Analysis

Category: FILE
Package: exe
Started: 2020-02-14 15:01:50
Completed: 2020-02-14 15:09:57
Duration: 487 seconds
Options:
  route = inetsim
  procdump = 1
Log:
2020-02-14 16:03:44,046 [root] INFO: Date set to: 02-14-20, time set to: 15:03:44, timeout set to: 200
2020-02-14 16:03:44,983 [root] DEBUG: Starting analyzer from: C:\wdqkrwk
2020-02-14 16:03:44,983 [root] DEBUG: Storing results at: C:\fxEAhsLSEy
2020-02-14 16:03:44,983 [root] DEBUG: Pipe server name: \\.\PIPE\DvJLbO
2020-02-14 16:03:44,983 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-14 16:03:44,983 [root] INFO: Automatically selected analysis package "exe"
2020-02-14 16:04:00,015 [root] DEBUG: Started auxiliary module Browser
2020-02-14 16:04:00,015 [root] DEBUG: Started auxiliary module Curtain
2020-02-14 16:04:00,015 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-02-14 16:04:02,453 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-02-14 16:04:02,453 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-02-14 16:04:02,453 [root] DEBUG: Started auxiliary module DigiSig
2020-02-14 16:04:02,453 [root] DEBUG: Started auxiliary module Disguise
2020-02-14 16:04:02,453 [root] DEBUG: Started auxiliary module Human
2020-02-14 16:04:02,483 [root] DEBUG: Started auxiliary module Screenshots
2020-02-14 16:04:02,483 [root] DEBUG: Started auxiliary module Sysmon
2020-02-14 16:04:02,483 [root] DEBUG: Started auxiliary module Usage
2020-02-14 16:04:02,483 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-02-14 16:04:02,483 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-02-14 16:04:05,467 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\pafish.exe" with arguments "" with pid 920
2020-02-14 16:04:16,953 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:04:16,953 [lib.api.process] INFO: 32-bit DLL to inject is C:\wdqkrwk\dll\LHBqJrux.dll, loader C:\wdqkrwk\bin\vbDTxZy.exe
2020-02-14 16:04:16,967 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DvJLbO.
2020-02-14 16:04:16,967 [root] DEBUG: Loader: Injecting process 920 (thread 700) with C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:16,983 [root] DEBUG: Process image base: 0x00400000
2020-02-14 16:04:16,983 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:16,983 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 16:04:16,983 [root] DEBUG: Successfully injected DLL C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:16,983 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 920
2020-02-14 16:04:18,983 [lib.api.process] INFO: Successfully resumed process with pid 920
2020-02-14 16:04:18,983 [root] INFO: Added new process to list with pid: 920
2020-02-14 16:04:19,515 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:04:19,515 [root] DEBUG: Process dumps enabled.
2020-02-14 16:04:20,000 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 16:04:20,000 [root] INFO: Disabling sleep skipping.
2020-02-14 16:04:20,000 [root] INFO: Disabling sleep skipping.
2020-02-14 16:04:20,000 [root] INFO: Disabling sleep skipping.
2020-02-14 16:04:20,000 [root] INFO: Disabling sleep skipping.
2020-02-14 16:04:20,000 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 920 at 0x6a660000, image base 0x400000, stack from 0x226000-0x230000
2020-02-14 16:04:20,000 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\pafish.exe".
2020-02-14 16:04:20,000 [root] INFO: Monitor successfully loaded in process with pid 920.
2020-02-14 16:04:30,108 [root] DEBUG: DLL loaded at 0x74AC0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-02-14 16:04:32,625 [root] DEBUG: DLL loaded at 0x72D80000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-02-14 16:04:32,640 [root] DEBUG: DLL loaded at 0x72D30000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-02-14 16:04:32,640 [root] DEBUG: DLL loaded at 0x73AE0000: C:\Windows\System32\drprov (0x8000 bytes).
2020-02-14 16:04:32,640 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\WINSTA (0x29000 bytes).
