Analysis

Category: FILE
Package: Injection
Started: 2019-08-14 00:16:44
Completed: 2019-08-14 00:20:44
Duration: 240 seconds
Options:
route = internet
procdump = 0
Log:
2019-08-14 01:16:48,030 [root] INFO: Date set to: 08-14-19, time set to: 00:16:48, timeout set to: 200
2019-08-14 01:16:48,187 [root] DEBUG: Starting analyzer from: C:\vjiqdb
2019-08-14 01:16:48,187 [root] DEBUG: Storing results at: C:\cHSDykXXX
2019-08-14 01:16:48,187 [root] DEBUG: Pipe server name: \\.\PIPE\OqMSZfS
2019-08-14 01:16:48,187 [root] INFO: Analysis package "Injection" has been specified.
2019-08-14 01:16:49,357 [root] DEBUG: Started auxiliary module Browser
2019-08-14 01:16:49,357 [root] DEBUG: Started auxiliary module Curtain
2019-08-14 01:16:49,357 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-14 01:16:50,744 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-08-14 01:16:50,744 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-14 01:16:50,760 [root] DEBUG: Started auxiliary module DigiSig
2019-08-14 01:16:50,760 [root] DEBUG: Started auxiliary module Disguise
2019-08-14 01:16:50,760 [root] DEBUG: Started auxiliary module Human
2019-08-14 01:16:50,760 [root] DEBUG: Started auxiliary module Screenshots
2019-08-14 01:16:50,776 [root] DEBUG: Started auxiliary module Sysmon
2019-08-14 01:16:50,776 [root] DEBUG: Started auxiliary module Usage
2019-08-14 01:16:50,776 [root] INFO: Analyzer: DLL set to Injection.dll from package modules.packages.Injection
2019-08-14 01:16:50,776 [root] INFO: Analyzer: DLL_64 set to Injection_x64.dll from package modules.packages.Injection
2019-08-14 01:16:50,931 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe" with arguments "" with pid 872
2019-08-14 01:16:50,931 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:16:50,931 [lib.api.process] INFO: 32-bit DLL to inject is C:\vjiqdb\dll\eYjpwTn.dll, loader C:\vjiqdb\bin\IezMJWb.exe
2019-08-14 01:16:50,979 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:16:50,979 [root] DEBUG: Loader: Injecting process 872 (thread 520) with C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:16:50,979 [root] DEBUG: Process image base: 0x01220000
2019-08-14 01:16:50,979 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-08-14 01:16:50,979 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-08-14 01:16:50,979 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:16:50,979 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 872
2019-08-14 01:16:52,992 [lib.api.process] INFO: Successfully resumed process with pid 872
2019-08-14 01:16:52,992 [root] INFO: Added new process to list with pid: 872
2019-08-14 01:16:53,163 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-14 01:16:53,163 [root] DEBUG: Process memory dumps disabled.
2019-08-14 01:16:53,272 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 872 at 0x747a0000, image base 0x1220000, stack from 0x385000-0x390000
2019-08-14 01:16:53,272 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe".
2019-08-14 01:16:53,272 [root] INFO: Monitor successfully loaded in process with pid 872.
2019-08-14 01:16:53,272 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc amd local view 0x74720000 to global list ().
2019-08-14 01:16:53,288 [root] DEBUG: DLL loaded at 0x74720000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-08-14 01:16:53,288 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x03AE0000 to global list ().
2019-08-14 01:16:53,303 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x03AE0000 to global list ().
2019-08-14 01:16:53,319 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74080000 for section view with handle 0xd8 ().
2019-08-14 01:16:53,319 [root] DEBUG: DLL loaded at 0x74080000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x69b000 bytes).
2019-08-14 01:16:53,319 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73FA0000 for section view with handle 0xd8 ().
2019-08-14 01:16:53,319 [root] DEBUG: DLL loaded at 0x73FA0000: C:\Windows\system32\MSVCR110_CLR0400 (0xd3000 bytes).
2019-08-14 01:16:53,335 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 872, handle 0xf4.
2019-08-14 01:16:53,335 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00150000 to global list (\BaseNamedObjects\Cor_Private_IPCBlock_v4_872).
2019-08-14 01:16:53,335 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc amd local view 0x00160000 to global list (\...\Cor_SxSPublic_IPCBlock).
2019-08-14 01:16:53,335 [root] INFO: Disabling sleep skipping.
2019-08-14 01:16:53,365 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1dc amd local view 0x06200000 to global list ().
2019-08-14 01:16:53,397 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e0 amd local view 0x72C30000 to global list ().
2019-08-14 01:16:53,444 [root] DEBUG: DLL loaded at 0x72C30000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni (0x102e000 bytes).
2019-08-14 01:16:53,647 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x73F20000 to global list ().
2019-08-14 01:16:53,661 [root] DEBUG: DLL loaded at 0x73F20000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x7d000 bytes).
2019-08-14 01:16:53,661 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x76EA0000 to global list (\KnownDlls32\OLEAUT32.dll).
2019-08-14 01:16:53,661 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-14 01:16:53,724 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x72290000 to global list ().
2019-08-14 01:16:53,740 [root] DEBUG: DLL loaded at 0x72290000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni (0x99a000 bytes).
2019-08-14 01:16:53,772 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 amd local view 0x73D80000 to global list ().
2019-08-14 01:16:53,786 [root] DEBUG: DLL loaded at 0x73D80000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni (0x194000 bytes).
2019-08-14 01:16:53,802 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 amd local view 0x71640000 to global list ().
2019-08-14 01:16:53,802 [root] DEBUG: DLL loaded at 0x71640000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni (0xc4f000 bytes).
2019-08-14 01:16:54,380 [root] DEBUG: DLL loaded at 0x715C0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2019-08-14 01:16:54,489 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x71120000 for section view with handle 0x218 ().
2019-08-14 01:16:54,630 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32 (0x84000 bytes).
2019-08-14 01:16:54,739 [root] DEBUG: DLL loaded at 0x71420000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-14 01:16:54,786 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x238 amd local view 0x74B30000 to global list ().
2019-08-14 01:16:54,816 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x12000 bytes).
2019-08-14 01:16:54,941 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06690000 for section view with handle 0x238 ().
2019-08-14 01:16:55,644 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x240 amd local view 0x71290000 to global list ().
2019-08-14 01:16:55,674 [root] DEBUG: DLL loaded at 0x71290000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus (0x190000 bytes).
2019-08-14 01:16:56,049 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x24c amd local view 0x004A0000 to global list ().
2019-08-14 01:16:56,236 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x248 amd local view 0x00660000 to global list ().
2019-08-14 01:16:56,267 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005C0000 for section view with handle 0x248 ().
2019-08-14 01:16:56,345 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00660000 for section view with handle 0x248 ().
2019-08-14 01:16:56,611 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06B80000 for section view with handle 0x248 ().
2019-08-14 01:16:56,798 [root] DEBUG: DLL loaded at 0x71190000: C:\Windows\system32\WindowsCodecs (0xfb000 bytes).
2019-08-14 01:16:56,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x25c amd local view 0x05E60000 to global list ().
2019-08-14 01:16:56,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x074B0000 for section view with handle 0x25c ().
2019-08-14 01:16:57,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03C50000 for section view with handle 0x25c ().
2019-08-14 01:16:57,717 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x260 amd local view 0x70AE0000 to global list ().
2019-08-14 01:16:57,733 [root] DEBUG: DLL loaded at 0x70AE0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni (0x6ae000 bytes).
2019-08-14 01:16:57,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70900000 for section view with handle 0x25c ().
2019-08-14 01:16:57,750 [root] DEBUG: DLL loaded at 0x70900000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni (0x1dd000 bytes).
