,158 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:42:29,158 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3564
2019-08-13 23:42:29,190 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:29,190 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000055F0.
2019-08-13 23:42:29,190 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:29,206 [root] INFO: Notified of termination of process with pid 2860.
2019-08-13 23:42:29,253 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:29,253 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:29,253 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:29,253 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:29,378 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:29,486 [root] DEBUG: GetHookCallerBase: thread 3568 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:29,486 [root] DEBUG: DLL loaded at 0x000007FEFA390000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:42:29,595 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:29,627 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:42:29,627 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4008
2019-08-13 23:42:29,627 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:29,627 [root] INFO: Process with pid 2860 has terminated
2019-08-13 23:42:29,627 [root] INFO: Notified of termination of process with pid 1428.
2019-08-13 23:42:29,642 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2264
2019-08-13 23:42:29,657 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:29,657 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:29,657 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:29,657 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:29,657 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:29,657 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3316_15250096684922314382019
2019-08-13 23:42:29,657 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\716_14281583362922314382019
2019-08-13 23:42:29,657 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:42:29,657 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:42:29,674 [root] DEBUG: GetHookCallerBase: thread 4012 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:29,674 [root] INFO: Process with pid 2772 has terminated
2019-08-13 23:42:29,690 [root] DEBUG: GetHookCallerBase: thread 2916 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:29,767 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:29,767 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:29,767 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:29,782 [root] DEBUG: DLL loaded at 0x000000001CFB0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:29,782 [root] DEBUG: DLL loaded at 0x000000001D110000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:29,782 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1ba00.
2019-08-13 23:42:29,799 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:29,799 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3424_16922034684922314382019
2019-08-13 23:42:29,799 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:29,845 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:29,845 [root] DEBUG: DLL loaded at 0x000007FEEEBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:42:29,861 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:29,861 [root] DEBUG: DLL loaded at 0x000000001CFE0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:29,877 [root] DEBUG: DLL loaded at 0x000000001D080000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:29,891 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:29,891 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:29,907 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:29,907 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:29,907 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:29,924 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:29,924 [root] INFO: Notified of termination of process with pid 828.
2019-08-13 23:42:29,924 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:29,924 [root] DEBUG: DLL loaded at 0x000000001D1D0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:42:29,938 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:29,970 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:29,986 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:29,986 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:30,016 [root] INFO: Notified of termination of process with pid 3316.
2019-08-13 23:42:30,016 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:30,032 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:30,032 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:30,032 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:42:30,032 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3564_20877224054922314382019
2019-08-13 23:42:30,032 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:30,032 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:30,048 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:30,048 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:30,048 [root] INFO: Notified of termination of process with pid 716.
2019-08-13 23:42:30,048 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:30,063 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:42:30,079 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:30,079 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:30,095 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:30,095 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:30,095 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:30,111 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\4008_17265651364037314382019
2019-08-13 23:42:30,111 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:42:30,111 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:30,111 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:30,125 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:30,125 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2264_19264815365022314382019
2019-08-13 23:42:30,157 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:30,157 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:30,173 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:30,173 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:30,188 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:42:30,236 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:30,236 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:30,236 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:30,236 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:30,313 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:30,328 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:30,345 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:30,345 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:30,375 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:30,407 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:42:30,407 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:42:30,423 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:30,437 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:30,437 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:42:30,453 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:42:30,453 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:30,470 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:30,516 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:42:30,548 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:30,548 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:30,548 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:30,578 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3416
2019-08-13 23:42:30,578 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:30,578 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2632
2019-08-13 23:42:30,578 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:30,594 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:30,594 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:30,594 [root] DEBUG: GetHookCallerBase: thread 3420 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:30,609 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4084
2019-08-13 23:42:30,609 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3660
2019-08-13 23:42:30,609 [root] INFO: Notified of termination of process with pid 3424.
2019-08-13 23:42:30,609 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4072
2019-08-13 23:42:30,609 [root] DEBUG: GetHookCallerBase: thread 2320 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:30,609 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:30,625 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:30,625 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:30,625 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:30,641 [root] DEBUG: GetHookCallerBase: thread 2576 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:30,641 [root] DEBUG: GetHookCallerBase: thread 3892 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:30,657 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3868
2019-08-13 23:42:30,657 [root] DEBUG: GetHookCallerBase: thread 4064 (handle 0x0), return address 0x000000013FD2C504, allocation base 0x000000013FD20000.
