Analysis

Category: URL
Package: ie
Started: 2019-10-09 07:21:06
Completed: 2019-10-09 07:25:01
Duration: 235 seconds
  • Info: Behavioral log 2368.bson too big to be processed, skipped. Increase analysis_size_limit in cuckoo.conf
route = internet
procdump = 1
2019-10-09 08:21:06,015 [root] INFO: Date set to: 10-09-19, time set to: 07:21:06, timeout set to: 200
2019-10-09 08:21:06,015 [root] DEBUG: Starting analyzer from: C:\whyqyg
2019-10-09 08:21:06,015 [root] DEBUG: Storing results at: C:\kMfdnmcF
2019-10-09 08:21:06,015 [root] DEBUG: Pipe server name: \\.\PIPE\xHTHuKTTB
2019-10-09 08:21:06,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-09 08:21:06,015 [root] INFO: Automatically selected analysis package "ie"
2019-10-09 08:21:06,358 [root] DEBUG: Started auxiliary module Browser
2019-10-09 08:21:06,358 [root] DEBUG: Started auxiliary module Curtain
2019-10-09 08:21:06,358 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2019-10-09 08:21:06,358 [root] DEBUG: Started auxiliary module DigiSig
2019-10-09 08:21:06,358 [root] DEBUG: Started auxiliary module Disguise
2019-10-09 08:21:06,358 [root] DEBUG: Started auxiliary module Human
2019-10-09 08:21:06,358 [root] DEBUG: Started auxiliary module Screenshots
2019-10-09 08:21:06,358 [root] DEBUG: Started auxiliary module Sysmon
2019-10-09 08:21:06,358 [root] DEBUG: Started auxiliary module Usage
2019-10-09 08:21:06,358 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2019-10-09 08:21:06,358 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2019-10-09 08:21:06,421 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""https://scontent-iad3-1.xx.fbcdn.net/v/t1.0-0/s280x280/70929350_2869861603028062_5754662131123355648_n.jpg?_nc_cat=110&_nc_oc=AQmkuL4QgYxV5VpxGFAir1kO7gEbMHHJXq51yXqG9lBS8G4jbxCrqgniLlZuW8nyPRQ&_nc_ht=scontent-iad3-1.xx&oh=2d5adbdcdc9d0a67cbad0538ffd643fd&oe=5E354076"" with pid 3012
2019-10-09 08:21:06,421 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:21:06,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\whyqyg\dll\sRimYr.dll, loader C:\whyqyg\bin\kxMXSTu.exe
2019-10-09 08:21:06,529 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:21:06,529 [root] DEBUG: Loader: Injecting process 3012 (thread 3016) with C:\whyqyg\dll\sRimYr.dll.
2019-10-09 08:21:06,529 [root] DEBUG: Process image base: 0x00300000
2019-10-09 08:21:06,529 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\whyqyg\dll\sRimYr.dll.
2019-10-09 08:21:06,529 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x003A6000 - 0x77110000
2019-10-09 08:21:06,529 [root] DEBUG: InjectDllViaIAT: Allocated 0x214 bytes for new import table at 0x003B0000.
2019-10-09 08:21:06,529 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 08:21:06,529 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\sRimYr.dll.
2019-10-09 08:21:06,546 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3012
2019-10-09 08:21:08,558 [lib.api.process] INFO: Successfully resumed process with pid 3012
2019-10-09 08:21:08,558 [root] INFO: Added new process to list with pid: 3012
2019-10-09 08:21:08,651 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 08:21:08,651 [root] DEBUG: Process dumps enabled.
2019-10-09 08:21:08,713 [root] INFO: Disabling sleep skipping.
2019-10-09 08:21:08,713 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 08:21:08,713 [root] INFO: Disabling sleep skipping.
2019-10-09 08:21:08,730 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3012 at 0x74940000, image base 0x300000, stack from 0x2c2000-0x2d0000
2019-10-09 08:21:08,730 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" "https:\scontent-iad3-1.xx.fbcdn.net\v\t1.0-0\s280x280\70929350_2869861603028062_5754662131123355648_n.jpg?_nc_cat=110&_nc_oc=AQmkuL4QgYxV5VpxGFAir1kO7
2019-10-09 08:21:08,730 [root] INFO: Monitor successfully loaded in process with pid 3012.
2019-10-09 08:21:08,744 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-09 08:21:08,808 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-09 08:21:08,838 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-09 08:21:08,854 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 08:21:08,885 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-09 08:21:08,901 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-09 08:21:08,901 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-09 08:21:08,917 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-09 08:21:08,917 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-09 08:21:08,917 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-09 08:21:08,917 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 08:21:08,947 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 08:21:08,963 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2019-10-09 08:21:08,979 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-09 08:21:08,979 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-09 08:21:08,979 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-09 08:21:08,994 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-09 08:21:08,994 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-09 08:21:09,056 [root] DEBUG: DLL loaded at 0x74360000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-09 08:21:09,072 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-09 08:21:09,072 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 08:21:09,072 [root] DEBUG: DLL unloaded from 0x74360000.
2019-10-09 08:21:09,072 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-09 08:21:09,072 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 08:21:09,088 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 08:21:09,104 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-09 08:21:09,213 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-09 08:21:09,213 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-09 08:21:09,229 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2320
2019-10-09 08:21:12,240 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:21:12,348 [lib.api.process] INFO: 32-bit DLL to inject is C:\whyqyg\dll\sRimYr.dll, loader C:\whyqyg\bin\kxMXSTu.exe
2019-10-09 08:21:12,348 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:21:12,348 [root] DEBUG: Loader: Injecting process 2320 (thread 336) with C:\whyqyg\dll\sRimYr.dll.
2019-10-09 08:21:12,348 [root] DEBUG: Process image base: 0x00300000
2019-10-09 08:21:12,348 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\whyqyg\dll\sRimYr.dll.
2019-10-09 08:21:12,348 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x003A6000 - 0x004A0000
2019-10-09 08:21:12,348 [root] DEBUG: InjectDllViaIAT: Allocated 0x214 bytes for new import table at 0x003B0000.
2019-10-09 08:21:12,348 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 08:21:12,348 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\sRimYr.dll.
2019-10-09 08:21:12,348 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2320
2019-10-09 08:21:12,348 [root] DEBUG: DLL unloaded from 0x00300000.
2019-10-09 08:21:12,348 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2320
2019-10-09 08:21:12,348 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:21:12,348 [lib.api.process] INFO: 32-bit DLL to inject is C:\whyqyg\dll\sRimYr.dll, loader C:\whyqyg\bin\kxMXSTu.exe
2019-10-09 08:21:12,348 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:21:12,348 [root] DEBUG: Loader: Injecting process 2320 (thread 336) with C:\whyqyg\dll\sRimYr.dll.
2019-10-09 08:21:12,348 [root] DEBUG: Process image base: 0x00300000
2019-10-09 08:21:12,364 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\whyqyg\dll\sRimYr.dll.
2019-10-09 08:21:12,364 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-09 08:21:12,364 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\sRimYr.dll.
2019-10-09 08:21:12,364 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2320
2019-10-09 08:21:12,364 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-09 08:21:12,364 [root] DEBUG: DLL loaded at 0x74320000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-09 08:21:12,364 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-09 08:21:12,364 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 08:21:12,364 [root] DEBUG: Process dumps enabled.
2019-10-09 08:21:12,364 [root] INFO: Disabling sleep skipping.
2019-10-09 08:21:12,380 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-09 08:21:12,380 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-10-09 08:21:12,380 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 08:21:12,380 [root] DEBUG: DLL unloaded from 0x74320000.
2019-10-09 08:21:12,380 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 08:21:12,380 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2320 at 0x74940000, image base 0x300000, stack from 0x592000-0x5a0000
2019-10-09 08:21:12,380 [root] DEBUG: DLL loaded at 0x74310000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-09 08:21:12,395 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3012 CREDAT:79873.
2019-10-09 08:21:12,395 [root] INFO: Added new process to list with pid: 2320
2019-10-09 08:21:12,395 [root] INFO: Monitor successfully loaded in process with pid 2320.
2019-10-09 08:21:12,395 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-09 08:21:12,411 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-09 08:21:12,411 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-09 08:21:12,411 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-09 08:21:12,411 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 08:21:12,411 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-09 08:21:12,441 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-09 08:21:12,473 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-09 08:21:12,489 [root] DEBUG: DLL loaded at 0x742D0000: C:\Program Files (x86)\Internet Explorer\IEShims (0x35000 bytes).
2019-10-09 08:21:12,505 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-09 08:21:12,505 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-09 08:21:12,519 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-09 08:21:12,519 [root] DEBUG: DLL loaded at 0x74290000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-09 08:21:12,519 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-09 08:21:12,519 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-09 08:21:12,519 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 08:21:12,536 [root] DEBUG: DLL loaded at 0x74280000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-09 08:21:12,536 [root] DEBUG: DLL unloaded from 0x74290000.
2019-10-09 08:21:12,536 [root] DEBUG: DLL loaded at 0x742C0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-09 08:21:12,536 [root] DEBUG: DLL loaded at 0x74240000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-09 08:21:12,582 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 08:21:12,582 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-09 08:21:12,582 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-09 08:21:12,582 [root] DEBUG: DLL unloaded from 0x74810000.
2019-10-09 08:21:12,582 [root] DEBUG: DLL unloaded from 0x742A0000.
2019-10-09 08:21:12,582 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-09 08:21:12,582 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 08:21:12,582 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 08:21:12,598 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2019-10-09 08:21:12,598 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:21:12,598 [lib.api.process] INFO: 64-bit DLL to inject is C:\whyqyg\dll\lToEOtyd.dll, loader C:\whyqyg\bin\dmrTeeXr.exe
2019-10-09 08:21:12,598 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:21:12,598 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:21:12,598 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-09 08:21:12,630 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 08:21:12,630 [root] DEBUG: Process dumps enabled.
2019-10-09 08:21:12,630 [root] INFO: Disabling sleep skipping.
2019-10-09 08:21:12,630 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 08:21:12,644 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 08:21:12,644 [root] DEBUG: DLL loaded at 0x74000000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-09 08:21:12,661 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-09 08:21:12,661 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 08:21:12,691 [root] WARNING: Unable to place hook on LockResource
2019-10-09 08:21:12,691 [root] WARNING: Unable to hook LockResource
2019-10-09 08:21:12,707 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-09 08:21:12,769 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1632 at 0x0000000074100000, image base 0x00000000FF900000, stack from 0x0000000006D22000-0x0000000006D30000
2019-10-09 08:21:12,769 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-09 08:21:12,769 [root] INFO: Added new process to list with pid: 1632
2019-10-09 08:21:12,769 [root] INFO: Monitor successfully loaded in process with pid 1632.
2019-10-09 08:21:12,769 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-09 08:21:12,769 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-09 08:21:12,786 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:21:12,816 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\system32\IEUI (0x2d000 bytes).
2019-10-09 08:21:12,848 [root] DEBUG: DLL loaded at 0x73FC0000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-10-09 08:21:12,894 [root] DEBUG: DLL loaded at 0x73F90000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-10-09 08:21:12,926 [root] DEBUG: DLL loaded at 0x74000000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-09 08:21:12,941 [root] DEBUG: DLL unloaded from 0x74000000.
2019-10-09 08:21:12,957 [root] DEBUG: DLL loaded at 0x73F80000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-09 08:21:12,973 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-09 08:21:13,160 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-09 08:21:13,160 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 08:21:13,160 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 08:21:13,176 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 08:21:13,207 [root] DEBUG: DLL loaded at 0x73ED0000: C:\Windows\system32\xmllite (0x2f000 bytes).
2019-10-09 08:21:13,299 [root] DEBUG: DLL loaded at 0x73D60000: C:\Windows\system32\explorerframe (0x16f000 bytes).
2019-10-09 08:21:13,346 [root] DEBUG: DLL loaded at 0x73D30000: C:\Windows\system32\DUser (0x2f000 bytes).
2019-10-09 08:21:13,362 [root] DEBUG: DLL loaded at 0x73C70000: C:\Windows\system32\DUI70 (0xb2000 bytes).
2019-10-09 08:21:13,487 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-09 08:21:13,487 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-09 08:21:13,487 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-09 08:21:13,487 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-09 08:21:13,487 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-09 08:21:13,487 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-09 08:21:13,487 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-09 08:21:13,487 [root] DEBUG: DLL loaded at 0x73F90000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-10-09 08:21:13,503 [root] DEBUG: DLL loaded at 0x73BD0000: C:\Windows\system32\msfeeds (0x96000 bytes).
2019-10-09 08:21:13,596 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-10-09 08:21:13,596 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-10-09 08:21:13,628 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-09 08:21:13,628 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-10-09 08:21:13,644 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-09 08:21:13,658 [root] DEBUG: DLL loaded at 0x73B80000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim (0x11000 bytes).
2019-10-09 08:21:13,658 [root] DEBUG: DLL loaded at 0x73AE0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2019-10-09 08:21:13,674 [root] DEBUG: DLL loaded at 0x72EE0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80 (0x87000 bytes).
2019-10-09 08:21:13,706 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper (0x10000 bytes).
2019-10-09 08:21:13,970 [root] DEBUG: DLL loaded at 0x74CE0000: C:\PROGRA~2\MICROS~1\Office14\URLREDIR (0x91000 bytes).
2019-10-09 08:21:13,986 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-09 08:21:14,049 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2019-10-09 08:21:14,049 [root] DEBUG: DLL loaded at 0x74D80000: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90 (0xa3000 bytes).
2019-10-09 08:21:14,065 [root] DEBUG: DLL loaded at 0x74CB0000: C:\PROGRA~2\MICROS~1\Office14\MSOHEV (0x14000 bytes).
2019-10-09 08:21:14,127 [root] DEBUG: DLL loaded at 0x74CA0000: C:\Program Files (x86)\Java\jre7\bin\jp2ssv (0xf000 bytes).
2019-10-09 08:21:14,142 [root] DEBUG: DLL loaded at 0x746A0000: C:\Program Files (x86)\Java\jre7\bin\MSVCR100 (0xbe000 bytes).
2019-10-09 08:21:14,174 [root] DEBUG: set_caller_info: Adding region at 0x04480000 to caller regions list (ntdll::LdrLoadDll).
2019-10-09 08:21:14,204 [root] DEBUG: set_caller_info: Adding region at 0x01FB0000 to caller regions list (advapi32::RegOpenKeyExA).
2019-10-09 08:21:14,204 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-09 08:21:14,220 [root] DEBUG: DLL loaded at 0x74770000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-09 08:21:14,313 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-09 08:21:14,313 [root] DEBUG: DLL loaded at 0x74320000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-09 08:21:14,313 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-09 08:21:14,329 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-09 08:21:14,329 [root] DEBUG: DLL loaded at 0x74310000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-09 08:21:14,329 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 08:21:14,345 [root] DEBUG: DLL unloaded from 0x74320000.
2019-10-09 08:21:14,345 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-09 08:21:14,345 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-09 08:21:14,345 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-09 08:21:14,361 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-09 08:21:14,361 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-09 08:21:14,361 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-09 08:21:14,361 [root] DEBUG: DLL loaded at 0x74280000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-09 08:21:14,361 [root] DEBUG: DLL loaded at 0x742C0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-09 08:21:14,361 [root] DEBUG: DLL loaded at 0x74240000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-09 08:21:14,361 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 08:21:14,361 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-09 08:21:14,361 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-09 08:21:14,377 [root] DEBUG: DLL unloaded from 0x74810000.
2019-10-09 08:21:14,377 [root] DEBUG: DLL unloaded from 0x742A0000.
2019-10-09 08:21:14,502 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 08:21:14,516 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-10-09 08:21:14,563 [root] DEBUG: DLL loaded at 0x74680000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-10-09 08:21:14,563 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\wintrust (0x2d000 bytes).
2019-10-09 08:21:14,595 [root] DEBUG: DLL loaded at 0x74640000: C:\Windows\system32\schannel (0x3a000 bytes).
2019-10-09 08:21:14,628 [root] INFO: Process with pid 1632 has terminated
2019-10-09 08:21:14,632 [root] DEBUG: DLL loaded at 0x74620000: C:\Windows\system32\DWMAPI (0x13000 bytes).
2019-10-09 08:21:14,635 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-10-09 08:21:14,645 [root] DEBUG: DLL loaded at 0x74770000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-09 08:21:14,676 [root] INFO: Announced 64-bit process name: explorer.exe pid: 3056
2019-10-09 08:21:14,865 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 08:21:14,946 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-10-09 08:21:16,640 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 08:21:16,750 [root] DEBUG: DLL loaded at 0x74760000: C:\Windows\system32\credssp (0x8000 bytes).
2019-10-09 08:21:16,765 [root] DEBUG: DLL unloaded from 0x74C70000.
2019-10-09 08:21:17,029 [root] DEBUG: DLL loaded at 0x745E0000: C:\Windows\system32\ncrypt (0x38000 bytes).
2019-10-09 08:21:17,029 [root] DEBUG: DLL loaded at 0x745C0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2019-10-09 08:21:17,029 [root] DEBUG: DLL loaded at 0x74580000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2019-10-09 08:21:17,062 [root] DEBUG: DLL loaded at 0x74560000: C:\Windows\system32\GPAPI (0x16000 bytes).
2019-10-09 08:21:17,092 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\system32\cryptnet (0x1c000 bytes).
2019-10-09 08:21:17,171 [root] DEBUG: DLL loaded at 0x741C0000: C:\Windows\system32\Cabinet (0x15000 bytes).
2019-10-09 08:21:17,201 [root] DEBUG: DLL loaded at 0x741B0000: C:\Windows\system32\DEVRTL (0xe000 bytes).
2019-10-09 08:21:17,201 [root] DEBUG: DLL unloaded from 0x75A70000.
2019-10-09 08:21:17,263 [root] DEBUG: DLL loaded at 0x74150000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2019-10-09 08:21:17,279 [root] DEBUG: DLL loaded at 0x74100000: C:\Windows\system32\webio (0x4f000 bytes).
2019-10-09 08:21:17,296 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 08:21:17,296 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 08:21:17,311 [root] DEBUG: DLL unloaded from 0x74150000.
2019-10-09 08:21:17,342 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 08:21:17,342 [root] DEBUG: DLL unloaded from 0x74150000.
2019-10-09 08:21:17,483 [root] DEBUG: DLL unloaded from 0x75A70000.
2019-10-09 08:21:17,483 [root] DEBUG: DLL unloaded from 0x74540000.
2019-10-09 08:21:17,592 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 08:21:17,608 [root] DEBUG: DLL unloaded from 0x74150000.
2019-10-09 08:21:17,622 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 08:21:17,622 [root] DEBUG: DLL unloaded from 0x74150000.
2019-10-09 08:21:17,717 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:21:17,717 [lib.api.process] INFO: 64-bit DLL to inject is C:\whyqyg\dll\lToEOtyd.dll, loader C:\whyqyg\bin\dmrTeeXr.exe
2019-10-09 08:21:17,717 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:21:17,717 [root] DEBUG: Loader: Injecting process 3056 (thread 0) with C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:21:17,717 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 884, handle 0x84
2019-10-09 08:21:17,732 [root] DEBUG: Process image base: 0x00000000FF7E0000
2019-10-09 08:21:17,732 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-09 08:21:17,747 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-09 08:21:17,747 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 08:21:17,747 [root] DEBUG: Process dumps enabled.
2019-10-09 08:21:17,747 [root] INFO: Disabling sleep skipping.
2019-10-09 08:21:17,747 [root] DEBUG: DLL unloaded from 0x74540000.
2019-10-09 08:21:17,747 [root] WARNING: Unable to place hook on LockResource
2019-10-09 08:21:17,763 [root] WARNING: Unable to hook LockResource
2019-10-09 08:21:17,763 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3056 at 0x0000000072E00000, image base 0x00000000FF7E0000, stack from 0x0000000004BD2000-0x0000000004BE0000
2019-10-09 08:21:17,763 [root] DEBUG: Commandline: C:\Windows\sysnative\explorer.exe.
2019-10-09 08:21:17,763 [root] INFO: Added new process to list with pid: 3056
2019-10-09 08:21:17,763 [root] INFO: Monitor successfully loaded in process with pid 3056.
2019-10-09 08:21:17,763 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-09 08:21:17,779 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-09 08:21:17,779 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 08:21:17,779 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:21:17,779 [root] DEBUG: DLL unloaded from 0x74150000.
2019-10-09 08:21:17,779 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 08:21:17,795 [root] DEBUG: DLL unloaded from 0x74150000.
2019-10-09 08:21:17,825 [root] DEBUG: DLL unloaded from 0x74540000.
2019-10-09 08:21:17,842 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 08:21:17,966 [root] WARNING: File at path "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\favicon[1].ico" does not exist, skip.
2019-10-09 08:21:18,043 [root] DEBUG: DLL loaded at 0x72840000: C:\Windows\SysWOW64\mshtml (0x5b7000 bytes).
2019-10-09 08:21:18,107 [root] DEBUG: DLL loaded at 0x72810000: C:\Windows\SysWOW64\msls31 (0x2a000 bytes).
2019-10-09 08:21:18,184 [root] DEBUG: DLL loaded at 0x739F0000: C:\Windows\system32\msimtf (0xb000 bytes).
2019-10-09 08:21:18,232 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-09 08:21:18,232 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-10-09 08:21:18,341 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 08:21:18,341 [root] DEBUG: DLL loaded at 0x000007FEF22D0000: C:\Windows\System32\ieframe (0xbb7000 bytes).
2019-10-09 08:21:18,355 [root] DEBUG: DLL loaded at 0x000007FEF96B0000: C:\Windows\System32\OLEACC (0x54000 bytes).
2019-10-09 08:21:18,355 [root] DEBUG: DLL loaded at 0x000007FEFF1C0000: C:\Windows\system32\iertutil (0x259000 bytes).
2019-10-09 08:21:18,730 [root] WARNING: File at path "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4W7O9ARC\favicon[1].ico" does not exist, skip.
2019-10-09 08:21:18,746 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-10-09 08:21:19,433 [root] DEBUG: DLL loaded at 0x000007FEF8020000: C:\Windows\system32\stobject (0x43000 bytes).
2019-10-09 08:21:19,480 [root] DEBUG: DLL loaded at 0x000007FEF7F60000: C:\Windows\system32\BatMeter (0xba000 bytes).
2019-10-09 08:21:19,494 [root] DEBUG: DLL loaded at 0x000007FEFAFA0000: C:\Windows\system32\WTSAPI32 (0x11000 bytes).
2019-10-09 08:21:19,558 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-10-09 08:21:19,572 [root] DEBUG: DLL loaded at 0x000007FEF7EF0000: C:\Windows\system32\prnfldr (0x69000 bytes).
2019-10-09 08:21:19,588 [root] DEBUG: DLL loaded at 0x000007FEF8A20000: C:\Windows\system32\WINSPOOL.DRV (0x71000 bytes).
2019-10-09 08:21:19,838 [root] DEBUG: DLL loaded at 0x000007FEF7E70000: C:\Windows\system32\dxp (0x74000 bytes).
2019-10-09 08:21:19,869 [root] DEBUG: DLL loaded at 0x000007FEFEB00000: C:\Windows\system32\urlmon (0x178000 bytes).
2019-10-09 08:21:19,869 [root] DEBUG: DLL loaded at 0x000007FEFEC80000: C:\Windows\system32\WININET (0x12a000 bytes).
2019-10-09 08:21:19,884 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFEC80000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:19,915 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFEB00000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:19,931 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7E70000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:19,931 [root] DEBUG: DLL loaded at 0x000007FEFB000000: C:\Windows\system32\Syncreg (0x16000 bytes).
2019-10-09 08:21:19,947 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB000000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,056 [root] DEBUG: DLL loaded at 0x000007FEFB0A0000: C:\Windows\ehome\ehSSO (0xb000 bytes).
2019-10-09 08:21:20,088 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB0A0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,088 [root] DEBUG: DLL unloaded from 0x000007FEFB0A0000.
2019-10-09 08:21:20,165 [root] DEBUG: DLL loaded at 0x000007FEF6F60000: C:\Windows\System32\netshell (0x28b000 bytes).
2019-10-09 08:21:20,165 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\System32\IPHLPAPI (0x27000 bytes).
2019-10-09 08:21:20,165 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-10-09 08:21:20,197 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\System32\WINNSI (0xb000 bytes).
2019-10-09 08:21:20,197 [root] DEBUG: DLL loaded at 0x000007FEFB300000: C:\Windows\System32\nlaapi (0x15000 bytes).
2019-10-09 08:21:20,213 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAED0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,227 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAF10000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,227 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB300000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,227 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6F60000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,275 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-09 08:21:20,384 [root] DEBUG: DLL loaded at 0x000007FEFAFF0000: C:\Windows\System32\AltTab (0x10000 bytes).
2019-10-09 08:21:20,384 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAFF0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,493 [root] DEBUG: DLL loaded at 0x000007FEF8710000: C:\Windows\system32\wpdshserviceobj (0x20000 bytes).
2019-10-09 08:21:20,493 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8710000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,509 [root] DEBUG: DLL loaded at 0x000007FEF7E30000: C:\Windows\system32\PortableDeviceTypes (0x39000 bytes).
2019-10-09 08:21:20,539 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7E30000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,539 [root] DEBUG: DLL loaded at 0x000007FEF91F0000: C:\Windows\system32\PortableDeviceApi (0xbd000 bytes).
2019-10-09 08:21:20,602 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF91F0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,602 [root] DEBUG: DLL loaded at 0x000007FEF6280000: C:\Windows\System32\pnidui (0x1bd000 bytes).
2019-10-09 08:21:20,602 [root] DEBUG: DLL loaded at 0x000007FEF7E10000: C:\Windows\System32\QUtil (0x1f000 bytes).
2019-10-09 08:21:20,602 [root] DEBUG: DLL loaded at 0x000007FEFCB00000: C:\Windows\System32\wevtapi (0x6d000 bytes).
2019-10-09 08:21:20,650 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCB00000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,664 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7E10000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,664 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6280000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,680 [root] DEBUG: DLL unloaded from 0x000007FEFB9C0000.
2019-10-09 08:21:20,696 [root] DEBUG: DLL loaded at 0x000007FEFD360000: C:\Windows\system32\WINTRUST (0x3a000 bytes).
2019-10-09 08:21:20,711 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFD360000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,727 [root] DEBUG: DLL unloaded from 0x000007FEFB3A0000.
2019-10-09 08:21:20,727 [root] DEBUG: DLL loaded at 0x000007FEFEAE0000: C:\Windows\system32\imagehlp (0x17000 bytes).
2019-10-09 08:21:20,759 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFEAE0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,759 [root] DEBUG: DLL loaded at 0x000007FEF7790000: C:\Windows\System32\cscobj (0x3f000 bytes).
2019-10-09 08:21:20,759 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7790000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,789 [root] DEBUG: DLL loaded at 0x000007FEF7DD0000: C:\Windows\System32\ncsi (0x38000 bytes).
2019-10-09 08:21:20,805 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2019-10-09 08:21:20,821 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2019-10-09 08:21:20,821 [root] DEBUG: DLL loaded at 0x000007FEFAE20000: C:\Windows\system32\fwpuclnt (0x53000 bytes).
2019-10-09 08:21:20,836 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4500000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,868 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4950000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,884 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAE20000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,884 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7DD0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,884 [root] DEBUG: DLL loaded at 0x000007FEF7D70000: C:\Windows\System32\srchadmin (0x58000 bytes).
2019-10-09 08:21:20,898 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7D70000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,898 [root] DEBUG: DLL loaded at 0x000007FEF57C0000: C:\Windows\system32\mssprxy (0x1d000 bytes).
2019-10-09 08:21:20,898 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF57C0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,898 [root] DEBUG: DLL loaded at 0x000007FEFAD90000: C:\Windows\system32\dhcpcsvc6 (0x11000 bytes).
2019-10-09 08:21:20,914 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-10-09 08:21:20,930 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFEE90000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,930 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAD90000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,930 [root] DEBUG: DLL unloaded from 0x000007FEF7D70000.
2019-10-09 08:21:20,930 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-09 08:21:20,946 [root] DEBUG: DLL loaded at 0x000007FEF7D20000: C:\Windows\system32\webcheck (0x4a000 bytes).
2019-10-09 08:21:20,961 [root] DEBUG: DLL loaded at 0x000007FEF9670000: C:\Windows\system32\MLANG (0x3b000 bytes).
2019-10-09 08:21:20,961 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9670000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,961 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7D20000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,976 [root] DEBUG: DLL loaded at 0x000007FEFAD70000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2019-10-09 08:21:20,976 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAD70000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:20,976 [root] DEBUG: DLL unloaded from 0x000007FEF7D20000.
2019-10-09 08:21:20,976 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-09 08:21:20,976 [root] DEBUG: DLL unloaded from 0x000007FEF7D70000.
2019-10-09 08:21:20,976 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-09 08:21:20,976 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\system32\credssp (0xa000 bytes).
2019-10-09 08:21:21,039 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC500000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,101 [root] DEBUG: DLL unloaded from 0x000007FEFC8F0000.
2019-10-09 08:21:21,118 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFE2F0000 to caller regions list (ntdll::NtCreateEvent).
2019-10-09 08:21:21,164 [root] DEBUG: DLL unloaded from 0x000007FEF7DD0000.
2019-10-09 08:21:21,257 [root] DEBUG: DLL loaded at 0x000007FEF61B0000: C:\Windows\System32\Actioncenter (0xc2000 bytes).
2019-10-09 08:21:21,273 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF61B0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,289 [root] DEBUG: DLL loaded at 0x000007FEF7DD0000: C:\Windows\system32\Wlanapi (0x20000 bytes).
2019-10-09 08:21:21,289 [root] DEBUG: DLL loaded at 0x000007FEFA990000: C:\Windows\system32\wlanutil (0x7000 bytes).
2019-10-09 08:21:21,319 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA990000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,319 [root] DEBUG: DLL loaded at 0x000007FEF7D10000: C:\Windows\system32\wwanapi (0x5e000 bytes).
2019-10-09 08:21:21,335 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-09 08:21:21,335 [root] DEBUG: DLL loaded at 0x000007FEFA890000: C:\Windows\system32\wwapi (0xd000 bytes).
2019-10-09 08:21:21,351 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA890000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,382 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7D10000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,398 [root] DEBUG: DLL unloaded from 0x000007FEF7D10000.
2019-10-09 08:21:21,460 [root] DEBUG: DLL loaded at 0x000007FEF5220000: C:\Windows\System32\SyncCenter (0x22b000 bytes).
2019-10-09 08:21:21,460 [root] INFO: Stopped Task Scheduler Service
2019-10-09 08:21:21,476 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5220000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,476 [root] INFO: Started Task Scheduler Service
2019-10-09 08:21:21,476 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:21:21,476 [lib.api.process] INFO: 64-bit DLL to inject is C:\whyqyg\dll\lToEOtyd.dll, loader C:\whyqyg\bin\dmrTeeXr.exe
2019-10-09 08:21:21,476 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:21:21,492 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:21:21,492 [root] DEBUG: DLL loaded at 0x000007FEF6060000: C:\Windows\system32\imapi2 (0x7f000 bytes).
2019-10-09 08:21:21,492 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-09 08:21:21,492 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 08:21:21,492 [root] DEBUG: Process dumps enabled.
2019-10-09 08:21:21,507 [root] INFO: Disabling sleep skipping.
2019-10-09 08:21:21,507 [root] WARNING: Unable to place hook on LockResource
2019-10-09 08:21:21,507 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6060000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,507 [root] WARNING: Unable to hook LockResource
2019-10-09 08:21:21,507 [root] DEBUG: DLL loaded at 0x000007FEF75C0000: C:\Windows\System32\QAgent (0x45000 bytes).
2019-10-09 08:21:21,507 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 816 at 0x0000000072E00000, image base 0x00000000FFA10000, stack from 0x0000000003DB6000-0x0000000003DC0000
2019-10-09 08:21:21,507 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-10-09 08:21:21,523 [root] INFO: Added new process to list with pid: 816
2019-10-09 08:21:21,523 [root] INFO: Monitor successfully loaded in process with pid 816.
2019-10-09 08:21:21,523 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-09 08:21:21,523 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-09 08:21:21,523 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF75C0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,523 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:21:21,539 [root] DEBUG: DLL unloaded from 0x000007FEF6280000.
2019-10-09 08:21:21,539 [root] DEBUG: DLL loaded at 0x000007FEF5B30000: C:\Windows\System32\bthprops.cpl (0xb5000 bytes).
2019-10-09 08:21:21,553 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5B30000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,553 [root] DEBUG: DLL loaded at 0x000007FEF5830000: C:\Windows\System32\hgcpl (0x55000 bytes).
2019-10-09 08:21:21,585 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5830000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,585 [root] DEBUG: DLL loaded at 0x000007FEF74C0000: C:\Windows\System32\provsvc (0x31000 bytes).
2019-10-09 08:21:21,585 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF74C0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,601 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9A00000 to caller regions list (msvcrt::memcpy).
2019-10-09 08:21:21,617 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF97C0000 to caller regions list (msvcrt::memcpy).
2019-10-09 08:21:21,617 [root] DEBUG: DLL loaded at 0x000007FEF9450000: C:\Windows\System32\netprofm (0x74000 bytes).
2019-10-09 08:21:21,617 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF80F0000 to caller regions list (msvcrt::memcpy).
2019-10-09 08:21:21,617 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF90B0000 to caller regions list (msvcrt::memcpy).
2019-10-09 08:21:21,617 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9450000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:21,631 [root] DEBUG: DLL unloaded from 0x000007FEF5830000.
2019-10-09 08:21:21,648 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF94D0000 to caller regions list (msvcrt::memcpy).
2019-10-09 08:21:21,898 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-09 08:21:23,239 [root] DEBUG: DLL loaded at 0x72440000: C:\Windows\System32\msxml3 (0x133000 bytes).
2019-10-09 08:21:23,380 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-09 08:21:23,380 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-10-09 08:21:23,394 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-10-09 08:21:23,473 [root] DEBUG: DLL unloaded from 0x000007FEFB9C0000.
2019-10-09 08:21:23,753 [root] DEBUG: DLL loaded at 0x000007FEFB140000: C:\Windows\system32\taskschd (0x127000 bytes).
2019-10-09 08:21:23,753 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB140000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:23,910 [root] DEBUG: DLL unloaded from 0x000007FEF8710000.
2019-10-09 08:21:24,549 [root] DEBUG: DLL loaded at 0x000007FEF5140000: C:\Windows\system32\fxsst (0xd7000 bytes).
2019-10-09 08:21:24,565 [root] DEBUG: DLL loaded at 0x000007FEF4D70000: C:\Windows\system32\FXSAPI (0x9d000 bytes).
2019-10-09 08:21:24,581 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4D70000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:24,581 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5140000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:21:24,581 [root] DEBUG: DLL unloaded from 0x000007FEFB0B0000.
2019-10-09 08:21:24,581 [root] DEBUG: DLL loaded at 0x0000000072350000: C:\Windows\system32\FXSRESM (0xe3000 bytes).
2019-10-09 08:21:24,767 [root] DEBUG: DLL unloaded from 0x000007FEFB9C0000.
2019-10-09 08:21:26,687 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 08:21:28,168 [root] DEBUG: DLL unloaded from 0x72840000.
2019-10-09 08:21:28,730 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 08:21:31,538 [root] DEBUG: DLL unloaded from 0x000007FEFA9C0000.
2019-10-09 08:21:31,538 [root] DEBUG: DLL unloaded from 0x000007FEFA9C0000.
2019-10-09 08:21:42,941 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-09 08:21:44,377 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-09 08:21:47,793 [root] DEBUG: DLL unloaded from 0x74540000.
2019-10-09 08:21:47,793 [root] DEBUG: DLL unloaded from 0x75790000.
2019-10-09 08:21:50,773 [root] DEBUG: DLL unloaded from 0x000007FEFD360000.
2019-10-09 08:21:50,773 [root] DEBUG: DLL unloaded from 0x000007FEFD1F0000.
2019-10-09 08:21:51,319 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-09 08:21:51,569 [root] DEBUG: DLL unloaded from 0x000007FEFB140000.
2019-10-09 08:21:51,569 [root] DEBUG: DLL unloaded from 0x000007FEF9450000.
2019-10-09 08:22:14,141 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-09 08:22:14,470 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-09 08:22:14,578 [root] DEBUG: DLL unloaded from 0x000007FEFAA20000.
2019-10-09 08:22:14,578 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-09 08:22:14,703 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-10-09 08:22:14,766 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF98D0000 to caller regions list (msvcrt::memcpy).
2019-10-09 08:22:14,828 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCEF0000 to caller regions list (ntdll::NtCreateFile).
2019-10-09 08:22:14,891 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-10-09 08:22:15,312 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8070000 to caller regions list (msvcrt::memcpy).
2019-10-09 08:22:17,573 [root] DEBUG: DLL unloaded from 0x74150000.
2019-10-09 08:22:17,698 [root] DEBUG: DLL unloaded from 0x000007FEF9B80000.
2019-10-09 08:22:18,058 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 08:22:20,631 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-10-09 08:22:20,772 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-10-09 08:22:20,788 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB0D0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:22:21,161 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2019-10-09 08:22:21,193 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4500000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:22:21,707 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4E10000 to caller regions list (msvcrt::memcpy).
2019-10-09 08:22:22,176 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA0C0000 to caller regions list (ntdll::NtWaitForSingleObject).
2019-10-09 08:22:22,908 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-10-09 08:22:22,940 [root] DEBUG: DLL unloaded from 0x000007FEFB0D0000.
2019-10-09 08:22:22,986 [root] DEBUG: DLL unloaded from 0x000007FEF8ED0000.
2019-10-09 08:22:23,033 [root] DEBUG: DLL unloaded from 0x000007FEF45C0000.
2019-10-09 08:22:23,128 [root] DEBUG: DLL unloaded from 0x000007FEF9950000.
2019-10-09 08:22:23,142 [root] DEBUG: DLL unloaded from 0x000007FEF4E10000.
2019-10-09 08:22:23,158 [root] DEBUG: DLL unloaded from 0x000007FEF94D0000.
2019-10-09 08:22:23,267 [root] DEBUG: DLL unloaded from 0x000007FEF8070000.
2019-10-09 08:22:23,283 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-10-09 08:22:26,138 [root] INFO: Stopped WMI Service
2019-10-09 08:22:26,138 [root] INFO: Attaching to DcomLaunch service (pid 564)
2019-10-09 08:22:26,138 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:22:26,138 [lib.api.process] INFO: 64-bit DLL to inject is C:\whyqyg\dll\lToEOtyd.dll, loader C:\whyqyg\bin\dmrTeeXr.exe
2019-10-09 08:22:26,371 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:22:26,371 [root] DEBUG: Loader: Injecting process 564 (thread 0) with C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:22:26,371 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 568, handle 0x84
2019-10-09 08:22:26,418 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-09 08:22:26,418 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-09 08:22:26,418 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-09 08:22:26,434 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 08:22:26,466 [root] DEBUG: Process dumps enabled.
2019-10-09 08:22:26,466 [root] INFO: Disabling sleep skipping.
2019-10-09 08:22:26,482 [root] WARNING: Unable to place hook on LockResource
2019-10-09 08:22:26,482 [root] WARNING: Unable to hook LockResource
2019-10-09 08:22:26,482 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 564 at 0x0000000072E00000, image base 0x00000000FFA10000, stack from 0x00000000022F6000-0x0000000002300000
2019-10-09 08:22:26,482 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2019-10-09 08:22:26,482 [root] INFO: Added new process to list with pid: 564
2019-10-09 08:22:26,482 [root] INFO: Monitor successfully loaded in process with pid 564.
2019-10-09 08:22:26,482 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-09 08:22:26,482 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-09 08:22:26,482 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:22:31,395 [root] INFO: Started WMI Service
2019-10-09 08:22:31,801 [root] INFO: Attaching to WMI service (pid 2368)
2019-10-09 08:22:31,801 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:22:31,801 [lib.api.process] INFO: 64-bit DLL to inject is C:\whyqyg\dll\lToEOtyd.dll, loader C:\whyqyg\bin\dmrTeeXr.exe
2019-10-09 08:22:31,987 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:22:31,987 [root] DEBUG: Loader: Injecting process 2368 (thread 0) with C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:22:32,299 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1864, handle 0x84
2019-10-09 08:22:32,299 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-09 08:22:32,440 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-09 08:22:32,690 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-09 08:22:32,753 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 08:22:32,753 [root] DEBUG: Process dumps enabled.
2019-10-09 08:22:32,753 [root] INFO: Disabling sleep skipping.
2019-10-09 08:22:32,753 [root] WARNING: Unable to place hook on LockResource
2019-10-09 08:22:32,753 [root] WARNING: Unable to hook LockResource
2019-10-09 08:22:32,767 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2368 at 0x0000000072E00000, image base 0x00000000FFA10000, stack from 0x0000000001616000-0x0000000001620000
2019-10-09 08:22:32,767 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-10-09 08:22:32,767 [root] INFO: Added new process to list with pid: 2368
2019-10-09 08:22:32,767 [root] INFO: Monitor successfully loaded in process with pid 2368.
2019-10-09 08:22:32,767 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-09 08:22:32,767 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-09 08:22:32,767 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:22:34,312 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-09 08:22:35,888 [root] DEBUG: DLL loaded at 0x000007FEF9E80000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2019-10-09 08:22:35,920 [root] DEBUG: DLL loaded at 0x000007FEFB270000: C:\Windows\system32\ATL (0x19000 bytes).
2019-10-09 08:22:35,920 [root] DEBUG: DLL loaded at 0x000007FEF9E60000: C:\Windows\system32\VssTrace (0x17000 bytes).
2019-10-09 08:22:36,309 [root] DEBUG: DLL loaded at 0x000007FEFA870000: C:\Windows\system32\samcli (0x14000 bytes).
2019-10-09 08:22:36,341 [root] DEBUG: DLL loaded at 0x000007FEFB820000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2019-10-09 08:22:36,341 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-10-09 08:22:36,480 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-10-09 08:22:36,823 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2019-10-09 08:22:37,073 [root] DEBUG: DLL loaded at 0x000007FEF9540000: C:\Windows\system32\wbem\wbemcore (0x12f000 bytes).
2019-10-09 08:22:37,089 [root] DEBUG: DLL loaded at 0x000007FEF94D0000: C:\Windows\system32\wbem\esscli (0x6f000 bytes).
2019-10-09 08:22:37,246 [root] DEBUG: DLL loaded at 0x000007FEF9A00000: C:\Windows\system32\wbem\FastProx (0xe2000 bytes).
2019-10-09 08:22:37,246 [root] DEBUG: DLL loaded at 0x000007FEF9980000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2019-10-09 08:22:37,494 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-10-09 08:22:37,526 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-10-09 08:22:37,915 [root] DEBUG: DLL loaded at 0x000007FEFCAC0000: C:\Windows\system32\authZ (0x2f000 bytes).
2019-10-09 08:22:37,915 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-10-09 08:22:37,963 [root] DEBUG: DLL loaded at 0x000007FEF90B0000: C:\Windows\system32\wbem\repdrvfs (0x73000 bytes).
2019-10-09 08:22:38,026 [root] WARNING: File at path "C:\Windows\sysnative\wbem\repository\WRITABLE.TST" does not exist, skip.
2019-10-09 08:22:38,088 [root] DEBUG: DLL loaded at 0x000007FEFCB00000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2019-10-09 08:22:38,243 [root] DEBUG: DLL unloaded from 0x000007FEFCB00000.
2019-10-09 08:22:38,930 [root] DEBUG: DLL loaded at 0x000007FEF80F0000: C:\Windows\system32\wbem\wmiprvsd (0xbc000 bytes).
2019-10-09 08:22:38,946 [root] DEBUG: DLL loaded at 0x000007FEFA0C0000: C:\Windows\system32\NCObjAPI (0x16000 bytes).
2019-10-09 08:22:39,118 [root] DEBUG: DLL loaded at 0x000007FEF6130000: C:\Windows\system32\wbem\wbemess (0x7e000 bytes).
2019-10-09 08:22:39,398 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-09 08:22:41,191 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2144
2019-10-09 08:22:41,316 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:22:41,332 [lib.api.process] INFO: 64-bit DLL to inject is C:\whyqyg\dll\lToEOtyd.dll, loader C:\whyqyg\bin\dmrTeeXr.exe
2019-10-09 08:22:41,332 [root] DEBUG: DLL loaded at 0x000007FEFBDA0000: C:\Windows\system32\wbem\ncprov (0x16000 bytes).
2019-10-09 08:22:41,332 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:22:41,348 [root] DEBUG: Loader: Injecting process 2144 (thread 2508) with C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:22:41,394 [root] DEBUG: Process image base: 0x00000000FF2E0000
2019-10-09 08:22:41,441 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:22:41,614 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF33F000 - 0x000007FEFF430000
2019-10-09 08:22:41,614 [root] DEBUG: InjectDllViaIAT: Allocated 0x234 bytes for new import table at 0x00000000FF340000.
2019-10-09 08:22:41,644 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 08:22:41,691 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:22:41,691 [root] DEBUG: DLL unloaded from 0x000007FEF7210000.
2019-10-09 08:22:41,691 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2144
2019-10-09 08:22:41,785 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2144
2019-10-09 08:22:41,785 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:22:41,785 [lib.api.process] INFO: 64-bit DLL to inject is C:\whyqyg\dll\lToEOtyd.dll, loader C:\whyqyg\bin\dmrTeeXr.exe
2019-10-09 08:22:41,894 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:22:41,971 [root] DEBUG: Loader: Injecting process 2144 (thread 2508) with C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:22:42,144 [root] DEBUG: Process image base: 0x00000000FF2E0000
2019-10-09 08:22:42,144 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:22:42,315 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-09 08:22:42,315 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:22:42,331 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2144
2019-10-09 08:22:42,440 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 08:22:42,471 [root] DEBUG: Process dumps enabled.
2019-10-09 08:22:42,533 [root] INFO: Disabling sleep skipping.
2019-10-09 08:22:42,706 [root] WARNING: Unable to place hook on LockResource
2019-10-09 08:22:42,706 [root] WARNING: Unable to hook LockResource
2019-10-09 08:22:42,877 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 08:22:42,877 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2144 at 0x0000000072E00000, image base 0x00000000FF2E0000, stack from 0x0000000000230000-0x0000000000240000
2019-10-09 08:22:42,924 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -Embedding.
2019-10-09 08:22:42,940 [root] INFO: Added new process to list with pid: 2144
2019-10-09 08:22:42,940 [root] INFO: Monitor successfully loaded in process with pid 2144.
2019-10-09 08:22:43,282 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-09 08:22:43,298 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-10-09 08:22:43,548 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-10-09 08:22:44,078 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-10-09 08:22:44,421 [root] DEBUG: DLL loaded at 0x000007FEF9D50000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2019-10-09 08:22:44,687 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-10-09 08:22:44,687 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-10-09 08:22:44,701 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-10-09 08:22:45,279 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-10-09 08:22:45,779 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-10-09 08:22:50,864 [root] DEBUG: DLL loaded at 0x000007FEFA1C0000: C:\Windows\system32\wbem\wmiprov (0x3c000 bytes).
2019-10-09 08:22:51,348 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-10-09 08:23:21,315 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\System32\wscinterop (0x28000 bytes).
2019-10-09 08:23:21,394 [root] DEBUG: DLL loaded at 0x000007FEF9B80000: C:\Windows\System32\WSCAPI (0x13000 bytes).
2019-10-09 08:23:21,394 [root] DEBUG: DLL loaded at 0x000007FEF7290000: C:\Windows\System32\wscui.cpl (0x11f000 bytes).
2019-10-09 08:23:22,017 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9B80000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:23:22,032 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9C30000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:23:22,111 [root] DEBUG: DLL loaded at 0x000007FEF5000000: C:\Windows\System32\werconcpl (0x13c000 bytes).
2019-10-09 08:23:22,188 [root] DEBUG: DLL loaded at 0x000007FEF9900000: C:\Windows\System32\framedynos (0x4c000 bytes).
2019-10-09 08:23:22,220 [root] DEBUG: DLL loaded at 0x000007FEF9690000: C:\Windows\System32\wercplsupport (0x19000 bytes).
2019-10-09 08:23:22,266 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9900000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:23:22,313 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9690000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:23:22,407 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5000000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:23:22,454 [root] DEBUG: DLL loaded at 0x000007FEF8390000: C:\Windows\System32\msxml6 (0x1f2000 bytes).
2019-10-09 08:23:22,500 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::LdrLoadDll).
2019-10-09 08:23:22,563 [root] DEBUG: DLL loaded at 0x000007FEFA540000: C:\Windows\System32\hcproviders (0xb000 bytes).
2019-10-09 08:23:22,595 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA540000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:23:22,641 [root] DEBUG: DLL loaded at 0x000007FEF8070000: C:\Program Files\Internet Explorer\ieproxy (0x73000 bytes).
2019-10-09 08:23:22,657 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8070000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:23:24,934 [root] DEBUG: DLL unloaded from 0x000007FEFB0D0000.
2019-10-09 08:23:39,490 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-09 08:23:43,374 [root] INFO: Announced 64-bit process name: taskhost.exe pid: 1980
2019-10-09 08:23:43,374 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-09 08:23:43,421 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 08:23:43,421 [lib.api.process] INFO: 64-bit DLL to inject is C:\whyqyg\dll\lToEOtyd.dll, loader C:\whyqyg\bin\dmrTeeXr.exe
2019-10-09 08:23:43,608 [root] ERROR: Traceback (most recent call last):
  File "C:\whyqyg\lib\core\log.py", line 79, in run
    self.handle_logs()
  File "C:\whyqyg\lib\core\log.py", line 61, in handle_logs
    data += buf.raw[:bytes_read.value]
MemoryError
2019-10-09 08:23:43,733 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xHTHuKTTB.
2019-10-09 08:23:43,733 [root] DEBUG: Loader: Injecting process 1980 (thread 0) with C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:23:43,733 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1688, handle 0x84
2019-10-09 08:23:43,733 [root] DEBUG: Process image base: 0x00000000FFC30000
2019-10-09 08:23:43,749 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-09 08:23:43,749 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-09 08:23:43,749 [root] DEBUG: Error 1455 (0x5af) - InjectDllViaThread: RtlCreateUserThread injection failed: (null)
2019-10-09 08:23:43,749 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-10-09 08:23:43,749 [root] DEBUG: Failed to inject DLL C:\whyqyg\dll\lToEOtyd.dll.
2019-10-09 08:23:43,795 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1980, error: -8
2019-10-09 08:23:44,184 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-10-09 08:23:52,750 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-09 08:24:07,007 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-09 08:24:37,770 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-09 08:24:37,770 [root] INFO: Created shutdown mutex.
2019-10-09 08:24:38,785 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 3012
2019-10-09 08:24:38,785 [root] DEBUG: Terminate Event: Attempting to dump process 3012
2019-10-09 08:24:38,785 [root] INFO: Terminate event set for process 3012.
2019-10-09 08:24:38,785 [root] INFO: Terminating process 3012 before shutdown.
2019-10-09 08:24:38,785 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00300000.
2019-10-09 08:24:38,785 [root] INFO: Waiting for process 3012 to exit.
2019-10-09 08:24:38,832 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00300000.
2019-10-09 08:24:38,832 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001C9A.
2019-10-09 08:24:38,940 [root] INFO: Added new CAPE file to list with path: C:\kMfdnmcF\CAPE\3012_7939795323824793102019
2019-10-09 08:24:38,973 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa1e00.
2019-10-09 08:24:38,973 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Local\Temp\~DFE9122BA5B7BC9343.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Local\\Temp\\~DFE9122BA5B7BC9343.TMP'
2019-10-09 08:24:39,019 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Local\Temp\~DF387B5CB21C3A5058.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Local\\Temp\\~DF387B5CB21C3A5058.TMP'
2019-10-09 08:24:39,051 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 3012
2019-10-09 08:24:39,799 [root] INFO: Terminating process 2320 before shutdown.
2019-10-09 08:24:39,799 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 3056
2019-10-09 08:24:39,799 [root] DEBUG: Terminate Event: Attempting to dump process 3056
2019-10-09 08:24:39,799 [root] INFO: Terminate event set for process 3056.
2019-10-09 08:24:39,799 [root] INFO: Terminating process 3056 before shutdown.
2019-10-09 08:24:39,799 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF7E0000.
2019-10-09 08:24:39,799 [root] INFO: Waiting for process 3056 to exit.
2019-10-09 08:24:39,799 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF7E0000.
2019-10-09 08:24:39,831 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2019-10-09 08:24:39,940 [root] INFO: Added new CAPE file to list with path: C:\kMfdnmcF\CAPE\3056_19398820313924793102019
2019-10-09 08:24:39,970 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2baa00.
2019-10-09 08:24:39,970 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 3056
2019-10-09 08:24:40,828 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2144
2019-10-09 08:24:40,828 [root] INFO: Terminate event set for process 2144.
2019-10-09 08:24:40,828 [root] INFO: Terminating process 2144 before shutdown.
2019-10-09 08:24:40,828 [root] DEBUG: Terminate Event: Attempting to dump process 2144
2019-10-09 08:24:40,828 [root] INFO: Waiting for process 2144 to exit.
2019-10-09 08:24:40,828 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF2E0000.
2019-10-09 08:24:40,828 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF2E0000.
2019-10-09 08:24:40,828 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000A9B4.
2019-10-09 08:24:40,859 [root] INFO: Added new CAPE file to list with path: C:\kMfdnmcF\CAPE\2144_17473646484024793102019
2019-10-09 08:24:40,875 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x5a400.
2019-10-09 08:24:40,875 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2144
2019-10-09 08:24:40,891 [root] DEBUG: DLL loaded at 0x000007FEFA780000: C:\Windows\system32\actxprxy (0xee000 bytes).
2019-10-09 08:24:40,907 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA780000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-09 08:24:41,842 [root] INFO: Shutting down package.
2019-10-09 08:24:41,842 [root] INFO: Stopping auxiliary modules.
2019-10-09 08:24:41,842 [root] INFO: Finishing auxiliary modules.
2019-10-09 08:24:41,842 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-09 08:24:41,842 [root] WARNING: File at path "C:\kMfdnmcF\debugger" does not exist, skip.
2019-10-09 08:24:41,842 [root] WARNING: Monitor injection attempted but failed for process 1.
2019-10-09 08:24:41,842 [root] WARNING: Monitor injection attempted but failed for process 1980.
2019-10-09 08:24:41,842 [root] INFO: Analysis completed.
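Reading the log above as a triage record: iexplore.exe (pid 3012) and the processes it spawned were hooked and had their images dumped at shutdown, but the monitor could not be injected into taskhost.exe (pid 1980). Error 1455 is ERROR_COMMITMENT_LIMIT, and together with the MemoryError raised inside the analyzer's own log reader it points at the guest running out of commit rather than at the target resisting injection. Whatever that process did is therefore missing from the report, and the signature hits below have to be weighed against that gap. The following Python is an added example for this page, not CAPE's own code: it pulls the coverage facts out of analyzer-log lines and buckets the signature section's DynamicLoader entries by capability. The sample lines are constructed from this report; the WIN32_ERRORS map and the capability buckets are the example's own choice; and treating an entry with an empty function name such as comctl32.dll/ as an import resolved by ordinal is an assumption about why CAPE prints no name.

```python
"""Coverage and capability triage for a CAPE analyzer log plus its signature list.

Added example for this page; it is not CAPE's own code.  Sample lines are
constructed from the report above, and the capability buckets are this
example's own choice, not a CAPE signature.
"""
import re
from collections import defaultdict

ANNOUNCE_RE = re.compile(r"Announced (?:32|64)-bit process name: (\S+) pid: (\d+)")
INJECT_FAIL_RE = re.compile(r"Monitor injection attempted but failed for process (\d+)")
INJECT_ERR_RE = re.compile(r"Error (\d+) \(0x[0-9a-fA-F]+\) - (\w+):")
DUMP_RE = re.compile(r"Added new CAPE file to list with path: \S*[\\/](\d+)_\d+")
# Win32 error names this example knows about; 1455 (0x5af) means the guest
# ran out of commit, which is a sandbox problem rather than an evasion.
WIN32_ERRORS = {1455: "ERROR_COMMITMENT_LIMIT"}


def parse_analyzer_log(lines):
    """Return which PIDs escaped the monitor, which were dumped, the injection
    errors seen, and whether the log reader itself died (a MemoryError there
    means the behavioural record is partial)."""
    names, failed, dumped, errors = {}, set(), set(), []
    log_reader_failed = False
    for line in lines:
        if m := ANNOUNCE_RE.search(line):
            names[int(m.group(2))] = m.group(1)
        elif m := INJECT_FAIL_RE.search(line):
            failed.add(int(m.group(1)))
        elif m := INJECT_ERR_RE.search(line):
            code = int(m.group(1))
            errors.append((code, WIN32_ERRORS.get(code, "unknown"), m.group(2)))
        elif m := DUMP_RE.search(line):
            dumped.add(int(m.group(1)))
        elif line.strip() == "MemoryError":
            log_reader_failed = True
    return {
        "unmonitored": {pid: names.get(pid, "?") for pid in sorted(failed)},
        "dumped": sorted(dumped),
        "inject_errors": errors,
        "log_reader_failed": log_reader_failed,
    }


DEAD_IP_RE = re.compile(r"IP: (\d{1,3}(?:\.\d{1,3}){3}):(\d+) \(([^)]*)\)")
DYNLOAD_RE = re.compile(r"DynamicLoader: ([\w.]+)/(\w*)")
# Buckets chosen for this example.  A browser legitimately hits every one of
# them, so for an IE task the question is only whether anything falls outside.
CAPABILITIES = {
    "credential_access": {"CryptUnprotectData"},
    "process_create": {"CreateProcessA", "CreateProcessW"},
    "hooking": {"SetWindowsHookExA", "SetWindowsHookExW"},
    "memory_protect": {"VirtualProtect", "VirtualProtectEx"},
    "network": {"URLDownloadToFileW", "WinHttpSendRequest", "WSASocketW", "GetAddrInfoW"},
}


def triage_signatures(lines):
    """Collect dead endpoints and bucket DynamicLoader entries by capability.
    An empty function name (e.g. 'comctl32.dll/') is counted separately; this
    example assumes CAPE prints none when the import was resolved by ordinal."""
    dead, caps, total, ordinal_only = [], defaultdict(set), 0, 0
    for line in lines:
        if m := DEAD_IP_RE.search(line):
            dead.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := DYNLOAD_RE.search(line):
            total += 1
            dll, func = m.groups()
            if not func:
                ordinal_only += 1
                continue
            for cap, funcs in CAPABILITIES.items():
                if func in funcs:
                    caps[cap].add(f"{dll}/{func}")
    return {"dead_endpoints": dead, "dynamic_loads": total, "ordinal_only": ordinal_only,
            "capabilities": {k: sorted(v) for k, v in sorted(caps.items())}}


# Constructed from lines of the report above.
SAMPLE_LOG = r"""
2019-10-09 08:23:43,374 [root] INFO: Announced 64-bit process name: taskhost.exe pid: 1980
2019-10-09 08:23:43,749 [root] DEBUG: Error 1455 (0x5af) - InjectDllViaThread: RtlCreateUserThread injection failed: (null)
MemoryError
2019-10-09 08:24:38,940 [root] INFO: Added new CAPE file to list with path: C:\kMfdnmcF\CAPE\3012_7939795323824793102019
2019-10-09 08:24:39,940 [root] INFO: Added new CAPE file to list with path: C:\kMfdnmcF\CAPE\3056_19398820313924793102019
2019-10-09 08:24:41,842 [root] WARNING: Monitor injection attempted but failed for process 1.
2019-10-09 08:24:41,842 [root] WARNING: Monitor injection attempted but failed for process 1980.
""".strip().splitlines()

SAMPLE_SIGS = """
Attempts to connect to a dead IP:Port (4 unique times)
IP: 72.247.177.169:80 (Netherlands)
IP: 93.184.220.29:80 (Europe)
IP: 204.79.197.200:80 (United States)
IP: 31.13.66.19:443 (Ireland)
Dynamic (imported) function loading detected
DynamicLoader: comctl32.dll/
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: CRYPT32.dll/CryptUnprotectData
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: ws2_32.DLL/
""".strip().splitlines()

if __name__ == "__main__":
    print(parse_analyzer_log(SAMPLE_LOG))
    print(triage_signatures(SAMPLE_SIGS))
```

For a browser task nearly every bucket is expected: this IE run resolves CryptUnprotectData, CreateProcessW and SetWindowsHookExW in the course of normal operation, as the signature list shows, so the useful output is the set of loads that fall outside a browser baseline, not the raw count, and an "unmonitored" entry is the first thing to check before trusting a low score.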

MalScore

5.0

Suspicious

Machine

Name       Label      Manager  Started On           Shutdown On
target-01  target-01  ESX      2019-10-09 07:21:06  2019-10-09 07:24:56

URL Details

URL
https://scontent-iad3-1.xx.fbcdn.net/v/t1.0-0/s280x280/70929350_2869861603028062_5754662131123355648_n.jpg?_nc_cat=110&_nc_oc=AQmkuL4QgYxV5VpxGFAir1kO7gEbMHHJXq51yXqG9lBS8G4jbxCrqgniLlZuW8nyPRQ&_nc_ht=scontent-iad3-1.xx&oh=2d5adbdcdc9d0a67cbad0538ffd643fd&oe=5E354076

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Attempts to connect to a dead IP:Port (4 unique times)
IP: 72.247.177.169:80 (Netherlands)
IP: 93.184.220.29:80 (Europe)
IP: 204.79.197.200:80 (United States)
IP: 31.13.66.19:443 (Ireland)
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: WmiPrvSE.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: comctl32.dll/LoadIconWithScaleDown
DynamicLoader: IEUI.dll/InitGadgets
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: propsys.dll/PSGetPropertyKeyFromName
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: comctl32.dll/ImageList_LoadImageW
DynamicLoader: comctl32.dll/ImageList_GetIconSize
DynamicLoader: UxTheme.dll/IsCompositionActive
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/ImageList_Create
DynamicLoader: comctl32.dll/ImageList_ReplaceIcon
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/ImageList_AddMasked
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: MSCTF.dll/SetInputScopes2
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: urlmon.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PSPropertyBag_WriteStr
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PSPropertyBag_WriteGUID
DynamicLoader: propsys.dll/PSPropertyBag_ReadGUID
DynamicLoader: IEUI.dll/CreateGadget
DynamicLoader: IEUI.dll/SetGadgetMessageFilter
DynamicLoader: IEUI.dll/SetGadgetStyle
DynamicLoader: IEUI.dll/SetGadgetRootInfo
DynamicLoader: xmllite.dll/CreateXmlReader
DynamicLoader: xmllite.dll/CreateXmlReaderInputWithEncodingName
DynamicLoader: IEUI.dll/FindStdColor
DynamicLoader: IEUI.dll/InvalidateGadget
DynamicLoader: IEUI.dll/SetGadgetParent
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: IEUI.dll/GetGadgetTicket
DynamicLoader: IEUI.dll/SetGadgetRect
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: kernel32.dll/GetThreadUILanguage
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: SHELL32.dll/SHGetInstanceExplorer
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: IEUI.dll/PeekMessageExW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: RPCRT4.dll/RpcBindingToStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringBindingParseW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/I_RpcBindingInqLocalClientPID
DynamicLoader: RPCRT4.dll/RpcServerInqCallAttributesW
DynamicLoader: RPCRT4.dll/RpcImpersonateClient
DynamicLoader: RPCRT4.dll/RpcRevertToSelf
DynamicLoader: RPCRT4.dll/NdrServerCall2
DynamicLoader: RPCRT4.dll/RpcBindingInqObject
DynamicLoader: msfeeds.dll/MsfeedsCreateInstance
DynamicLoader: SHELL32.dll/SHGetSpecialFolderPathW
DynamicLoader: SHELL32.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/FindFirstUrlCacheContainerW
DynamicLoader: WININET.dll/FindNextUrlCacheContainerW
DynamicLoader: WININET.dll/FindCloseUrlCache
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: MSIMG32.dll/GradientFill
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: IEUI.dll/WaitMessageEx
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDToProxyStubCLSID
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDToTLBPath
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/PSGetPropertyDescription
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: propsys.dll/PropVariantToString
DynamicLoader: propsys.dll/InitPropVariantFromStringAsVector
DynamicLoader: propsys.dll/PSCoerceToCanonicalValue
DynamicLoader: USP10.dll/ScriptIsComplex
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: SHELL32.dll/SHGetKnownFolderPath
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabledForUrl
DynamicLoader: MSIMG32.dll/AlphaBlend
DynamicLoader: urlmon.dll/CreateUri
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoW
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: RPCRT4.dll/UuidCreateSequential
DynamicLoader: ole32.dll/StgOpenStorageEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: USER32.dll/CharLowerW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPT32.dll/CryptUnprotectData
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: IEUI.dll/FindGadgetFromPoint
DynamicLoader: IEUI.dll/DUserSendEvent
DynamicLoader: IEUI.dll/GetGadgetRect
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: SHELL32.dll/SetCurrentProcessExplicitAppUserModelID
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: IEFRAME.dll/
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: comctl32.dll/PropertySheetW
DynamicLoader: comctl32.dll/PropertySheetA
DynamicLoader: comdlg32.dll/PageSetupDlgW
DynamicLoader: comdlg32.dll/PrintDlgW
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: IEShims.dll/IEShims_Initialize
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: USER32.dll/FindWindowExA
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: ADVAPI32.dll/RegQueryValueA
DynamicLoader: ntdll.dll/LdrRegisterDllNotification
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
DynamicLoader: kernel32.dll/WerUnregisterMemoryBlock
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: RPCRT4.dll/RpcServerUseProtseqW
DynamicLoader: RPCRT4.dll/RpcServerRegisterIfEx
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: RPCRT4.dll/RpcServerInqBindings
DynamicLoader: RPCRT4.dll/RpcEpRegisterW
DynamicLoader: RPCRT4.dll/RpcServerListen
DynamicLoader: SHELL32.dll/SHGetInstanceExplorer
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: urlmon.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/TraceMessage
DynamicLoader: ADVAPI32.dll/TraceMessageVa
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: sqmapi.dll/SqmGetSession
DynamicLoader: sqmapi.dll/SqmEndSession
DynamicLoader: sqmapi.dll/SqmStartSession
DynamicLoader: sqmapi.dll/SqmStartUpload
DynamicLoader: sqmapi.dll/SqmWaitForUploadComplete
DynamicLoader: sqmapi.dll/SqmSet
DynamicLoader: sqmapi.dll/SqmSetBool
DynamicLoader: sqmapi.dll/SqmSetBits
DynamicLoader: sqmapi.dll/SqmSetString
DynamicLoader: sqmapi.dll/SqmIncrement
DynamicLoader: sqmapi.dll/SqmSetIfMax
DynamicLoader: sqmapi.dll/SqmSetIfMin
DynamicLoader: sqmapi.dll/SqmAddToAverage
DynamicLoader: sqmapi.dll/SqmAddToStreamDWord
DynamicLoader: sqmapi.dll/SqmAddToStreamString
DynamicLoader: sqmapi.dll/SqmSetAppId
DynamicLoader: sqmapi.dll/SqmSetAppVersion
DynamicLoader: sqmapi.dll/SqmSetMachineId
DynamicLoader: sqmapi.dll/SqmSetUserId
DynamicLoader: sqmapi.dll/SqmCreateNewId
DynamicLoader: sqmapi.dll/SqmReadSharedMachineId
DynamicLoader: sqmapi.dll/SqmReadSharedUserId
DynamicLoader: sqmapi.dll/SqmWriteSharedMachineId
DynamicLoader: sqmapi.dll/SqmWriteSharedUserId
DynamicLoader: sqmapi.dll/SqmIsWindowsOptedIn
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PSPropertyBag_WriteStr
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PSPropertyBag_WriteGUID
DynamicLoader: propsys.dll/PSPropertyBag_ReadGUID
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: SHELL32.dll/SHChangeNotifyRegisterThread
DynamicLoader: comctl32.dll/
DynamicLoader: IEShims.dll/IEShims_SetRedirectRegistryForThread
DynamicLoader: RPCRT4.dll/RpcBindingToStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringBindingParseW
DynamicLoader: RPCRT4.dll/I_RpcBindingInqLocalClientPID
DynamicLoader: RPCRT4.dll/RpcServerInqCallAttributesW
DynamicLoader: RPCRT4.dll/RpcImpersonateClient
DynamicLoader: RPCRT4.dll/RpcRevertToSelf
DynamicLoader: RPCRT4.dll/NdrServerCall2
DynamicLoader: RPCRT4.dll/RpcBindingInqObject
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: comctl32.dll/ImageList_Destroy
DynamicLoader: comctl32.dll/ImageList_LoadImageW
DynamicLoader: comctl32.dll/ImageList_Add
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoExW
DynamicLoader: MLANG.dll/
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoExA
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: WININET.dll/InternetQueryOptionA
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: urlmon.dll/
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: AcroIEHelper.dll/StubInit
DynamicLoader: AcroIEHelper.dll/StubSetSite
DynamicLoader: AcroIEHelper.dll/StubOnQuit
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueA
DynamicLoader: urlmon.dll/CreateUri
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: ADVAPI32.dll/AddMandatoryAce
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoW
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: RASAPI32.dll/RasEnumEntriesW
DynamicLoader: rtutils.dll/TraceRegisterExA
DynamicLoader: rtutils.dll/TracePrintfExA
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: SHLWAPI.dll/PathCanonicalizeW
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: sensapi.dll/IsNetworkAlive
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: NLAapi.dll/NSPStartup
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: comctl32.dll/ImageList_Create
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/ImageList_AddMasked
DynamicLoader: comctl32.dll/LoadIconWithScaleDown
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/ImageList_ReplaceIcon
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: urlmon.dll/CreateURLMonikerEx
DynamicLoader: urlmon.dll/CreateAsyncBindCtxEx
DynamicLoader: urlmon.dll/RegisterBindStatusCallback
DynamicLoader: urlmon.dll/CreateFormatEnumerator
DynamicLoader: urlmon.dll/UrlMkGetSessionOption
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: MLANG.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: urlmon.dll/CreateIUriBuilder
DynamicLoader: urlmon.dll/IntlPercentEncodeNormalize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: USER32.dll/ChangeWindowMessageFilter
DynamicLoader: DWMAPI.DLL/DwmSetWindowAttribute
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabledForUrl
DynamicLoader: CRYPTSP.dll/SystemFunction035
DynamicLoader: schannel.DLL/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: CRYPT32.dll/CertDuplicateStore
DynamicLoader: CRYPT32.dll/CertControlStore
DynamicLoader: CRYPT32.dll/CertCloseStore
DynamicLoader: Secur32.dll/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: wintrust.dll/HTTPSCertificateTrust
DynamicLoader: wintrust.dll/HTTPSFinalProv
DynamicLoader: wintrust.dll/SoftpubInitialize
DynamicLoader: wintrust.dll/SoftpubLoadMessage
DynamicLoader: wintrust.dll/SoftpubLoadSignature
DynamicLoader: wintrust.dll/SoftpubCheckCert
DynamicLoader: wintrust.dll/SoftpubCleanup
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: iphlpapi.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: iphlpapi.DLL/GetIfEntry2
DynamicLoader: iphlpapi.DLL/GetIpForwardTable2
DynamicLoader: iphlpapi.DLL/GetIpNetEntry2
DynamicLoader: iphlpapi.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: WINHTTP.dll/WinHttpGetProxyForUrl
DynamicLoader: WINHTTP.dll/WinHttpTimeFromSystemTime
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: ws2_32.DLL/GetAddrInfoW
DynamicLoader: ws2_32.DLL/WSASocketW
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/WSAIoctl
DynamicLoader: ws2_32.DLL/FreeAddrInfoW
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/WSARecv
DynamicLoader: ws2_32.DLL/WSASend
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: UxTheme.dll/BufferedPaintInit
DynamicLoader: UxTheme.dll/BufferedPaintRenderAnimation
DynamicLoader: UxTheme.dll/BeginBufferedAnimation
DynamicLoader: UxTheme.dll/DrawThemeParentBackground
DynamicLoader: UxTheme.dll/EndBufferedAnimation
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateChain
DynamicLoader: CRYPT32.dll/CertGetCertificateContextProperty
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: SHELL32.dll/SHCreateAssociationRegistration
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoA
DynamicLoader: urlmon.dll/CoInternetQueryInfo
DynamicLoader: WININET.dll/CommitUrlCacheEntryA
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IEFRAME.dll/
DynamicLoader: urlmon.dll/RegisterFormatEnumerator
DynamicLoader: urlmon.dll/RevokeBindStatusCallback
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: urlmon.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabled
DynamicLoader: OLEAUT32.dll/VariantClear
DynamicLoader: urlmon.dll/
DynamicLoader: WININET.dll/InternetGetSecurityInfoByURLW
DynamicLoader: CRYPT32.dll/CertGetCertificateContextProperty
DynamicLoader: CRYPT32.dll/CryptDecodeObject
DynamicLoader: CRYPT32.dll/CryptDecodeObject
DynamicLoader: CRYPT32.dll/CertGetNameStringW
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: urlmon.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/InitPropVariantFromStringAsVector
DynamicLoader: propsys.dll/PSCoerceToCanonicalValue
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: OLEAUT32.dll/BSTR_UserSize
DynamicLoader: OLEAUT32.dll/BSTR_UserMarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserUnmarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserFree
DynamicLoader: OLEAUT32.dll/VARIANT_UserSize
DynamicLoader: OLEAUT32.dll/VARIANT_UserMarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserUnmarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserFree
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserSize
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserMarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserUnmarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserFree
DynamicLoader: urlmon.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: WININET.dll/FindFirstUrlCacheContainerA
DynamicLoader: WININET.dll/FindNextUrlCacheContainerA
DynamicLoader: WININET.dll/FindCloseUrlCache
DynamicLoader: WININET.dll/CreateUrlCacheContainerA
DynamicLoader: WININET.dll/CommitUrlCacheEntryW
DynamicLoader: urlmon.dll/
DynamicLoader: WININET.dll/InternetGetConnectedState
DynamicLoader: OLEAUT32.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/URLDownloadToCacheFileW
DynamicLoader: ncrypt.dll/SslDecrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslFreeObject
DynamicLoader: DWMAPI.DLL/DwmInvalidateIconicBitmaps
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: WININET.dll/DeleteUrlCacheEntryW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ws2_32.DLL/
DynamicLoader: PROPSYS.dll/PSCoerceToCanonicalValue
DynamicLoader: OLEAUT32.dll/BSTR_UserSize
DynamicLoader: OLEAUT32.dll/BSTR_UserMarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserUnmarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserFree
DynamicLoader: OLEAUT32.dll/VARIANT_UserSize
DynamicLoader: OLEAUT32.dll/VARIANT_UserMarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserUnmarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserFree
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserSize
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserMarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserUnmarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserFree
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: WINSTA.dll/WinStationRegisterConsoleNotification
DynamicLoader: RPCRT4.dll/RpcAsyncInitializeHandle
DynamicLoader: WTSAPI32.dll/WTSRegisterSessionNotification
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: WINSTA.dll/WinStationRegisterConsoleNotification
DynamicLoader: RPCRT4.dll/Ndr64AsyncClientCall
DynamicLoader: DUI70.dll/InitProcessPriv
DynamicLoader: DUI70.dll/InitThread
DynamicLoader: USER32.dll/RegisterMessagePumpHook
DynamicLoader: DUI70.dll/?GetClassInfoPtr@Element@DirectUI@@SAPEAUIClassInfo@2@XZ
DynamicLoader: DUI70.dll/?GetFactoryLock@Element@DirectUI@@SAPEAU_RTL_CRITICAL_SECTION@@XZ
DynamicLoader: DUI70.dll/??0CritSecLock@DirectUI@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
DynamicLoader: DUI70.dll/?ClassExist@ClassInfoBase@DirectUI@@SA_NPEAPEAUIClassInfo@2@PEBQEBUPropertyInfo@2@IPEAU32@PEAUHINSTANCE__@@PEBG_N@Z
DynamicLoader: DUI70.dll/??0ClassInfoBase@DirectUI@@QEAA@XZ
DynamicLoader: DUI70.dll/?Initialize@ClassInfoBase@DirectUI@@QEAAJPEAUHINSTANCE__@@PEBG_NPEBQEBUPropertyInfo@2@I@Z
DynamicLoader: DUI70.dll/?Register@ClassInfoBase@DirectUI@@QEAAJXZ
DynamicLoader: DUI70.dll/?IsGlobal@ClassInfoBase@DirectUI@@UEBA_NXZ
DynamicLoader: DUI70.dll/?GetName@ClassInfoBase@DirectUI@@UEBAPEBGXZ
DynamicLoader: DUI70.dll/?GetModule@ClassInfoBase@DirectUI@@UEBAPEAUHINSTANCE__@@XZ
DynamicLoader: DUI70.dll/??1CritSecLock@DirectUI@@QEAA@XZ
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: UxTheme.dll/IsCompositionActive
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: SHELL32.dll/SHAppBarMessage
DynamicLoader: POWRPROF.dll/PowerSettingRegisterNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: SHELL32.dll/SHFileOperationW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/InitPropVariantFromBuffer
DynamicLoader: PROPSYS.dll/PropVariantToBuffer
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: srvcli.dll/NetShareGetInfo
DynamicLoader: sechost.dll/NotifyServiceStatusChangeW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: comctl32.dll/
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ncsi.dll/NcsiIdentifyUserSpecificProxies
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: CSCAPI.dll/OfflineFilesQueryStatus
DynamicLoader: ADVAPI32.dll/RegNotifyChangeKeyValue
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: WINTRUST.dll/WinVerifyTrust
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: comctl32.dll/
DynamicLoader: USER32.dll/ChangeWindowMessageFilter
DynamicLoader: webcheck.dll/SystemFunction009
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/IsValidSid
DynamicLoader: ADVAPI32.dll/GetLengthSid
DynamicLoader: ADVAPI32.dll/CopySid
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: Wlanapi.dll/WlanOpenHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/VariantCompare
DynamicLoader: OLEAUT32.dll/BSTR_UserUnmarshal64
DynamicLoader: comctl32.dll/
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcAsyncInitializeHandle
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/Ndr64AsyncClientCall
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/DPA_Create
DynamicLoader: comctl32.dll/DPA_InsertPtr
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SSPICLI.DLL/GetUserNameExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: fxsst.dll/FaxMonitorStartup
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: fxsst.dll/IsFaxMessage
DynamicLoader: fxsst.dll/FaxMonitorShutdown
DynamicLoader: POWRPROF.dll/PowerSettingRegisterNotification
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: ADVAPI32.dll/RegNotifyChangeKeyValue
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/IsValidSid
DynamicLoader: ADVAPI32.dll/GetLengthSid
DynamicLoader: ADVAPI32.dll/CopySid
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SHELL32.dll/SHGetFolderPathEx
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: comctl32.dll/DPA_Create
DynamicLoader: comctl32.dll/DPA_Search
DynamicLoader: comctl32.dll/DPA_InsertPtr
DynamicLoader: WSCAPI.dll/WscGetSecurityProviderHealth
DynamicLoader: comctl32.dll/LoadIconMetric
DynamicLoader: WINTRUST.dll/DllCanUnloadNow
DynamicLoader: WINTRUST.dll/CryptSIPPutSignedDataMsg
DynamicLoader: WINTRUST.dll/CryptSIPGetSignedDataMsg
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: pcwum.dll/PerfDeleteInstance
DynamicLoader: pcwum.dll/PerfStopProvider
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/WmiCloseBlock
DynamicLoader: PROPSYS.dll/PropVariantToVariant
DynamicLoader: ole32.dll/CoDisconnectObject
DynamicLoader: wbemcore.dll/Shutdown
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoDisconnectObject
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ADVAPI32.dll/RegDeleteKeyExW
DynamicLoader: kernel32.dll/RegDeleteValueW
DynamicLoader: WTSAPI32.dll/WTSQueryUserToken
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/LookupAccountSidLocalW
Performs HTTP requests potentially not found in PCAP.
url: scontent-iad3-1.xx.fbcdn.net:443//v/t1.0-0/s280x280/70929350_2869861603028062_5754662131123355648_n.jpg?_nc_cat=110&_nc_oc=AQmkuL4QgYxV5VpxGFAir1kO7gEbMHHJXq51yXqG9lBS8G4jbxCrqgniLlZuW8nyPRQ&_nc_ht=scontent-iad3-1.xx&oh=2d5adbdcdc9d0a67cbad0538ffd643fd&oe=5E354076

Screenshots


Hosts

Direct IP Country Name
N 93.184.220.29 [VT] Europe
Y 8.8.8.8 [VT] United States
N 72.247.177.169 [VT] Netherlands
N 31.13.66.19 [VT] Ireland
N 204.79.197.200 [VT] United States
N 104.86.110.88 [VT] Netherlands

DNS

Name Response Post-Analysis Lookup
scontent-iad3-1.xx.fbcdn.net [VT] A 31.13.66.19 [VT]
www.download.windowsupdate.com [VT] A 72.247.177.161 [VT]
A 72.247.177.169 [VT]
CNAME 2-01-3cf7-0009.cdx.cedexis.net [VT]
CNAME download.windowsupdate.com.edgesuite.net [VT]
A 72.247.177.83 [VT]
CNAME a767.dspw65.akamai.net [VT]
ocsp.digicert.com [VT] A 93.184.220.29 [VT]
CNAME cs9.wac.phicdn.net [VT]
www.bing.com [VT] CNAME dual-a-0001.a-msedge.net [VT]
CNAME a-0001.a-afdentry.net.trafficmanager.net [VT]
A 204.79.197.200 [VT]
A 13.107.21.200 [VT]
crl.microsoft.com [VT] A 104.86.110.73 [VT]
A 104.86.110.88 [VT]
CNAME crl.www.ms.akadns.net [VT]
CNAME a1363.dscg.akamai.net [VT]

Summary

Process Tree

  • iexplore.exe 3012 "https://scontent-iad3-1.xx.fbcdn.net/v/t1.0-0/s280x280/70929350_2869861603028062_5754662131123355648_n.jpg?_nc_cat=110&_nc_oc=AQmkuL4QgYxV5VpxGFAir1kO7gEbMHHJXq51yXqG9lBS8G4jbxCrqgniLlZuW8nyPRQ&_nc_h ...(truncated)
  • explorer.exe 1632
  • explorer.exe 3056 explorer.exe
  • svchost.exe 816 C:\Windows\system32\svchost.exe -k netsvcs
  • svchost.exe 564 C:\Windows\system32\svchost.exe -k DcomLaunch
    • WmiPrvSE.exe 2144 C:\Windows\system32\wbem\wmiprvse.exe -Embedding

iexplore.exe, PID: 3012, Parent PID: 2480
Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "https://scontent-iad3-1.xx.fbcdn.net/v/t1.0-0/s280x280/70929350_2869861603028062_5754662131123355648_n.jpg?_nc_cat=110&_nc_oc=AQmkuL4QgYxV5VpxGFAir1kO7gEbMHHJXq51yXqG9lBS8G4jbxCrqgniLlZuW8nyPRQ&_nc_ht=scontent-iad3-1.xx&oh=2d5adbdcdc9d0a67cbad0538ffd643fd&oe=5E354076"
iexplore.exe, PID: 2320, Parent PID: 3012
Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3012 CREDAT:79873
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE
explorer.exe, PID: 3056, Parent PID: 400
Full Path: C:\Windows\explorer.exe
Command Line: explorer.exe
svchost.exe, PID: 816, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
svchost.exe, PID: 564, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k DcomLaunch
WmiPrvSE.exe, PID: 2144, Parent PID: 564
Full Path: C:\Windows\sysnative\wbem\WmiPrvSE.exe
Command Line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding

TCP

Source Source Port Destination Destination Port
192.168.35.21 49193 104.86.110.88 crl.microsoft.com 80
192.168.35.21 49181 204.79.197.200 www.bing.com 80
192.168.35.21 49171 31.13.66.19 scontent-iad3-1.xx.fbcdn.net 443
192.168.35.21 49188 31.13.66.19 scontent-iad3-1.xx.fbcdn.net 443
192.168.35.21 49173 72.247.177.169 www.download.windowsupdate.com 80
192.168.35.21 49176 93.184.220.29 ocsp.digicert.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53
192.168.35.21 65365 8.8.8.8 53
192.168.35.21 65426 8.8.8.8 53

HTTP Requests

URI Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 19 Apr 2017 22:43:31 GMT
If-None-Match: "80ab755e5eb9d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAUpDpu%2BF77tg1UDASST0Kw%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAUpDpu%2BF77tg1UDASST0Kw%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

http://www.bing.com/favicon.ico
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.bing.com
Connection: Keep-Alive

http://crl.microsoft.com/pki/crl/products/WinPCA.crl
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 02 Dec 2015 18:30:06 GMT
If-None-Match: "0cb60772f2dd11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
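
The two ocsp.digicert.com requests above carry the whole OCSP request in the URL path: the DER-encoded OCSPRequest is base64-encoded and then URL-escaped (the %2B, %2F and %3D are "+", "/" and "="), which is the GET form defined in RFC 6960 appendix A.1. Decoding the path recovers the CertID fields (issuer name hash, issuer key hash, serial number) and therefore tells the analyst which certificate of the fbcdn.net chain CryptoAPI was checking in each request. The Python below is an added example, not part of the sandbox report; it uses only the standard library, walks the handful of DER tags an OCSPRequest contains, and takes its OCSP_PATHS constant verbatim from the two requests logged above.

```python
"""Decode OCSP-over-GET request paths (RFC 6960, A.1) into their CertID fields.

Added example, not part of the sandbox report. The DER walker below only
handles what an OCSPRequest needs: SEQUENCE, OBJECT IDENTIFIER, NULL,
OCTET STRING and INTEGER with short- or long-form lengths.
"""
import base64
import urllib.parse

SHA1_OID = bytes.fromhex("2b0e03021a")   # 1.3.14.3.2.26, the CertID hash CryptoAPI uses

# Request paths copied verbatim from the two ocsp.digicert.com entries in the HTTP log.
OCSP_PATHS = [
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D",
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAUpDpu%2BF77tg1UDASST0Kw%3D",
]


def der_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed value into a list of (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_tlv(content, pos)
        out.append((tag, value))
    return out


def decode_ocsp_get(path):
    """Parse one OCSP GET path and return the CertID of every Request it carries."""
    raw = base64.b64decode(urllib.parse.unquote(path.lstrip("/")))
    tag, ocsp_request, end = der_tlv(raw)
    if tag != 0x30 or end != len(raw):
        raise ValueError("path does not decode to a single DER SEQUENCE")
    tbs_request = der_children(ocsp_request)[0][1]
    # TBSRequest may begin with [0] version and [1] requestorName (context tags);
    # requestList is its first universal SEQUENCE.
    request_list = next(c for t, c in der_children(tbs_request) if t == 0x30)
    cert_ids = []
    for _, request in der_children(request_list):
        cert_id = der_children(request)[0][1]          # reqCert, a CertID SEQUENCE
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = der_children(cert_id)
        oid = der_children(alg)[0][1]                  # AlgorithmIdentifier.algorithm
        cert_ids.append({
            "hash_alg": "sha1" if oid == SHA1_OID else oid.hex(),
            "issuer_name_hash": name_hash.hex(),       # hash of the issuer's DER-encoded Name
            "issuer_key_hash": key_hash.hex(),         # hash of the issuer's subjectPublicKey bits
            "serial": serial.hex(),                    # INTEGER content, as printed in the certificate
        })
    return cert_ids


if __name__ == "__main__":
    for p in OCSP_PATHS:
        for cid in decode_ocsp_get(p):
            print(cid)
```

The issuerKeyHash is SHA-1 over the issuer's subjectPublicKey BIT STRING value, which is also how RFC 5280 §4.2.1.2 method (1) derives a Subject Key Identifier, so it can be compared directly with the SKI extension of the candidate issuer certificates (DigiCert's CAs, given the responder); the serial then names the certificate being checked. Two requests with different issuer key hashes are consistent with CryptoAPI checking each non-root certificate of the fbcdn.net chain (leaf and intermediate) separately.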

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No Suricata extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.35.21 49171 31.13.66.19 scontent-iad3-1.xx.fbcdn.net 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49188 31.13.66.19 scontent-iad3-1.xx.fbcdn.net 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Feeds Cache\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 077eb5d924c84ec41447ad7795b38734
SHA1 e3b4793862bb370db5ddd3cb5e607034172336e1
SHA256 06813b4ee292b191c05cb15febfba874e7f4caac47a8c3081041a20880708209
CRC32 E2F624C0
Ssdeep 48:q3xbTpYVfruSYufruXYsfAjYmeKZ6MYCI:qZTuVfrutufruIsfAc26Lv
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
File Size 58373 bytes
File Type Microsoft Cabinet archive data, 58373 bytes, 1 file
MD5 93871e1433144c58cab0deddd1d46925
SHA1 8e587a3571eb8955887074d3eaf92b841fa76e71
SHA256 3193f3035a4f457d66bab3048880aac2eb8557027f6373e606d4621609af1068
CRC32 1ACBF958
Ssdeep 1536:R+E5BB8ZedGpm9ez1KZIpxvAa8iQ030GYTFDIC:Rx7B8uEhzZxvAajQ03DAF
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 344 bytes
File Type data
MD5 208aad6c806ca8610239f0f005ca8667
SHA1 a7dc3558bfec80aa4487876c8d51f26a1d4c95d0
SHA256 b2198f945602171b10223e7b33c206edd7364eecb6b4b9c0e5603a0f644a1f12
CRC32 9AC21E47
Ssdeep 6:kK9dFn8W4Y+SkQlPlEGYRMY9z+4KlDA3RUej6aUt:XFn8WokPlE99SNxAhUe7Ut
ClamAV None
Yara None matched
CAPE Yara None matched
File name EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
File Size 471 bytes
File Type data
MD5 c64f7d42d87d636090a5e113f7fdb121
SHA1 4bb7c5c5fb0ab04c30780bd4ad3f466fb08cfd38
SHA256 d09cccca6800d1a17ff436d78d02a1fea5c0c178dc972f3a190489b58c33933d
CRC32 2A33FEB0
Ssdeep 12:JY0/UC5FZt55QUnZ7X3mKVILlGkfmuJHOb3:JY0R3ZLhm0ClzS3
ClamAV None
Yara None matched
CAPE Yara None matched
File name EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
File Size 426 bytes
File Type data
MD5 1c8beb9091bed2617b588eb22370115a
SHA1 d26f745d76962c94bda382a48090839bc4963946
SHA256 1e1496e3b9b5cc27d7c51f20702ae32cfba5d4e01f0e2b42e21d5bc3bd9b8bc6
CRC32 0F1453F5
Ssdeep 6:kK3OQ8JXlRNfOAUMivhClroFn1cgvVJuIuAQbDUFwGQlhzksEUYeWq2ycSN:2QkmxMiv8sF1JbqDkwJr4bdSN
ClamAV None
Yara None matched
CAPE Yara None matched
File name 35DDEDF268117918D1D277A171D8DF7B_B8D93006F9BB8A9D4CD6D37865B71D1D
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_B8D93006F9BB8A9D4CD6D37865B71D1D
File Size 471 bytes
File Type data
MD5 6675b3ee6803cdff55bf57eeeb900cb9
SHA1 e6d275663cc3705a5ccebd08e7c2c1f620149ee6
SHA256 6cece0bf920d223c19578a2846010f050e200762b4537a5ec6bf1bed3f599b2d
CRC32 9785B36B
Ssdeep 12:JmzXl25oXcAucpQIqKkJKct+tchE4qUvHfj2uR:JmzXl2KXcjclpG9t+gEbUvL2uR
ClamAV None
Yara None matched
CAPE Yara None matched
File name 35DDEDF268117918D1D277A171D8DF7B_B8D93006F9BB8A9D4CD6D37865B71D1D
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_B8D93006F9BB8A9D4CD6D37865B71D1D
File Size 442 bytes
File Type data
MD5 ecea82360efbafa9f5855b0421942f86
SHA1 703ee5c489b2a4c451ccf9c8ff46c91bea93fdca
SHA256 8b55a248e6fed984ed503ff4f79c9543fcd3216eb3f62ec2c3c425e3befbdc8c
CRC32 3BFF4728
Ssdeep 6:kKFUbIQfV/1XlRNfOAUMivhClroFL5ap0KseXlNTVqQEeYlWlrq1XW/:NODmxMiv8sFL5JOEZlWlCW
ClamAV None
Yara None matched
CAPE Yara None matched
File name search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
File Size 237 bytes
File Type PNG image data, 16 x 16, 4-bit colormap, non-interlaced
MD5 9fb559a691078558e77d6848202f6541
SHA1 ea13848d33c2c7f4f4baa39348aeb1dbfad3df31
SHA256 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
CRC32 FC87942A
Ssdeep 6:6v/lhPIF6R/C+u1fXNg1XQ3yslRtNO+cKvAElRApGCp:6v/7b/C1fm1ZslRTvAElR47
ClamAV None
Yara None matched
CAPE Yara None matched
File name 70929350_2869861603028062_5754662131123355648_n[1].jpg
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\70929350_2869861603028062_5754662131123355648_n[1].jpg
File Size 11543 bytes
File Type JPEG image data, JFIF standard 1.02
MD5 f52bcdecf5fc72fc74f29c206888b520
SHA1 a040dae2e6dda3b4b2c17a326b68575823116244
SHA256 e349759e1a464e2200319ce3e068fd2af0c752066c6044852e47698e510a0c55
CRC32 2CF60B4A
Ssdeep 192:QCr95N5hBpzwRIUQ3wUq5IWjHhjB4VxWU7+oKKXo4TDOKBMTzvQNhP:Qy9f5dZ3MuWjz4Vx57d/CzvYP
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019100920191010\index.dat
C:\Windows\Temp\fwtsqmfile00.sqm
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019100920191010\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 15f1793d145ef06def1cba376628eef7
SHA1 b267c307bdb05bc416fa9a058b804f13e27afa57
SHA256 fe25e0555372ef6dce5e8510446a4441ab2c289bfcca834e9afbd45601da2622
CRC32 7BD6EC3E
Ssdeep 3:qRFiJ2totWIltvlVl:qjyx
ClamAV None
Yara None matched
CAPE Yara None matched
File name favicon[3].png
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\favicon[3].png
File Size 152 bytes
File Type PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5 3bb1f77f50310c05f150d8c8856dded3
SHA1 6955a5c2b2cadf88d7fca8f046b4e144a62672a9
SHA256 b5b36ce1e86c25cf8f6d7451b51cff7363596e49524fb8e579fff753efbc15b9
CRC32 5B39EB70
Ssdeep 3:yionv//thPl9vt3leoKalsrdmth2YB2ICPiqZTL1i+oiW+NmeYqRBN9t9zZUCbup:6v/lhPuojnh9B2IviTAFyt9z/up
ClamAV None
Yara None matched
CAPE Yara None matched
File name fwtsqmfile00.sqm
Associated Filenames
C:\Windows\Temp\fwtsqmfile00.sqm
File Size 140 bytes
File Type data
MD5 d83fc486697f251de9aa79a5a7da1272
SHA1 2ccca9b9d55983433f27646ac8a4d809f4f9789b
SHA256 f75d6908728560d207ec694679dc163afd096824218c6146c756df4e5d4eab7c
CRC32 4E55F2A0
Ssdeep 3:Hl1li9Qll+lllt/7VVeeXtzlRPWgESl5llll:F2Qm/PXtpR+y//
ClamAV None
Yara None matched
CAPE Yara None matched
File name Web Slice Gallery~.feed-ms
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
File Size 28672 bytes
File Type Composite Document File V2 Document, No summary info
MD5 d4cc7ce677b6ab7b521a1659aed301c8
SHA1 e1f036a56474983c11b5369dc6d46f158b0d4e0e
SHA256 3e23031a2b91f47683115473ce73964a196b68405153b815af14f7bde5032586
CRC32 E843F4D5
Ssdeep 12:Jw77mFQCb777777777777777777777777777777/FJl8vbf+8Gc7777777777777:Jsbf+8/2As4WYiit
ClamAV None
Yara None matched
CAPE Yara None matched
File name {5CBC4EB8-EA65-11E9-8662-000C2940B9FB}.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5CBC4EB8-EA65-11E9-8662-000C2940B9FB}.dat
File Size 5120 bytes
File Type Composite Document File V2 Document, No summary info
MD5 52cc74c02c84a81cceeea9ea194381f8
SHA1 48778afe9a3579f38c68ae826ca2ef8a61f9e801
SHA256 0762727df72e38ee0aa5789f8c0306dfade2d19b29b8d6cb576f99a043f74124
CRC32 54C49677
Ssdeep 24:rJ7GVGBNlj1tbbdL8GEekp3XpuctTTZolbNlS21tFnXIqYP/mI:rJ7GVGJH3dLLMp3Xp5elHHFnXIqYXj
ClamAV None
Yara None matched
CAPE Yara None matched
File name RecoveryStore.{5CBC4EB7-EA65-11E9-8662-000C2940B9FB}.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5CBC4EB7-EA65-11E9-8662-000C2940B9FB}.dat
File Size 3584 bytes
File Type Composite Document File V2 Document, No summary info
MD5 a5763c9641a92d32738cf7e8e8f92b92
SHA1 00501cb2a14f3b8f5395e6f8cf69c9a607d1a959
SHA256 ad745671e85832efd183f748c0f35eb7918bb3c1bdcb7a3d657064167c0b37b9
CRC32 A68C24FA
Ssdeep 12:rl0YmGF2+rEg5+IaCrI017+FeUDrEgmf+IaCy8qgQNlTq1tDzpltZlt:rI+5/mGv/TQNlW1tDdp
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 36e98f2e00280e37da5ffdbecc926e02
SHA1 dac03652272ea4fdd2b509ec1db2a32404e4cf87
SHA256 5ecfabb4a689de7176076ac83cd890ef3ea8bbcc41d0877a7b85b58f58b183f4
CRC32 81EFB541
Ssdeep 48:qsxMzritscVK7rit6nXIqYXSdLLMp3Xp5el:q7CYSXSdLLMp3
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 e02b5c7b25280da487209bd48b4163f9
SHA1 7d440a9292567af8570c34e52d03aed14405ae00
SHA256 42bc5d24dab11bbeb8fd93b797b3c5b7e70fee667293a32691767580f1a01a73
CRC32 9703369D
Ssdeep 48:qsLf/ZJLH3ZxqT/mf7RCpwV+4igHDt/UwbmXhBgkBVGWYCIh:qsb/Zp/q0lV9Nbojbm
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
File Size 65536 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 0b1d296d59547cedea65f7ef9a747bfa
SHA1 e3abfbf23bf328dcb5306a68ef95c3f8b3f470d9
SHA256 7e6cae927f52804db8253c3d9439acfbb5f2375212c8ebf179f3adbe0a906188
CRC32 D848580E
Ssdeep 384:oW81jxBNPrNa73dg3skdVQnQeW+4fTJ16ziXrAsjCCtn/NJ03x:61BNaCdBr/CSl0
ClamAV None
Yara None matched
CAPE Yara None matched
CAPE files: none.
Process Name iexplore.exe
PID 3012
Dump Size 663040 bytes
Module Path C:\Program Files (x86)\Internet Explorer\iexplore.exe
Type PE image: executable
MD5 e5897d0588624287430476894e7ee03b
SHA1 ba030ec3d774e145dfc2e5591f84e94733e768f9
SHA256 2d1f93ceead344abcc6249155f0a7c80f11c8db6c1acf3eb1f663af624c5392f
CRC32 95A18D34
Ssdeep 12288:xPX+pd167QhE0s7+jM+M6ugRfMMkIM7ovX+pd167QhE0u7+:RE6Ehg7mM+M6RkMkIM7gE6Eh67
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 2d1f93ceead344abcc6249155f0a7c80f11c8db6c1acf3eb1f663af624c5392f
Process Name explorer.exe
PID 3056
Dump Size 2861568 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
MD5 0269fe570750c4ff2835d52e3254d912
SHA1 08bd9284af280b2b4c6aa1dbc7aa867ddbfb7f86
SHA256 e255c37d5d75f0451e987c5c1b83260e7d36e306c9807a315592a297ad6b209c
CRC32 753EC421
Ssdeep 49152:uxrceI/lIRYraisQhFCUXSvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:IrcPlIWovYYYYYYYYYYYRYYYYYYYYYY4
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename e255c37d5d75f0451e987c5c1b83260e7d36e306c9807a315592a297ad6b209c
Process Name WmiPrvSE.exe
PID 2144
Dump Size 369664 bytes
Module Path C:\Windows\sysnative\wbem\WmiPrvSE.exe
Type PE image: 64-bit executable
MD5 7f2ea4b39c79dbc9d3ea13e1771551a6
SHA1 f1e9c2bd86db030aa550cd60df6cf82d4b671c2c
SHA256 f5dbe4d7aa487bee97945c20e2d7c81f0a71d7c59c5a112d2759031aab9f2884
CRC32 617CB440
Ssdeep 6144:slwgZlm6i2aMRL86NeED45ZiZylWceBzFinXCHC7nWvOD:Uldi2RRL8GMZUylbwzFiXCHub
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename f5dbe4d7aa487bee97945c20e2d7c81f0a71d7c59c5a112d2759031aab9f2884

Comments

[2019-10-09 08:49:07]
Might be related to the sodinokibi family malware. Found this URL in network logs. Behavior seems to be similar to actions found in some incredibly powerful exploit kit that was able to attempt process hollowing via Firefox that I traced back to CredSSP's Oracle remediation bugfix that is still in remediate rather than fully patched.
[2019-10-09 08:39:41]
https://scontent-iad3-1.xx.fbcdn.net/v/t15.5256-10/s160x160/67326018_2566034363447546_7079354328678400000_n.jpg?_nc_cat=111&_nc_oc=AQlJENLWpkRiutpff7ARrXt6ewWDN29q8Flri57NHvj4wmH7SY7l1ZyZZPkNyaknM4U&_nc_ht=scontent-iad3-1.xx&oh=65560194168fa4fabc076a779249dcdb&oe=5DF34468

Processing ( 15.697 seconds )

  • 10.013 Static
  • 2.87 BehaviorAnalysis
  • 2.236 ProcDump
  • 0.311 Dropped
  • 0.211 Deduplicate
  • 0.05 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 1.854 seconds )

  • 0.721 antidbg_windows
  • 0.153 antiav_detectreg
  • 0.144 stealth_timeout
  • 0.094 api_spamming
  • 0.055 infostealer_ftp
  • 0.038 antivm_vbox_window
  • 0.036 antivm_generic_scsi
  • 0.034 mimics_filetime
  • 0.032 antianalysis_detectreg
  • 0.031 infostealer_im
  • 0.03 antivm_generic_disk
  • 0.03 antisandbox_script_timer
  • 0.027 Doppelganging
  • 0.022 bootkit
  • 0.021 virus
  • 0.02 infostealer_mail
  • 0.019 antivm_generic_services
  • 0.017 recon_programs
  • 0.016 antivm_vbox_keys
  • 0.014 hancitor_behavior
  • 0.011 injection_createremotethread
  • 0.011 InjectionCreateRemoteThread
  • 0.011 antivm_vmware_keys
  • 0.01 ransomware_files
  • 0.009 injection_runpe
  • 0.009 antiav_detectfile
  • 0.008 uac_bypass_eventvwr
  • 0.008 InjectionProcessHollowing
  • 0.008 kibex_behavior
  • 0.008 antivm_xen_keys
  • 0.008 darkcomet_regkeys
  • 0.007 InjectionInterProcess
  • 0.007 infostealer_browser
  • 0.007 betabot_behavior
  • 0.007 infostealer_browser_password
  • 0.007 dynamic_function_loading
  • 0.007 antivm_parallels_keys
  • 0.007 recon_fingerprint
  • 0.006 malicious_dynamic_function_loading
  • 0.006 antiemu_wine_func
  • 0.006 geodo_banking_trojan
  • 0.006 infostealer_bitcoin
  • 0.005 persistence_autorun
  • 0.005 kovter_behavior
  • 0.005 antivm_generic_diskreg
  • 0.005 antivm_vpc_keys
  • 0.005 ransomware_extensions
  • 0.004 antivm_vbox_libs
  • 0.004 stack_pivot
  • 0.004 exploit_getbasekerneladdress
  • 0.004 ipc_namedpipe
  • 0.004 InjectionSetWindowLong
  • 0.004 antivm_vbox_files
  • 0.003 antidebug_guardpages
  • 0.003 antiav_avast_libs
  • 0.003 exploit_heapspray
  • 0.003 exploit_gethaldispatchtable
  • 0.003 vawtrak_behavior
  • 0.003 browser_security
  • 0.002 office_flash_load
  • 0.002 dridex_behavior
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 antisandbox_sboxie_libs
  • 0.002 EvilGrab
  • 0.002 shifu_behavior
  • 0.002 exec_crash
  • 0.002 neshta_files
  • 0.002 antiav_bitdefender_libs
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_xen_keys
  • 0.002 antivm_hyperv_keys
  • 0.002 bypass_firewall
  • 0.002 disables_browser_warn
  • 0.002 packer_armadillo_regkey
  • 0.002 remcos_regkeys
  • 0.001 stack_pivot_file_created
  • 0.001 tinba_behavior
  • 0.001 andromeda_behavior
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 sets_autoconfig_url
  • 0.001 rat_nanocore
  • 0.001 rat_luminosity
  • 0.001 antivm_vmware_libs
  • 0.001 injection_explorer
  • 0.001 TransactedHollowing
  • 0.001 stealth_network
  • 0.001 modifies_desktop_wallpaper
  • 0.001 Locky_behavior
  • 0.001 kazybot_behavior
  • 0.001 h1n1_behavior
  • 0.001 PlugX
  • 0.001 cerber_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_vmware_files
  • 0.001 ie_martian_children
  • 0.001 network_torgateway
  • 0.001 rat_pcclient
  • 0.001 recon_checkip

Reporting ( 0.026 seconds )

  • 0.026 CompressResults
Task ID 94258
Mongo ID 5d9d8b6a00d6d59231d66cb2
Cuckoo release 1.3-CAPE