2019-08-14 01:16:58,326 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x258 amd local view 0x00660000 to global list ().
2019-08-14 01:17:01,165 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00BA0000 for section view with handle 0x258 ().
2019-08-14 01:17:11,461 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2019-08-14 01:17:11,493 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-14 01:17:11,493 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-14 01:17:11,586 [root] DEBUG: DLL loaded at 0x70800000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-14 01:17:11,586 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-14 01:17:11,586 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-14 01:17:11,634 [root] DEBUG: DLL loaded at 0x6FD80000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-14 01:17:11,680 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-14 01:17:11,680 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-14 01:17:11,726 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-14 01:17:11,757 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-14 01:17:11,757 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-14 01:17:11,757 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-14 01:17:11,821 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-14 01:17:11,821 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-14 01:17:11,821 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-14 01:17:11,821 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-08-14 01:17:11,851 [root] DEBUG: DLL loaded at 0x73D70000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-14 01:17:11,930 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2924, ImageBase: 0x001E0000
2019-08-14 01:17:11,960 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 2924
2019-08-14 01:17:11,960 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:17:11,960 [lib.api.process] INFO: 32-bit DLL to inject is C:\vjiqdb\dll\eYjpwTn.dll, loader C:\vjiqdb\bin\IezMJWb.exe
2019-08-14 01:17:11,960 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:17:11,960 [root] DEBUG: Loader: Injecting process 2924 (thread 2096) with C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:11,960 [root] DEBUG: Process image base: 0x001E0000
2019-08-14 01:17:11,960 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:11,960 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0020E000 - 0x002C0000
2019-08-14 01:17:11,960 [root] DEBUG: InjectDllViaIAT: Allocated 0x340 bytes for new import table at 0x00210000.
2019-08-14 01:17:11,976 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-14 01:17:11,976 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:11,976 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2924
2019-08-14 01:17:11,992 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-14 01:17:11,992 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-14 01:17:11,992 [root] DEBUG: DLL loaded at 0x73D60000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-08-14 01:17:12,007 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-14 01:17:12,007 [root] DEBUG: Process memory dumps disabled.
2019-08-14 01:17:12,007 [root] INFO: Disabling sleep skipping.
2019-08-14 01:17:12,007 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 2924 at 0x747a0000, image base 0x1e0000, stack from 0x2f6000-0x300000
2019-08-14 01:17:12,007 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\schtasks.exe" \Create \TN "Updates\LIeDXmUzhdkSdI" \XML "C:\Users\user\AppData\Local\Temp\tmpB48F.tmp".
2019-08-14 01:17:12,007 [root] INFO: Added new process to list with pid: 2924
2019-08-14 01:17:12,007 [root] INFO: Monitor successfully loaded in process with pid 2924.
2019-08-14 01:17:12,007 [root] DEBUG: DLL loaded at 0x73D40000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2019-08-14 01:17:12,007 [root] DEBUG: DLL unloaded from 0x001E0000.
2019-08-14 01:17:12,007 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 amd local view 0x03400000 to global list ().
2019-08-14 01:17:12,257 [root] INFO: Stopped Task Scheduler Service
2019-08-14 01:17:12,273 [root] INFO: Started Task Scheduler Service
2019-08-14 01:17:12,273 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:17:12,273 [lib.api.process] INFO: 64-bit DLL to inject is C:\vjiqdb\dll\mpGklsT.dll, loader C:\vjiqdb\bin\yaxescRO.exe
2019-08-14 01:17:12,289 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:17:12,289 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\vjiqdb\dll\mpGklsT.dll.
2019-08-14 01:17:12,289 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 820, handle 0x84
2019-08-14 01:17:12,289 [root] DEBUG: Process image base: 0x00000000FF8E0000
2019-08-14 01:17:12,289 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-08-14 01:17:12,289 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-08-14 01:17:12,289 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-14 01:17:12,289 [root] DEBUG: Process memory dumps disabled.
2019-08-14 01:17:12,303 [root] INFO: Disabling sleep skipping.
2019-08-14 01:17:12,335 [root] WARNING: Unable to place hook on LockResource
2019-08-14 01:17:12,335 [root] WARNING: Unable to hook LockResource
2019-08-14 01:17:12,367 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 816 at 0x000000006FCA0000, image base 0x00000000FF8E0000, stack from 0x0000000000F06000-0x0000000000F10000
2019-08-14 01:17:12,367 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-08-14 01:17:12,367 [root] INFO: Added new process to list with pid: 816
2019-08-14 01:17:12,367 [root] INFO: Monitor successfully loaded in process with pid 816.
2019-08-14 01:17:12,367 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-14 01:17:12,367 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-14 01:17:12,367 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\mpGklsT.dll.
2019-08-14 01:17:14,378 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-14 01:17:14,394 [root] DEBUG: DLL loaded at 0x6FC20000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2019-08-14 01:17:14,582 [root] DEBUG: DLL unloaded from 0x75700000.
2019-08-14 01:17:14,582 [root] INFO: Notified of termination of process with pid 2924.
2019-08-14 01:17:14,660 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x36c amd local view 0x03740000 to global list ().
2019-08-14 01:17:14,676 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2848, ImageBase: 0x01220000
2019-08-14 01:17:14,676 [root] INFO: Announced 32-bit process name: DOCUMENTS-7821.exe pid: 2848
2019-08-14 01:17:14,676 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:17:14,690 [lib.api.process] INFO: 32-bit DLL to inject is C:\vjiqdb\dll\eYjpwTn.dll, loader C:\vjiqdb\bin\IezMJWb.exe
2019-08-14 01:17:14,690 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:17:14,690 [root] DEBUG: Loader: Injecting process 2848 (thread 2264) with C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:14,737 [root] DEBUG: Process image base: 0x01220000
2019-08-14 01:17:14,785 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-08-14 01:17:14,832 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-08-14 01:17:14,878 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:14,878 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2019-08-14 01:17:14,878 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 2848 (ImageBase 0x400000)
2019-08-14 01:17:14,878 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-08-14 01:17:14,878 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x04FDA830.
2019-08-14 01:17:14,924 [root] INFO: Added new CAPE file to list with path: C:\vjiqdb\CAPE\872_10067065701239714382019
2019-08-14 01:17:14,971 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x53200.
2019-08-14 01:17:15,019 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x4fda830, SizeOfImage 0x5a000.
2019-08-14 01:17:15,019 [root] INFO: Announced 32-bit process name: DOCUMENTS-7821.exe pid: 2848
2019-08-14 01:17:15,019 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:17:15,019 [lib.api.process] INFO: 32-bit DLL to inject is C:\vjiqdb\dll\eYjpwTn.dll, loader C:\vjiqdb\bin\IezMJWb.exe
2019-08-14 01:17:15,065 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:17:15,065 [root] DEBUG: Loader: Injecting process 2848 (thread 0) with C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,065 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2264, handle 0x9c
2019-08-14 01:17:15,065 [root] DEBUG: Process image base: 0x01220000
2019-08-14 01:17:15,065 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-08-14 01:17:15,065 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-08-14 01:17:15,111 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,111 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2019-08-14 01:17:15,111 [root] DEBUG: WriteMemoryHandler: shellcode at 0x05913C98 (size 0x52a00) injected into process 2848.