2020-02-14 16:04:32,640 [root] DEBUG: DLL loaded at 0x71700000: C:\Windows\System32\ntlanman (0x14000 bytes).
2020-02-14 16:04:32,655 [root] DEBUG: DLL loaded at 0x716E0000: C:\Windows\System32\davclnt (0x18000 bytes).
2020-02-14 16:04:32,655 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Windows\System32\DAVHLPR (0x8000 bytes).
2020-02-14 16:04:40,765 [root] INFO: Stopped WMI Service
2020-02-14 16:04:40,780 [root] INFO: Attaching to DcomLaunch service (pid 552)
2020-02-14 16:04:40,812 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:04:40,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\wdqkrwk\dll\LHBqJrux.dll, loader C:\wdqkrwk\bin\vbDTxZy.exe
2020-02-14 16:04:40,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DvJLbO.
2020-02-14 16:04:40,812 [root] DEBUG: Loader: Injecting process 552 (thread 0) with C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:40,812 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 556, handle 0x7c
2020-02-14 16:04:40,828 [root] DEBUG: Process image base: 0x00B60000
2020-02-14 16:04:40,828 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-02-14 16:04:40,828 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-02-14 16:04:40,828 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:04:40,828 [root] DEBUG: Process dumps enabled.
2020-02-14 16:04:40,828 [root] INFO: Disabling sleep skipping.
2020-02-14 16:04:40,842 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 552 at 0x6a660000, image base 0xb60000, stack from 0xe36000-0xe40000
2020-02-14 16:04:40,842 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k DcomLaunch.
2020-02-14 16:04:40,842 [root] INFO: Added new process to list with pid: 552
2020-02-14 16:04:40,842 [root] INFO: Monitor successfully loaded in process with pid 552.
2020-02-14 16:04:40,842 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-02-14 16:04:40,842 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-02-14 16:04:40,842 [root] DEBUG: Successfully injected DLL C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:44,875 [root] INFO: Started WMI Service
2020-02-14 16:04:44,875 [root] INFO: Attaching to WMI service (pid 3368)
2020-02-14 16:04:44,875 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:04:44,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\wdqkrwk\dll\LHBqJrux.dll, loader C:\wdqkrwk\bin\vbDTxZy.exe
2020-02-14 16:04:44,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DvJLbO.
2020-02-14 16:04:44,875 [root] DEBUG: Loader: Injecting process 3368 (thread 0) with C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:44,875 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1268, handle 0x7c
2020-02-14 16:04:44,890 [root] DEBUG: Process image base: 0x00B60000
2020-02-14 16:04:44,890 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-02-14 16:04:44,890 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-02-14 16:04:44,890 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:04:44,890 [root] DEBUG: Process dumps enabled.
2020-02-14 16:04:44,890 [root] INFO: Disabling sleep skipping.
2020-02-14 16:04:44,905 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3368 at 0x6a660000, image base 0xb60000, stack from 0xae6000-0xaf0000
2020-02-14 16:04:44,905 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k netsvcs.
2020-02-14 16:04:44,905 [root] INFO: Added new process to list with pid: 3368
2020-02-14 16:04:44,905 [root] INFO: Monitor successfully loaded in process with pid 3368.
2020-02-14 16:04:44,905 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-02-14 16:04:44,905 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-02-14 16:04:44,905 [root] DEBUG: Successfully injected DLL C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:46,905 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-02-14 16:04:46,905 [root] DEBUG: DLL loaded at 0x71A90000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-02-14 16:04:46,905 [root] DEBUG: DLL loaded at 0x72200000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-02-14 16:04:46,905 [root] DEBUG: DLL loaded at 0x746E0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-02-14 16:04:46,905 [root] DEBUG: DLL loaded at 0x74590000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-02-14 16:04:46,905 [root] DEBUG: DLL loaded at 0x74320000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-02-14 16:04:46,905 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-02-14 16:04:46,921 [root] DEBUG: DLL loaded at 0x722A0000: C:\Windows\system32\VSSAPI (0x116000 bytes).