2019-08-13 23:42:30,657 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:30,657 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:30,671 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:30,671 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:30,671 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:30,671 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:30,687 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:30,687 [root] DEBUG: GetHookCallerBase: thread 3872 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:30,687 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FD20000.
2019-08-13 23:42:30,703 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:30,703 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:30,703 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:30,703 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:30,703 [root] INFO: Notified of termination of process with pid 3564.
2019-08-13 23:42:30,719 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:30,719 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:30,719 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:30,719 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FD20000.
2019-08-13 23:42:30,734 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:30,734 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:30,750 [root] INFO: Notified of termination of process with pid 4008.
2019-08-13 23:42:30,750 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2984
2019-08-13 23:42:30,766 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:30,766 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:30,766 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:30,766 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:42:30,796 [root] INFO: Notified of termination of process with pid 2264.
2019-08-13 23:42:30,796 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3416_11515610255022314382019
2019-08-13 23:42:30,796 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3436
2019-08-13 23:42:30,796 [root] DEBUG: GetHookCallerBase: thread 3076 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:30,812 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:30,844 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2632_9839558245022314382019
2019-08-13 23:42:30,844 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3148
2019-08-13 23:42:30,844 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:30,844 [root] DEBUG: GetHookCallerBase: thread 3440 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:30,859 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\4084_16447370135022314382019
2019-08-13 23:42:30,859 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:30,859 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:30,859 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\4072_17783661205022314382019
2019-08-13 23:42:30,875 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:30,875 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3660_14254118185022314382019
2019-08-13 23:42:30,875 [root] DEBUG: GetHookCallerBase: thread 3284 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:30,875 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:30,891 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:30,891 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:30,891 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:30,905 [root] INFO: Process with pid 1428 has terminated
2019-08-13 23:42:30,905 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:30,905 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:30,921 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:42:30,921 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:30,921 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:30,937 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:30,937 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:30,937 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:30,937 [root] INFO: Process with pid 828 has terminated
2019-08-13 23:42:30,937 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3868_13395659483022314382019
2019-08-13 23:42:30,953 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:30,953 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:30,969 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:42:30,969 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:30,969 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:30,969 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:30,983 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:30,983 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:30,983 [root] INFO: Process with pid 3564 has terminated
2019-08-13 23:42:30,983 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:31,000 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:31,000 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:31,000 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-08-13 23:42:31,000 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:31,016 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:31,016 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:31,016 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:31,016 [root] INFO: Process with pid 4008 has terminated
2019-08-13 23:42:31,046 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,046 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:31,046 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:31,062 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 23:42:31,062 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:31,062 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2984_16503963203022314382019
2019-08-13 23:42:31,062 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:31,078 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:31,078 [root] INFO: Process with pid 3424 has terminated
2019-08-13 23:42:31,094 [root] INFO: Notified of termination of process with pid 3868.
2019-08-13 23:42:31,094 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:31,094 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:31,094 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-08-13 23:42:31,108 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:42:31,108 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3436_751672323122314382019
2019-08-13 23:42:31,108 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:31,108 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:31,108 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:31,125 [root] INFO: Process with pid 2264 has terminated
2019-08-13 23:42:31,125 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:31,140 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:31,140 [root] DEBUG: DLL unloaded from 0x000007FEF3FA0000.
2019-08-13 23:42:31,140 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Roaming\syslink\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:42:31,140 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:31,140 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,155 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,155 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:31,171 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:31,171 [root] INFO: Process with pid 3316 has terminated
2019-08-13 23:42:31,171 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,171 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-08-13 23:42:31,171 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,171 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,187 [root] INFO: Notified of termination of process with pid 3416.
2019-08-13 23:42:31,187 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,187 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,203 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,217 [root] INFO: Notified of termination of process with pid 2984.
2019-08-13 23:42:31,217 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3708
2019-08-13 23:42:31,233 [root] INFO: Notified of termination of process with pid 2632.
2019-08-13 23:42:31,233 [root] INFO: Notified of termination of process with pid 3148.
2019-08-13 23:42:31,233 [root] DEBUG: GetHookCallerBase: thread 3716 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:31,250 [root] INFO: Notified of termination of process with pid 3436.
2019-08-13 23:42:31,250 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3524
2019-08-13 23:42:31,250 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:31,250 [root] INFO: Notified of termination of process with pid 4084.