2019-08-14 01:17:15,111 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vjiqdb\CAPE\872_9208430121339714382019
2019-08-14 01:17:15,111 [root] INFO: Added new CAPE file to list with path: C:\vjiqdb\CAPE\872_9208430121339714382019
2019-08-14 01:17:15,111 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2019-08-14 01:17:15,111 [root] INFO: Announced 32-bit process name: DOCUMENTS-7821.exe pid: 2848
2019-08-14 01:17:15,111 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:17:15,128 [lib.api.process] INFO: 32-bit DLL to inject is C:\vjiqdb\dll\eYjpwTn.dll, loader C:\vjiqdb\bin\IezMJWb.exe
2019-08-14 01:17:15,128 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:17:15,128 [root] DEBUG: Loader: Injecting process 2848 (thread 0) with C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,158 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2264, handle 0x9c
2019-08-14 01:17:15,206 [root] DEBUG: Process image base: 0x01220000
2019-08-14 01:17:15,206 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-08-14 01:17:15,206 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-08-14 01:17:15,221 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,221 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2019-08-14 01:17:15,221 [root] DEBUG: WriteMemoryHandler: shellcode at 0x03EAF794 (size 0x400) injected into process 2848.
2019-08-14 01:17:15,221 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vjiqdb\CAPE\872_19127145681339714382019
2019-08-14 01:17:15,221 [root] INFO: Added new CAPE file to list with path: C:\vjiqdb\CAPE\872_19127145681339714382019
2019-08-14 01:17:15,221 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2019-08-14 01:17:15,267 [root] INFO: Announced 32-bit process name: DOCUMENTS-7821.exe pid: 2848
2019-08-14 01:17:15,267 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:17:15,267 [lib.api.process] INFO: 32-bit DLL to inject is C:\vjiqdb\dll\eYjpwTn.dll, loader C:\vjiqdb\bin\IezMJWb.exe
2019-08-14 01:17:15,267 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:17:15,267 [root] DEBUG: Loader: Injecting process 2848 (thread 0) with C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,299 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2264, handle 0x9c
2019-08-14 01:17:15,299 [root] INFO: Process with pid 2924 has terminated
2019-08-14 01:17:15,299 [root] DEBUG: Process image base: 0x01220000
2019-08-14 01:17:15,315 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-08-14 01:17:15,331 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-08-14 01:17:15,361 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,361 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2019-08-14 01:17:15,361 [root] DEBUG: WriteMemoryHandler: shellcode at 0x03EAFBA0 (size 0x200) injected into process 2848.
2019-08-14 01:17:15,361 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vjiqdb\CAPE\872_219301441339714382019
2019-08-14 01:17:15,361 [root] INFO: Added new CAPE file to list with path: C:\vjiqdb\CAPE\872_219301441339714382019
2019-08-14 01:17:15,408 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2019-08-14 01:17:15,408 [root] INFO: Announced 32-bit process name: DOCUMENTS-7821.exe pid: 2848
2019-08-14 01:17:15,408 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:17:15,408 [lib.api.process] INFO: 32-bit DLL to inject is C:\vjiqdb\dll\eYjpwTn.dll, loader C:\vjiqdb\bin\IezMJWb.exe
2019-08-14 01:17:15,408 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:17:15,456 [root] DEBUG: Loader: Injecting process 2848 (thread 0) with C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,456 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2264, handle 0x9c
2019-08-14 01:17:15,456 [root] DEBUG: Process image base: 0x01220000
2019-08-14 01:17:15,502 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-08-14 01:17:15,502 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-08-14 01:17:15,502 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,502 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2019-08-14 01:17:15,549 [root] INFO: Announced 32-bit process name: DOCUMENTS-7821.exe pid: 2848
2019-08-14 01:17:15,549 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:17:15,549 [lib.api.process] INFO: 32-bit DLL to inject is C:\vjiqdb\dll\eYjpwTn.dll, loader C:\vjiqdb\bin\IezMJWb.exe
2019-08-14 01:17:15,642 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:17:15,690 [root] DEBUG: Loader: Injecting process 2848 (thread 0) with C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,690 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2264, handle 0x9c
2019-08-14 01:17:15,690 [root] DEBUG: Process image base: 0x00400000
2019-08-14 01:17:15,690 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-08-14 01:17:15,690 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-08-14 01:17:15,690 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,690 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2019-08-14 01:17:15,736 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0005495E (process 2848).
2019-08-14 01:17:15,736 [root] INFO: Announced 32-bit process name: DOCUMENTS-7821.exe pid: 2848
2019-08-14 01:17:15,736 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:17:15,736 [lib.api.process] INFO: 32-bit DLL to inject is C:\vjiqdb\dll\eYjpwTn.dll, loader C:\vjiqdb\bin\IezMJWb.exe
2019-08-14 01:17:15,736 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:17:15,736 [root] DEBUG: Loader: Injecting process 2848 (thread 2264) with C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,752 [root] DEBUG: Process image base: 0x00400000
2019-08-14 01:17:15,752 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-08-14 01:17:15,752 [root] DEBUG: DLL unloaded from 0x000007FEFBAC0000.
2019-08-14 01:17:15,752 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-08-14 01:17:15,752 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\eYjpwTn.dll.
2019-08-14 01:17:15,752 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2019-08-14 01:17:15,782 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2848.
2019-08-14 01:17:15,782 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2848.
2019-08-14 01:17:15,829 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-14 01:17:15,907 [root] DEBUG: Process memory dumps disabled.
2019-08-14 01:17:15,924 [root] INFO: Disabling sleep skipping.
2019-08-14 01:17:15,924 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-14 01:17:15,924 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 2848 at 0x747a0000, image base 0x400000, stack from 0x286000-0x290000
2019-08-14 01:17:15,938 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe".
2019-08-14 01:17:15,938 [root] DEBUG: DLL unloaded from 0x70800000.
2019-08-14 01:17:15,938 [root] INFO: Added new process to list with pid: 2848
2019-08-14 01:17:15,938 [root] DEBUG: DLL unloaded from 0x75700000.
2019-08-14 01:17:15,938 [root] INFO: Monitor successfully loaded in process with pid 2848.
2019-08-14 01:17:15,954 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-08-14 01:17:15,954 [root] DEBUG: DLL loaded at 0x03980000: C:\vjiqdb\dll\eYjpwTn (0xb6000 bytes).
2019-08-14 01:17:15,954 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-14 01:17:15,954 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-14 01:17:15,954 [root] DEBUG: DLL unloaded from 0x74080000.
2019-08-14 01:17:15,954 [root] DEBUG: DLL unloaded from 0x03980000.
2019-08-14 01:17:15,986 [root] DEBUG: DLL unloaded from 0x74720000.
2019-08-14 01:17:15,986 [root] DEBUG: DLL loaded at 0x03980000: C:\vjiqdb\dll\eYjpwTn (0xb6000 bytes).
2019-08-14 01:17:15,986 [root] INFO: Notified of termination of process with pid 872.
2019-08-14 01:17:15,986 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-14 01:17:15,986 [root] DEBUG: DLL unloaded from 0x03980000.
2019-08-14 01:17:16,095 [root] DEBUG: DLL loaded at 0x03980000: C:\vjiqdb\dll\eYjpwTn (0xb6000 bytes).
2019-08-14 01:17:16,095 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-14 01:17:16,095 [root] DEBUG: DLL unloaded from 0x03980000.
2019-08-14 01:17:16,095 [root] DEBUG: DLL loaded at 0x03980000: C:\vjiqdb\dll\eYjpwTn (0xb6000 bytes).
2019-08-14 01:17:16,095 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-14 01:17:16,095 [root] DEBUG: DLL unloaded from 0x03980000.
2019-08-14 01:17:16,157 [root] DEBUG: DLL loaded at 0x03980000: C:\vjiqdb\dll\eYjpwTn (0xb6000 bytes).
2019-08-14 01:17:16,157 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-14 01:17:16,157 [root] DEBUG: DLL unloaded from 0x03980000.
2019-08-14 01:17:16,173 [root] DEBUG: DLL loaded at 0x03980000: C:\vjiqdb\dll\eYjpwTn (0xb6000 bytes).