2020-02-14 16:04:46,921 [root] DEBUG: DLL loaded at 0x73140000: C:\Windows\system32\ATL (0x14000 bytes).
2020-02-14 16:04:46,921 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\VssTrace (0x10000 bytes).
2020-02-14 16:04:46,921 [root] DEBUG: DLL loaded at 0x72C60000: C:\Windows\system32\samcli (0xf000 bytes).
2020-02-14 16:04:46,921 [root] DEBUG: DLL loaded at 0x738C0000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2020-02-14 16:04:46,921 [root] DEBUG: DLL loaded at 0x738B0000: C:\Windows\system32\netutils (0x9000 bytes).
2020-02-14 16:04:46,953 [root] DEBUG: DLL loaded at 0x730F0000: C:\Windows\system32\es (0x47000 bytes).
2020-02-14 16:04:47,015 [root] DEBUG: DLL loaded at 0x737B0000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-02-14 16:04:47,030 [root] DEBUG: DLL loaded at 0x71850000: C:\Windows\system32\wbem\wbemcore (0xf1000 bytes).
2020-02-14 16:04:47,030 [root] DEBUG: DLL loaded at 0x74060000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-02-14 16:04:47,030 [root] DEBUG: DLL loaded at 0x717C0000: C:\Windows\system32\wbem\esscli (0x4a000 bytes).
2020-02-14 16:04:47,030 [root] DEBUG: DLL loaded at 0x720D0000: C:\Windows\system32\wbem\FastProx (0xa6000 bytes).
2020-02-14 16:04:47,030 [root] DEBUG: DLL loaded at 0x71D00000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-02-14 16:04:47,078 [root] DEBUG: DLL unloaded from 0x71850000.
2020-02-14 16:04:47,078 [root] DEBUG: DLL loaded at 0x716A0000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-02-14 16:04:47,078 [root] DEBUG: DLL loaded at 0x716A0000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-02-14 16:04:47,078 [root] DEBUG: DLL loaded at 0x74740000: C:\Windows\system32\authZ (0x1b000 bytes).
2020-02-14 16:04:47,125 [root] DEBUG: DLL loaded at 0x6EFD0000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-02-14 16:04:47,125 [root] DEBUG: DLL loaded at 0x6EE40000: C:\Windows\system32\wbem\repdrvfs (0x47000 bytes).
2020-02-14 16:04:47,140 [root] WARNING: File at path "C:\Windows\System32\wbem\repository\WRITABLE.TST" does not exist, skip.
2020-02-14 16:04:47,140 [root] DEBUG: DLL loaded at 0x74790000: C:\Windows\system32\Wevtapi (0x42000 bytes).
2020-02-14 16:04:47,140 [root] DEBUG: DLL unloaded from 0x74790000.
2020-02-14 16:04:47,328 [root] DEBUG: DLL loaded at 0x6D360000: C:\Windows\system32\wbem\wmiprvsd (0x91000 bytes).
2020-02-14 16:04:47,328 [root] DEBUG: DLL loaded at 0x6D350000: C:\Windows\system32\NCObjAPI (0xf000 bytes).
2020-02-14 16:04:47,342 [root] DEBUG: DLL loaded at 0x6C9C0000: C:\Windows\system32\wbem\wbemess (0x5b000 bytes).
2020-02-14 16:04:47,421 [root] DEBUG: DLL loaded at 0x720D0000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2020-02-14 16:04:47,437 [root] DEBUG: DLL loaded at 0x71D00000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-02-14 16:04:47,530 [root] INFO: Announced 32-bit process name: WmiPrvSE.exe pid: 3724
2020-02-14 16:04:47,530 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:04:47,530 [lib.api.process] INFO: 32-bit DLL to inject is C:\wdqkrwk\dll\LHBqJrux.dll, loader C:\wdqkrwk\bin\vbDTxZy.exe
2020-02-14 16:04:47,530 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DvJLbO.