2019-08-13 23:42:31,265 [root] DEBUG: GetHookCallerBase: thread 3732 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:31,265 [root] INFO: Notified of termination of process with pid 4072.
2019-08-13 23:42:31,265 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:31,280 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3576
2019-08-13 23:42:31,280 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:31,280 [root] INFO: Notified of termination of process with pid 3660.
2019-08-13 23:42:31,280 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3180
2019-08-13 23:42:31,280 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:31,280 [root] DEBUG: GetHookCallerBase: thread 3572 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:31,296 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:31,312 [root] DEBUG: GetHookCallerBase: thread 3184 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:31,312 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3844
2019-08-13 23:42:31,312 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:31,312 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:31,312 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:31,312 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:31,328 [root] DEBUG: GetHookCallerBase: thread 3648 (handle 0x0), return address 0x0000000049E287DD, allocation base 0x0000000049E20000.
2019-08-13 23:42:31,328 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:31,342 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:31,342 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:31,358 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:42:31,358 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:31,374 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3708_14802941923122314382019
2019-08-13 23:42:31,374 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:31,374 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:42:31,374 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:31,390 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:31,390 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:31,390 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:31,405 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3524_21174504693122314382019
2019-08-13 23:42:31,405 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,421 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:42:31,421 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:31,421 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:31,437 [root] INFO: Notified of termination of process with pid 3708.
2019-08-13 23:42:31,437 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,437 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:42:31,437 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\3576_11966256463122314382019
2019-08-13 23:42:31,437 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,451 [root] INFO: Notified of termination of process with pid 3180.
2019-08-13 23:42:31,451 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Roaming\syslink\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:42:31,467 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:31,467 [root] INFO: Notified of termination of process with pid 3524.
2019-08-13 23:42:31,483 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,483 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:42:31,499 [root] INFO: Notified of termination of process with pid 3844.
2019-08-13 23:42:31,499 [root] INFO: Notified of termination of process with pid 3576.
2019-08-13 23:42:32,217 [root] INFO: Process with pid 716 has terminated
2019-08-13 23:42:32,217 [root] INFO: Process with pid 3436 has terminated
2019-08-13 23:42:32,232 [root] INFO: Process with pid 3148 has terminated
2019-08-13 23:42:32,232 [root] INFO: Process with pid 3180 has terminated
2019-08-13 23:42:32,247 [root] INFO: Process with pid 3844 has terminated
2019-08-13 23:42:32,263 [root] INFO: Process with pid 3576 has terminated
2019-08-13 23:42:32,263 [root] INFO: Process with pid 3524 has terminated
2019-08-13 23:42:32,279 [root] INFO: Process with pid 2632 has terminated
2019-08-13 23:42:33,309 [root] INFO: Process with pid 2984 has terminated
2019-08-13 23:42:33,309 [root] INFO: Process with pid 3708 has terminated
2019-08-13 23:42:33,323 [root] INFO: Process with pid 4072 has terminated
2019-08-13 23:42:33,323 [root] INFO: Process with pid 4084 has terminated
2019-08-13 23:42:34,354 [root] INFO: Process with pid 3868 has terminated
2019-08-13 23:42:34,354 [root] INFO: Process with pid 3660 has terminated
2019-08-13 23:42:35,384 [root] INFO: Process with pid 3416 has terminated
2019-08-13 23:42:36,819 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFBAC0000 to caller regions list (ntdll::NtQueueApcThread).
2019-08-13 23:42:36,819 [root] DEBUG: DLL unloaded from 0x000007FEFBAC0000.
2019-08-13 23:42:45,368 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4240000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-08-13 23:45:30,852 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-08-13 23:45:30,852 [root] INFO: Created shutdown mutex.
2019-08-13 23:45:31,881 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2168
2019-08-13 23:45:31,881 [root] DEBUG: Terminate Event: Attempting to dump process 2168
2019-08-13 23:45:31,881 [root] INFO: Terminate event set for process 2168.
2019-08-13 23:45:31,898 [root] INFO: Terminating process 2168 before shutdown.
2019-08-13 23:45:31,898 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049E20000.
2019-08-13 23:45:31,898 [root] INFO: Waiting for process 2168 to exit.
2019-08-13 23:45:31,913 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049E20000.