2019-08-14 01:17:16,173 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-14 01:17:16,173 [root] DEBUG: DLL unloaded from 0x03980000.
2019-08-14 01:17:16,236 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x746A0000 to global list ().
2019-08-14 01:17:16,250 [root] DEBUG: DLL loaded at 0x746A0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-08-14 01:17:16,250 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x03980000 to global list ().
2019-08-14 01:17:16,250 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc8 amd local view 0x03980000 to global list ().
2019-08-14 01:17:16,250 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74000000 for section view with handle 0xc8 ().
2019-08-14 01:17:16,250 [root] DEBUG: DLL loaded at 0x74000000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x69b000 bytes).
2019-08-14 01:17:16,266 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73F20000 for section view with handle 0xc8 ().
2019-08-14 01:17:16,266 [root] DEBUG: DLL loaded at 0x73F20000: C:\Windows\system32\MSVCR110_CLR0400 (0xd3000 bytes).
2019-08-14 01:17:16,266 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2848, handle 0xf0.
2019-08-14 01:17:16,266 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 amd local view 0x00140000 to global list (\BaseNamedObjects\Cor_Private_IPCBlock_v4_2848).
2019-08-14 01:17:16,266 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00150000 to global list (\...\Cor_SxSPublic_IPCBlock).
2019-08-14 01:17:16,313 [root] INFO: Process with pid 872 has terminated
2019-08-14 01:17:16,313 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1ac amd local view 0x061C0000 to global list ().
2019-08-14 01:17:16,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f4 amd local view 0x71C00000 to global list ().
2019-08-14 01:17:16,328 [root] DEBUG: DLL loaded at 0x71C00000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni (0x102e000 bytes).
2019-08-14 01:17:16,345 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x74720000 to global list ().
2019-08-14 01:17:16,345 [root] DEBUG: DLL loaded at 0x74720000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x7d000 bytes).
2019-08-14 01:17:16,345 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x76EA0000 to global list (\KnownDlls32\OLEAUT32.dll).
2019-08-14 01:17:16,345 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-14 01:17:16,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 amd local view 0x732C0000 to global list ().
2019-08-14 01:17:16,437 [root] DEBUG: DLL loaded at 0x732C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni (0x99a000 bytes).
2019-08-14 01:17:16,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x71550000 for section view with handle 0x218 ().
2019-08-14 01:17:16,437 [root] DEBUG: DLL loaded at 0x71550000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni (0x6ae000 bytes).
2019-08-14 01:17:16,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 amd local view 0x73D40000 to global list ().
2019-08-14 01:17:16,453 [root] DEBUG: DLL loaded at 0x73D40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni (0x1dd000 bytes).
2019-08-14 01:17:16,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73120000 for section view with handle 0x218 ().
2019-08-14 01:17:16,516 [root] DEBUG: DLL loaded at 0x73120000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni (0x194000 bytes).
2019-08-14 01:17:16,516 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70900000 for section view with handle 0x214 ().
2019-08-14 01:17:16,516 [root] DEBUG: DLL loaded at 0x70900000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni (0xc4f000 bytes).
2019-08-14 01:17:16,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x74B10000 to global list ().
2019-08-14 01:17:16,578 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x12000 bytes).
2019-08-14 01:17:16,641 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06490000 for section view with handle 0x21c ().
2019-08-14 01:17:16,641 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2019-08-14 01:17:16,641 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-14 01:17:16,687 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2019-08-14 01:17:16,719 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-14 01:17:16,719 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-14 01:17:16,750 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-08-14 01:17:17,030 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-14 01:17:17,094 [root] DEBUG: DLL loaded at 0x730E0000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2019-08-14 01:17:17,125 [root] DEBUG: DLL loaded at 0x73080000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2019-08-14 01:17:17,187 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-08-14 01:17:17,187 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-08-14 01:17:17,250 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10ac amd local view 0x0000000005EC0000 to global list ().
2019-08-14 01:17:17,280 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 amd local view 0x0000000000C10000 to global list ().
2019-08-14 01:17:17,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 amd local view 0x0000000005EC0000 to global list ().
2019-08-14 01:17:37,154 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-08-14 01:17:47,825 [root] INFO: Stopped WMI Service
2019-08-14 01:17:47,825 [root] INFO: Attaching to DcomLaunch service (pid 568)
2019-08-14 01:17:47,825 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:17:47,825 [lib.api.process] INFO: 64-bit DLL to inject is C:\vjiqdb\dll\mpGklsT.dll, loader C:\vjiqdb\bin\yaxescRO.exe
2019-08-14 01:17:47,857 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:17:47,857 [root] DEBUG: Loader: Injecting process 568 (thread 0) with C:\vjiqdb\dll\mpGklsT.dll.
2019-08-14 01:17:47,857 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-14 01:17:47,918 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-14 01:17:47,918 [root] DEBUG: Process memory dumps disabled.
2019-08-14 01:17:47,982 [root] INFO: Disabling sleep skipping.
2019-08-14 01:17:48,043 [root] WARNING: Unable to place hook on LockResource
2019-08-14 01:17:48,043 [root] WARNING: Unable to hook LockResource
2019-08-14 01:17:48,105 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 568 at 0x000000006FCA0000, image base 0x00000000FF8E0000, stack from 0x0000000000616000-0x0000000000620000
2019-08-14 01:17:48,168 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2019-08-14 01:17:48,184 [root] INFO: Added new process to list with pid: 568
2019-08-14 01:17:48,184 [root] INFO: Monitor successfully loaded in process with pid 568.
2019-08-14 01:17:48,184 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-14 01:17:48,200 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-14 01:17:48,200 [root] DEBUG: Successfully injected DLL C:\vjiqdb\dll\mpGklsT.dll.
2019-08-14 01:18:20,319 [root] INFO: Started WMI Service
2019-08-14 01:18:20,319 [root] INFO: Attaching to WMI service (pid 816)
2019-08-14 01:18:20,335 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-14 01:18:20,335 [lib.api.process] INFO: 64-bit DLL to inject is C:\vjiqdb\dll\mpGklsT.dll, loader C:\vjiqdb\bin\yaxescRO.exe
2019-08-14 01:18:20,335 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OqMSZfS.
2019-08-14 01:18:20,335 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\vjiqdb\dll\mpGklsT.dll.
2019-08-14 01:18:20,335 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-14 01:20:14,887 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-08-14 01:20:14,887 [root] INFO: Created shutdown mutex.
2019-08-14 01:20:15,901 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2848
2019-08-14 01:20:15,901 [root] INFO: Terminate event set for process 2848.
2019-08-14 01:20:15,901 [root] INFO: Terminating process 2848 before shutdown.
2019-08-14 01:20:15,901 [root] INFO: Waiting for process 2848 to exit.
2019-08-14 01:20:16,914 [root] INFO: Waiting for process 2848 to exit.
2019-08-14 01:20:17,928 [root] INFO: Waiting for process 2848 to exit.
2019-08-14 01:20:18,943 [root] INFO: Waiting for process 2848 to exit.
2019-08-14 01:20:19,957 [lib.api.process] INFO: Successfully terminated process with pid 2848.
2019-08-14 01:20:19,957 [root] INFO: Waiting for process 2848 to exit.
2019-08-14 01:20:20,970 [root] INFO: Shutting down package.
2019-08-14 01:20:20,970 [root] INFO: Stopping auxiliary modules.
2019-08-14 01:20:20,970 [root] INFO: Finishing auxiliary modules.
2019-08-14 01:20:20,970 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-14 01:20:20,970 [root] WARNING: File at path "C:\cHSDykXXX\debugger" does not exist, skip.
2019-08-14 01:20:20,970 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name: target-02
Label: target-02
Manager: ESX
Started On: 2019-08-14 00:16:44
Shutdown On: 2019-08-14 00:20:40

File Details

File Name DOCUMENTS-7821.exe
File Size 798208 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 1e09a996ff682c8f96fcad4e5ebe5e22
SHA1 001c6eea49802b3e685d9b85917ba6e9053165e8
SHA256 cba21a1002265fdd1da16a1fb54bdddff5edeba67abeb72643abba54116605f1
SHA512 4393e9e4317358ba4d1e6121f11404e33336c1e766c38e5a5b83ae8235b115fb12d9c590fa3fb721f86431d773afae792eba1545cac729053eb962d49fc35ac0
CRC32 A0191D11
Ssdeep 12288:lTc5UVfzfP+yJIUTZkNXCs+/KsQ1tjSYwjmU99ym:lQEfrP+yJhAys+0dwom
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 872 trigged the Yara rule 'embedded_pe'
Hit: PID 872 trigged the Yara rule 'embedded_win_api'
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: MSCOREE.DLL/CLRCreateInstance
DynamicLoader: mscoreei.dll/CLRCreateInstance
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: KERNEL32.dll/AddVectoredExceptionHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredExceptionHandler
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/QueryThreadCycleTime
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/LoadLibrary
DynamicLoader: KERNEL32.dll/LoadLibraryW
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformation
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandler
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandlerW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: USER32.dll/GetClassInfo
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProc
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SystemParametersInfo
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/GetDC
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipCreateFontFromLogfontW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: KERNEL32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyA
DynamicLoader: KERNEL32.dll/RegCloseKey
DynamicLoader: KERNEL32.dll/RegCreateKeyExW
DynamicLoader: KERNEL32.dll/RegQueryValueExW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: MSCOREE.DLL/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: MSCOREE.DLL/ND_RU1
DynamicLoader: mscoreei.dll/ND_RU1_RetAddr
DynamicLoader: mscoreei.dll/ND_RU1
DynamicLoader: gdiplus.dll/GdipGetFontUnit
DynamicLoader: gdiplus.dll/GdipGetFontSize
DynamicLoader: gdiplus.dll/GdipGetFontStyle
DynamicLoader: gdiplus.dll/GdipGetFamily
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: gdiplus.dll/GdipCreateFromHDC
DynamicLoader: gdiplus.dll/GdipGetDpiY
DynamicLoader: gdiplus.dll/GdipGetFontHeight
DynamicLoader: gdiplus.dll/GdipGetEmHeight
DynamicLoader: gdiplus.dll/GdipGetLineSpacing
DynamicLoader: gdiplus.dll/GdipDeleteGraphics
DynamicLoader: gdiplus.dll/GdipCreateFont
DynamicLoader: USER32.dll/SystemParametersInfo
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: gdiplus.dll/GdipGetFamilyName
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/GetCurrentObject
DynamicLoader: GDI32.dll/SaveDC
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/CreateFontIndirect
DynamicLoader: GDI32.dll/CreateFontIndirectW
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/GetMapMode
DynamicLoader: GDI32.dll/GetTextMetricsW
DynamicLoader: USER32.dll/DrawTextExW
DynamicLoader: USER32.dll/DrawTextExWW
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/GetMonitorInfo
DynamicLoader: USER32.dll/GetMonitorInfoW
DynamicLoader: GDI32.dll/CreateDC
DynamicLoader: GDI32.dll/CreateDCW
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: USER32.dll/GetDoubleClickTime
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: KERNEL32.dll/WerRegisterMemoryBlock
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromScan0
DynamicLoader: gdiplus.dll/GdipGetImagePixelFormat
DynamicLoader: gdiplus.dll/GdipGetImageGraphicsContext
DynamicLoader: USER32.dll/GetSysColor
DynamicLoader: USER32.dll/GetSysColorW
DynamicLoader: gdiplus.dll/GdipGraphicsClear
DynamicLoader: gdiplus.dll/GdipCreateImageAttributes
DynamicLoader: gdiplus.dll/GdipSetImageAttributesColorKeys
DynamicLoader: gdiplus.dll/GdipDrawImageRectRectI
DynamicLoader: gdiplus.dll/GdipDisposeImageAttributes
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCID
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCIDW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: KERNEL32.dll/RegEnumValueW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyW
DynamicLoader: gdiplus.dll/GdipDeleteFont
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: gdiplus.dll/GdipCreateFontFamilyFromName
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipBitmapGetPixel
DynamicLoader: KERNEL32.dll/VirtualProtect
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: KERNEL32.dll/SetFileAttributes
DynamicLoader: KERNEL32.dll/SetFileAttributesW
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/LsaLookupNames2
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/LocalAllocW
DynamicLoader: ADVAPI32.dll/LsaLookupSids
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/GetTempFileName
DynamicLoader: KERNEL32.dll/GetTempFileNameW
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/ReleaseMutex
DynamicLoader: KERNEL32.dll/CreateMutex
DynamicLoader: KERNEL32.dll/CreateMutexW
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: PSAPI.DLL/EnumProcesses
DynamicLoader: PSAPI.DLL/EnumProcessesW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/UnregisterClass
DynamicLoader: USER32.dll/UnregisterClassW
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/DestroyWindowW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: GDI32.dll/RestoreDC
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: MSCOREE.DLL/CLRCreateInstance
DynamicLoader: mscoreei.dll/CLRCreateInstance
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: KERNEL32.dll/AddVectoredExceptionHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredExceptionHandler
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/QueryThreadCycleTime
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/MkParseDisplayName
A process created a hidden window
Process: DOCUMENTS-7821.exe -> schtasks.exe
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.90, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000a5400, virtual_size: 0x000a5244
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LIeDXmUzhdkSdI" /XML "C:\Users\user\AppData\Local\Temp\tmpB48F.tmp"
command: schtasks.exe /Create /TN "Updates\LIeDXmUzhdkSdI" /XML "C:\Users\user\AppData\Local\Temp\tmpB48F.tmp"
Behavioural detection: Injection (Process Hollowing)
Injection: DOCUMENTS-7821.exe(872) -> DOCUMENTS-7821.exe(2848)
Executed a process and injected code into it, probably while unpacking
Injection: DOCUMENTS-7821.exe(872) -> DOCUMENTS-7821.exe(2848)
Behavioural detection: Injection (inter-process)
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\LIeDXmUzhdkSdI.exe
Creates a copy of itself
copy: C:\Users\user\AppData\Roaming\LIeDXmUzhdkSdI.exe

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe.config
C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR110_CLR0400.dll
C:\Windows\System32\MSVCR110_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll.aux
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\KHGX\*
C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\staticcache.dat
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Users\user\AppData\Local\Temp\en-US\KHGX.resources.dll
C:\Users\user\AppData\Local\Temp\en-US\KHGX.resources\KHGX.resources.dll
C:\Users\user\AppData\Local\Temp\en-US\KHGX.resources.exe
C:\Users\user\AppData\Local\Temp\en-US\KHGX.resources\KHGX.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\user\AppData\Local\Temp\en\KHGX.resources.dll
C:\Users\user\AppData\Local\Temp\en\KHGX.resources\KHGX.resources.dll
C:\Users\user\AppData\Local\Temp\en\KHGX.resources.exe
C:\Users\user\AppData\Local\Temp\en\KHGX.resources\KHGX.resources.exe
C:\Users\user\AppData\Local\Temp\en-US\fHzaVY.resources.dll
C:\Users\user\AppData\Local\Temp\en-US\fHzaVY.resources\fHzaVY.resources.dll
C:\Users\user\AppData\Local\Temp\en-US\fHzaVY.resources.exe
C:\Users\user\AppData\Local\Temp\en-US\fHzaVY.resources\fHzaVY.resources.exe
C:\Users\user\AppData\Local\Temp\en\fHzaVY.resources.dll
C:\Users\user\AppData\Local\Temp\en\fHzaVY.resources\fHzaVY.resources.dll
C:\Users\user\AppData\Local\Temp\en\fHzaVY.resources.exe
C:\Users\user\AppData\Local\Temp\en\fHzaVY.resources\fHzaVY.resources.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Users\user\AppData\Roaming\LIeDXmUzhdkSdI.exe