2019-08-13 23:45:31,928 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:45:31,928 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:45:31,990 [root] INFO: Added new CAPE file to list with path: C:\xyAIARtiO\CAPE\2168_102556031231452213282019
2019-08-13 23:45:32,006 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:45:32,927 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 3236
2019-08-13 23:45:32,927 [root] INFO: Terminate event set for process 3236.
2019-08-13 23:45:32,943 [root] INFO: Terminating process 3236 before shutdown.
2019-08-13 23:45:32,943 [root] INFO: Waiting for process 3236 to exit.
2019-08-13 23:45:33,957 [root] INFO: Waiting for process 3236 to exit.
2019-08-13 23:45:34,970 [root] INFO: Waiting for process 3236 to exit.
2019-08-13 23:45:35,984 [root] INFO: Waiting for process 3236 to exit.
2019-08-13 23:45:36,999 [lib.api.process] INFO: Successfully terminated process with pid 3236.
2019-08-13 23:45:36,999 [root] INFO: Waiting for process 3236 to exit.
2019-08-13 23:45:38,029 [root] INFO: Shutting down package.
2019-08-13 23:45:38,029 [root] INFO: Stopping auxiliary modules.
2019-08-13 23:45:38,043 [root] INFO: Finishing auxiliary modules.
2019-08-13 23:45:38,043 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-13 23:45:38,059 [root] WARNING: File at path "C:\xyAIARtiO\debugger" does not exist, skip.
2019-08-13 23:45:38,059 [root] INFO: Analysis completed.

MalScore

10.0

TrickBot

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-08-13 22:42:01 2019-08-13 22:45:50

File Details

File Name 7914d86e352c6d4681629dd737dc51c5df30d1e3cb2da4acdb8b019ac8f60ceb
File Size 677142 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 589200c0cc7b9ee82f3dc564a0128945
SHA1 526cd1acdd5b96fa059e99b236da89183fb69c23
SHA256 7914d86e352c6d4681629dd737dc51c5df30d1e3cb2da4acdb8b019ac8f60ceb
SHA512 12c16d8d547fcb6296f70d1e8faffa7d9a464c537d7cf36e91d74f4a49ef5e5e0b8e58846dc1bc96515497c8e23ff89dc34e8b450132d0974907a62aca93fe69
CRC32 342809D0
Ssdeep 12288:gSqiDKCiueQ5qVdlf49wOK6BGfLZu54oFBsM0Nb:gSxriueQ5wEw6BGDZGeM0Nb
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Scheduled file move on reboot detected
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ISUCJV86ONBOYVEYJSGX.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3316 triggered the Yara rule 'TrickBot'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: 2JWyzmff7st.exe, PID 1116
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1389b1e.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2244.20487067
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2244.20487067
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2244.20487067
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2208.19595678
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2208.19595678
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2208.19595678
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2CKOAGTMISP141BWJSJY.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2868.19596568
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2868.19596568
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2868.19596568
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V8X41C7R9BZ9KWVMQPZP.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1340.19599922
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1340.19599922
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1340.19599922
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b0c87.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2828.19598892
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2828.19598892
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2828.19598892
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b177f.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2176.19601794
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2176.19601794
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2176.19601794
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b14b1.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1316.19600936
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1316.19600936
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1316.19600936
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b17ae.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.924.19601825
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.924.19601825
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.924.19601825
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b1b75.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2008.19602558
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2008.19602558
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2008.19602558
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b1c7e.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2772.19602901
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2772.19602901
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2772.19602901
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RXCV6XZ8KNA4SYB1O7VM.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3564.19610452
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3564.19610467
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3564.19610467
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF138bdf9.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.4008.20500920
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.4008.20500920
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.4008.20500920
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b289f.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3424.19610358
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3424.19610358
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3424.19610358
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b292b.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2264.19610514
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2264.19610545
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2264.19610545
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TZUCQPJS39D9G3XQ82B2.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3416.19612059
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3416.19612059
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3416.19612059
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JH7PIXP0UVWU6GRM24LX.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.4072.19612293
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.4072.19612293
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.4072.19612293
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RX4CL67QCQWRDOIRKYPG.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3660.19612230
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3660.19612230
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3660.19612230
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b3d18.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.4084.19612261
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.4084.19612261
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.4084.19612261
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12b3d47.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2632.19612417
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2632.19612417
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2632.19612417
DeletedFile: C:\Windows\Tasks\SpeedLan.job
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/