C:\Users\user\AppData\Roaming\
C:\Users\user\AppData\Local\Temp\tmpB48F.tmp
\??\MountPointManager
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\psapi.dll
C:\Windows\sysnative\Tasks
C:\Windows\sysnative\Tasks\*
C:\Windows\sysnative\Tasks\Updates\LIeDXmUzhdkSdI
C:\Windows\sysnative\Tasks\Updates
C:\Windows\sysnative\Tasks\Updates\
C:\Windows\SysWOW64\net.exe
C:\Windows
C:\Windows\SysWOW64
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\*.*
C:\Windows\SysWOW64\ui\SwDRM.dll
C:\Windows\SysWOW64\net1.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\FQLQFIXENZV03e8423a#\*
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe.config
C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR110_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\staticcache.dat
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\user\AppData\Local\Temp\tmpB48F.tmp
C:\Windows\SysWOW64\net.exe
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\net1.exe
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\user\AppData\Roaming\LIeDXmUzhdkSdI.exe
C:\Users\user\AppData\Local\Temp\tmpB48F.tmp
C:\Users\user\AppData\Local\Temp\tmpB48F.tmp
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DOCUMENTS-7821.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_CURRENT_USER\EUDC\1252
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|DOCUMENTS-7821.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|DOCUMENTS-7821.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|DOCUMENTS-7821.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\DOCUMENTS-7821.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\BBB39CA1
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\LIeDXmUzhdkSdI
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\LIeDXmUzhdkSdI\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\LIeDXmUzhdkSdI\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}\DynamicInfo
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\Parameters\ServiceDllUnloadOnStop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\net.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\net1.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_CURRENT_USER\Software\Classes\WinMgmts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\BBB39CA1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}\DynamicInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\Parameters\ServiceDllUnloadOnStop
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\LIeDXmUzhdkSdI\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\LIeDXmUzhdkSdI\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{732A0466-7C63-4F32-87D3-D5675CCA1233}\DynamicInfo
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
clr.dll.SetRuntimeInfo
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.SetThreadStackGuarantee
mscoree.dll.CLRCreateInstance
mscoreei.dll.CLRCreateInstance
shlwapi.dll.PathFindFileNameW
kernel32.dll.IsWow64Process
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
kernel32.dll.AddVectoredExceptionHandler
kernel32.dll.RemoveVectoredExceptionHandler
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.QueryThreadCycleTime
kernel32.dll.GetFullPathNameW
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.RegisterWindowMessageW
user32.dll.GetSystemMetrics
kernel32.dll.GetModuleHandleW
kernel32.dll.LoadLibraryW
user32.dll.AdjustWindowRectEx
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetCurrentActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.GetProcAddress
kernel32.dll.WideCharToMultiByte
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
user32.dll.RegisterClassW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
kernel32.dll.DeactivateActCtx
advapi32.dll.EventRegister
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationA
kernel32.dll.SetConsoleCtrlHandler
user32.dll.GetClassInfoW
user32.dll.SystemParametersInfoW
user32.dll.GetDC
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipCreateFontFromLogfontW
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryInfoKeyA
kernel32.dll.RegCloseKey
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegQueryValueExW
mscoree.dll.ND_RI2
mscoreei.dll.ND_RI2
mscoree.dll.ND_RU1
mscoreei.dll.ND_RU1
gdiplus.dll.GdipGetFontUnit
gdiplus.dll.GdipGetFontSize
gdiplus.dll.GdipGetFontStyle
gdiplus.dll.GdipGetFamily
user32.dll.ReleaseDC
gdiplus.dll.GdipCreateFromHDC
gdiplus.dll.GdipGetDpiY
gdiplus.dll.GdipGetFontHeight
gdiplus.dll.GdipGetEmHeight
gdiplus.dll.GdipGetLineSpacing
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipCreateFont
gdiplus.dll.GdipGetFamilyName
gdi32.dll.CreateCompatibleDC
gdi32.dll.GetCurrentObject
gdi32.dll.SaveDC
gdi32.dll.GetDeviceCaps
gdi32.dll.CreateFontIndirectW
gdi32.dll.GetObjectW
gdi32.dll.SelectObject
gdi32.dll.GetMapMode
gdi32.dll.GetTextMetricsW
user32.dll.DrawTextExW
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
user32.dll.MonitorFromRect
user32.dll.GetMonitorInfoW
gdi32.dll.CreateDCW
gdi32.dll.DeleteDC
user32.dll.GetDoubleClickTime
gdiplus.dll.GdipCreateBitmapFromStream
windowscodecs.dll.DllGetClassObject
kernel32.dll.WerRegisterMemoryBlock
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipCreateBitmapFromScan0
gdiplus.dll.GdipGetImagePixelFormat
gdiplus.dll.GdipGetImageGraphicsContext
user32.dll.GetSysColor
gdiplus.dll.GdipGraphicsClear
gdiplus.dll.GdipCreateImageAttributes
gdiplus.dll.GdipSetImageAttributesColorKeys
gdiplus.dll.GdipDrawImageRectRectI
gdiplus.dll.GdipDisposeImageAttributes
gdiplus.dll.GdipDisposeImage
kernel32.dll.GetSystemDefaultLCID
kernel32.dll.RegEnumValueW
kernel32.dll.RegQueryInfoKeyW
gdiplus.dll.GdipDeleteFont
ole32.dll.CoCreateGuid
kernel32.dll.LCMapStringEx
gdiplus.dll.GdipCreateFontFamilyFromName
kernel32.dll.CompareStringOrdinal
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.ResolveLocaleName
gdiplus.dll.GdipLoadImageFromStream
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipBitmapGetPixel
kernel32.dll.VirtualProtect
shell32.dll.SHGetFolderPathW
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.SetNamedSecurityInfoW
ntmarta.dll.GetMartaExtensionInterface
kernel32.dll.CopyFileW
advapi32.dll.GetUserNameW
kernel32.dll.SetFileAttributesW
advapi32.dll.LsaClose
advapi32.dll.LsaFreeMemory
advapi32.dll.LsaOpenPolicy
advapi32.dll.LsaLookupNames2
kernel32.dll.CloseHandle
kernel32.dll.LocalFree
kernel32.dll.LocalAlloc
advapi32.dll.LsaLookupSids
kernel32.dll.GetTempPathW
kernel32.dll.GetTempFileNameW
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
shell32.dll.ShellExecuteEx
shell32.dll.ShellExecuteExW
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
kernel32.dll.ReleaseMutex
kernel32.dll.CreateMutexW
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.DeleteFileW
kernel32.dll.CreateProcessW
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
advapi32.dll.LookupPrivilegeValueW
psapi.dll.EnumProcesses
user32.dll.SetClassLongW
user32.dll.PostMessageW
user32.dll.UnregisterClassW
user32.dll.IsWindow
user32.dll.DestroyWindow
gdi32.dll.RestoreDC
gdi32.dll.DeleteObject
advapi32.dll.EventUnregister
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.QueryActCtxW
cryptsp.dll.CryptReleaseContext
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
sspicli.dll.GetUserNameExW
advapi32.dll.ConvertSidToStringSidW
bcrypt.dll.BCryptGetFipsAlgorithmMode
kernel32.dll.GetEnvironmentVariableW
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptCreateHash
ole32.dll.CreateBindCtx
ole32.dll.CoGetObjectContext
ole32.dll.MkParseDisplayName
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LIeDXmUzhdkSdI" /XML "C:\Users\user\AppData\Local\Temp\tmpB48F.tmp"
schtasks.exe /Create /TN "Updates\LIeDXmUzhdkSdI" /XML "C:\Users\user\AppData\Local\Temp\tmpB48F.tmp"
"C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe"

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x004a723e
Reported Checksum 0x00000000
Actual Checksum 0x000c440b
Minimum OS Version 4.0
Compile Time 2019-08-13 20:27:28
Import Hash f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00002000 0x000a5244 0x000a5400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.90
.rsrc 0x000a8000 0x0001d4dc 0x0001d600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.00
.reloc 0x000c6000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Imports

Library mscoree.dll:
0x402000 _CorExeMain

.text
`.rsrc
@.reloc
height
wpwwp
wpxwW
wtxwwW
`pprqw
xwxwxwwGpwG
wwwww
wwwww
wwwwwwsp
wwwwwwwwwp
wwxwxwwxW
wvvwGuwp
wwwww
e7'xwp
wwwww
swwxwp
wruwwxwwwwp
wwCCp
xwwww
uaa@p
wxwww`
wxxwwwt
wxwwwsp
wxwww
h6w#~
%j%aS
QfsQ1c
_A9j)T
S4GxZ"
19@`rqTb
xSt?#
zii1!
X:'?G
%?==N
(((R<<<j>==H
cHRM
9iCCPPhotoshop ICC profile
cHRM
cHRM
cHRM
9iCCPPhotoshop ICC profile
cHRM
$>)Ef
}hh`@aZ
v4.0.30319
#Strings
#GUID
#Blob
List`1
Int32
476823
26253
77163
ToInt16
get_B
SizeF
get_G
System.IO
get_R
mscorlib
System.Collections.Generic
Microsoft.VisualBasic
get_Red
get_DarkRed
add_ValueChanged
set_Enabled
set_DoubleBuffered
Synchronized
get_AppWorkspace
set_AutoScaleMode
FileMode
set_AutoSizeMode
set_BackgroundImage
AddRange
IDisposable
set_Visible
RuntimeTypeHandle
GetTypeFromHandle
FromFile
get_Purple
set_TickStyle
set_FormBorderStyle
FontStyle
set_Name
get_FileName
DateTime
set_Multiline
GetType
ButtonBase
ApplicationSettingsBase
TextBoxBase
Close
Dispose
Create
DebuggerBrowsableState
EditorBrowsableState
STAThreadAttribute
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
DebuggerBrowsableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
XmlIgnoreAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
XmlElementAttribute
XmlArrayAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
get_Blue
get_DarkBlue
get_Value
set_Value
set_Size
set_AutoSize
set_ClientSize
Serialize
Deserialize
ISupportInitialize
Padding
LateBinding
System.Runtime.Versioning
ToString
System.Drawing
SaveFileDialog
OpenFileDialog
CommonDialog
ShowDialog
get_Width
get_Black
add_Tick
add_Click
get_ControlDark
get_Teal
set_Interval
Label
System.ComponentModel
GetPixel
System.Xml
ContainerControl
UserControl
FileStream
Program
get_Item
ToolStripDropDownItem
ToolStripItem
ToolStripMenuItem
System
Random
get_ParentForm
set_Minimum
set_Maximum
TimeSpan
get_DarkGreen
set_TextAlign
set_Margin
set_Icon
Application
set_Location
set_CausesValidation
System.Configuration
System.Globalization
System.Xml.Serialization
System.Reflection
ControlCollection
ToolStripItemCollection
ArrangedElementCollection
ArgumentOutOfRangeException
get_Button
add_MouseDown
CultureInfo
DirectoryInfo
PropertyInfo
Bitmap
ToolStrip
MenuStrip
TrackBar
XmlReader
ComponentResourceManager
MouseEventHandler
System.CodeDom.Compiler
Timer
IContainer
Minesweeper
set_Filter
XmlSerializer
set_ForeColor
set_BackColor
set_UseVisualStyleBackColor
ToolStripSeparator
GetEnumerator
.ctor
.cctor
System.Diagnostics
System.Runtime.InteropServices
Microsoft.VisualBasic.CompilerServices
System.Runtime.CompilerServices
System.Resources
RctswZj6s8sY6oaIw8asaChdAfTnpU6JLHuWB0NmcWkIlkdXxHFz8AxJy0AVh1VGeRCjeLLaaXNLRK3lqLrR2DJicnc6jepRFDTBY5LS6EpgXAfv6kCYBzCnVF4DvC3oActMfuVtqWYmREcZs887hFGx0uq0qyhsIwDmYvp0TJYvVc.resources
Minesweeper.Controls.Cell.resources
Minesweeper.SizeForm.resources
Minesweeper.MainForm.resources
Minesweeper.Properties.Resources.resources
DebuggingModes
Minesweeper.Properties
EnableVisualStyles
BindingFlags
MouseEventArgs
Minesweeper.Controls
get_Controls
get_Items
get_DropDownItems
System.Windows.Forms
Contains
set_AutoScaleDimensions
MouseButtons
SystemColors
set_ShortcutKeys
RemoveAt
Concat
Subtract
GetObject
LateGet
get_Height
EndInit
BeginInit
GraphicsUnit
SetCompatibleTextRenderingDefault
set_DialogResult
HorizontalAlignment
Environment
IComponent
GetParent
get_Transparent
get_Current
Point
set_Font
get_Count
Start
Convert
System.Windows.Forms.Layout
SuspendLayout
set_BackgroundImageLayout
ResumeLayout
PerformLayout
MoveNext
set_Text
get_ControlText
get_Now
set_TabIndex
TextBox
get_Gray
Array
get_Assembly
set_ReadOnly
get_CurrentDirectory
op_Inequality
Empty
GetProperty
Minesweeper
2017
1.0.0.0
$89e899ae-f97e-4084-8ce0-32d5b42b0c6b
Panel Type
Neighboring Mine Count
Revealed Status
Flagged Status
X Dimension
Y Dimension
Mine Count
Matrix
First Click Status
16.0.0.0
16.1.0.0
_CorExeMain
mscoree.dll
pu+\O
Cq+\O
BG{}=
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
$this.Icon
empty
RctswZj6s8sY6oaIw8asaChdAfTnpU6JLHuWB0NmcWkIlkdXxHFz8AxJy0AVh1VGeRCjeLLaaXNLRK3lqLrR2DJicnc6jepRFDTBY5LS6EpgXAfv6kCYBzCnVF4DvC3oActMfuVtqWYmREcZs887hFGx0uq0qyhsIwDmYvp0TJYvVc
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
Minesweeper
FileVersion
1.0.0.0
InternalName
Minesweeper.exe
LegalCopyright
2017
LegalTrademarks
OriginalFilename
Minesweeper.exe
ProductName
Minesweeper
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0
This file is not on VirusTotal.

Process Tree


DOCUMENTS-7821.exe, PID: 872, Parent PID: 2584
Full Path: C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
Command Line: "C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe"
schtasks.exe, PID: 2924, Parent PID: 872
Full Path: C:\Windows\SysWOW64\schtasks.exe
Command Line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LIeDXmUzhdkSdI" /XML "C:\Users\user\AppData\Local\Temp\tmpB48F.tmp"
svchost.exe, PID: 816, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
DOCUMENTS-7821.exe, PID: 2848, Parent PID: 872
Full Path: C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
Command Line: "C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe"
svchost.exe, PID: 568, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k DcomLaunch

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name GDIPFONTCACHEV1.DAT
Associated Filenames
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
File Size 86096 bytes
File Type data
MD5 1bba2e8a1b56ec52dd7805093b4839d3
SHA1 8d507ec6e5c4af348304f38c85227cbdca17a1f3
SHA256 2df0e9bc46893be214dc9da3ce78ba97b4176ee761ec3f38f0139297490f5341
CRC32 AEF024B5
Ssdeep 768:3v4h0tHgTlF1AphohIqrT43MTxK8PU/NBxZysNAp:Qh0tHgTlF1AphADhTxK8PU/NBD6p
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
File name LIeDXmUzhdkSdI.exe
Associated Filenames
C:\Users\user\AppData\Roaming\LIeDXmUzhdkSdI.exe
File Size 798208 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 1e09a996ff682c8f96fcad4e5ebe5e22
SHA1 001c6eea49802b3e685d9b85917ba6e9053165e8
SHA256 cba21a1002265fdd1da16a1fb54bdddff5edeba67abeb72643abba54116605f1
CRC32 A0191D11
Ssdeep 12288:lTc5UVfzfP+yJIUTZkNXCs+/KsQ1tjSYwjmU99ym:lQEfrP+yJhAys+0dwom
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
File name tmpB48F.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\tmpB48F.tmp
File Size 1643 bytes
File Type XML 1.0 document, ASCII text, with CRLF line terminators
MD5 c2f4bb27f11917bb6a3d63d640c3ea1e
SHA1 56ec443bbb7531153a6d9ef148942fc9d762c6f8
SHA256 2a0b30eea11d8b8b8707bd24c2779e6cb75d778f64c56bdbb6f9aabe5b3a94ed
CRC32 F4D09313
Ssdeep 24:2dH4+SEqCMm7slNMFM/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBPOtn:cbhL7slNQM/rydbz9I3YODOLNdq3Fo
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>WIN7-X64-CUCKOO\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>WIN7-X64-CUCKOO\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>WIN7-X64-CUCKOO\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\LIeDXmUzhdkSdI.exe</Command>
    </Exec>
  </Actions>
</Task>
Type Injected PE Image: 32-bit executable
Size 340480 bytes
Target Process DOCUMENTS-7821.exe
Target PID 2848
Target Path C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
Injecting Process DOCUMENTS-7821.exe
Injecting PID 872
Path C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
MD5 5344e602f5d81521938f93a5cda87f10
SHA1 37ed648e13ab24ed45d558c6ff126f0d6b8be802
SHA256 0afc32748614f6b496736025a7f3545f6bc3f552161d14693ce126d3351508ca
CRC32 C6BAB7F0
Ssdeep 6144:yF62YawTfPrPxQaHYjsyNAdyJpEo4x4xluKCa8AH3Kbhz:cpwTPrPWEcse6oKwuKCa8
Yara None matched
CAPE Yara None matched
Type Injected Shellcode/Data
Size 338432 bytes
Target Process DOCUMENTS-7821.exe
Target PID 2848
Target Path C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
Injecting Process DOCUMENTS-7821.exe
Injecting PID 872
Path C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
MD5 3c56af70337642aa8300cd4f35ac57b3
SHA1 f54fdc06f449860fa5e0920ca05738cf34b91fff
SHA256 041f26c8b20cb439cbf3193c46f720bb3d4382151f8502195c34f96d7d575d48
CRC32 1D8A5B34
Ssdeep 6144:zF62YawTfPrPxQaHYjsyNAdyJpEo4x4xluKCa8AH3Kbhz:ppwTPrPWEcse6oKwuKCa8
Yara
  • embedded_pe - Contains an embedded PE32 file
  • embedded_win_api - A non-Windows executable contains win32 API functions names
CAPE Yara None matched
Type Injected Shellcode/Data
Size 1024 bytes
Target Process DOCUMENTS-7821.exe
Target PID 2848
Target Path C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
Injecting Process DOCUMENTS-7821.exe
Injecting PID 872
Path C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
MD5 98bb458d12daeb7ca649ff97ce9808ac
SHA1 b223c6ee877d5c9f4a2c3cc4461f324d77fc8444
SHA256 22576fad78baf049846dbec7221bb6972d97c266bf57115c74abf79a8191915a
CRC32 57F12922
Ssdeep 12:EsaEi3ntdXRAHaYAjX9aUGiqMZAiN5FkrysW1gl8rwXOdYnqqlW1gl8rwXPPN5Du:atxMIAuZhN4lVOgXlVPPNnq
Yara None matched
CAPE Yara None matched
Type Injected Shellcode/Data
Size 512 bytes
Target Process DOCUMENTS-7821.exe
Target PID 2848
Target Path C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
Injecting Process DOCUMENTS-7821.exe
Injecting PID 872
Path C:\Users\user\AppData\Local\Temp\DOCUMENTS-7821.exe
MD5 f1f826cf4bcfa0026419959f200ffeb9
SHA1 1eddc258c1d8309f926a2a2b10d5a1bfe7e12e27
SHA256 86686713b34f7eb1592b1b71fa8b0bc8db752a5720157f36ad86f6d67fb55676
CRC32 3449FCE2
Ssdeep 3:E:
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Processing ( 4.333 seconds )

  • 1.635 Static
  • 1.125 CAPE
  • 0.506 BehaviorAnalysis
  • 0.399 Dropped
  • 0.342 TargetInfo
  • 0.155 TrID
  • 0.075 static_dotnet
  • 0.051 Strings
  • 0.03 Deduplicate
  • 0.009 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.284 seconds )

  • 0.024 stealth_timeout
  • 0.019 antiav_detectreg
  • 0.017 decoy_document
  • 0.016 api_spamming
  • 0.011 stealth_file
  • 0.009 Doppelganging
  • 0.009 injection_createremotethread
  • 0.009 InjectionCreateRemoteThread
  • 0.009 antiav_detectfile
  • 0.009 infostealer_ftp
  • 0.007 mimics_filetime
  • 0.007 antivm_generic_disk
  • 0.006 infostealer_bitcoin
  • 0.006 infostealer_im
  • 0.005 injection_runpe
  • 0.005 virus
  • 0.004 malicious_dynamic_function_loading
  • 0.004 InjectionInterProcess
  • 0.004 bootkit
  • 0.004 antidebug_guardpages
  • 0.004 antiemu_wine_func
  • 0.004 InjectionProcessHollowing
  • 0.004 reads_self
  • 0.004 dynamic_function_loading
  • 0.004 antianalysis_detectreg
  • 0.004 infostealer_mail
  • 0.004 ransomware_files
  • 0.003 exploit_heapspray
  • 0.003 stack_pivot
  • 0.003 antivm_generic_scsi
  • 0.003 infostealer_browser_password
  • 0.003 persistence_autorun
  • 0.003 kovter_behavior
  • 0.003 hancitor_behavior
  • 0.003 antivm_vbox_files
  • 0.003 ransomware_extensions
  • 0.002 antiav_avast_libs
  • 0.002 exploit_getbasekerneladdress
  • 0.002 antivm_generic_services
  • 0.002 exploit_gethaldispatchtable
  • 0.002 antivm_vbox_libs
  • 0.002 antidbg_windows
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_keys
  • 0.002 browser_security
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 rat_nanocore
  • 0.001 infostealer_browser
  • 0.001 recon_programs
  • 0.001 betabot_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 exec_crash
  • 0.001 PlugX
  • 0.001 InjectionSetWindowLong
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 ransomware_message
  • 0.001 antiav_bitdefender_libs
  • 0.001 antidbg_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 geodo_banking_trojan
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 rat_pcclient

Reporting ( 0.005 seconds )

  • 0.005 CompressResults
Task ID 87760
Mongo ID 5d5353e6399c393247a5c28b
Cuckoo release 1.3-CAPE