2020-02-14 16:04:47,546 [root] DEBUG: DLL loaded at 0x72280000: C:\Windows\system32\wbem\ncprov (0x12000 bytes).
2020-02-14 16:04:47,562 [root] DEBUG: Loader: Injecting process 3724 (thread 3976) with C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:47,562 [root] DEBUG: Process image base: 0x00AB0000
2020-02-14 16:04:47,562 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:47,562 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 16:04:47,562 [root] DEBUG: Successfully injected DLL C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:47,562 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3724
2020-02-14 16:04:47,562 [root] INFO: Announced 32-bit process name: WmiPrvSE.exe pid: 3724
2020-02-14 16:04:47,562 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:04:47,562 [lib.api.process] INFO: 32-bit DLL to inject is C:\wdqkrwk\dll\LHBqJrux.dll, loader C:\wdqkrwk\bin\vbDTxZy.exe
2020-02-14 16:04:47,562 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DvJLbO.
2020-02-14 16:04:47,562 [root] DEBUG: Loader: Injecting process 3724 (thread 3976) with C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:47,578 [root] DEBUG: Process image base: 0x00AB0000
2020-02-14 16:04:47,578 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:47,578 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-02-14 16:04:47,578 [root] DEBUG: Successfully injected DLL C:\wdqkrwk\dll\LHBqJrux.dll.
2020-02-14 16:04:47,578 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3724
2020-02-14 16:04:47,578 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:04:47,578 [root] DEBUG: Process dumps enabled.
2020-02-14 16:04:47,578 [root] INFO: Disabling sleep skipping.
2020-02-14 16:04:47,592 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 16:04:47,592 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3724 at 0x6a660000, image base 0xab0000, stack from 0x120000-0x130000
2020-02-14 16:04:47,592 [root] DEBUG: Commandline: C:\Windows\System32\wbem\wmiprvse.exe -secured -Embedding.
2020-02-14 16:04:47,592 [root] INFO: Added new process to list with pid: 3724
2020-02-14 16:04:47,592 [root] INFO: Monitor successfully loaded in process with pid 3724.
2020-02-14 16:04:47,608 [root] DEBUG: DLL loaded at 0x74AC0000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-02-14 16:04:47,608 [root] DEBUG: DLL loaded at 0x73760000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-02-14 16:04:47,608 [root] DEBUG: DLL loaded at 0x76FC0000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-02-14 16:04:47,608 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-02-14 16:04:47,625 [root] DEBUG: DLL loaded at 0x71A90000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-02-14 16:04:47,625 [root] DEBUG: DLL loaded at 0x74590000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-02-14 16:04:47,625 [root] DEBUG: DLL loaded at 0x74320000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-02-14 16:04:47,640 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-02-14 16:04:47,640 [root] DEBUG: DLL unloaded from 0x71850000.
2020-02-14 16:04:47,640 [root] DEBUG: DLL loaded at 0x716A0000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-02-14 16:04:47,671 [root] DEBUG: DLL loaded at 0x6EFD0000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-02-14 16:04:47,733 [root] DEBUG: DLL loaded at 0x6A070000: C:\Windows\system32\wbem\cimwin32 (0x14a000 bytes).
2020-02-14 16:04:47,733 [root] DEBUG: DLL loaded at 0x6CD10000: C:\Windows\system32\framedynos (0x35000 bytes).
2020-02-14 16:04:47,750 [root] DEBUG: DLL loaded at 0x74DA0000: C:\Windows\system32\DEVOBJ (0x12000 bytes).
2020-02-14 16:04:47,750 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-02-14 16:04:47,905 [root] DEBUG: DLL unloaded from 0x720D0000.
2020-02-14 16:04:47,921 [root] DEBUG: DLL unloaded from 0x716A0000.
2020-02-14 16:04:47,921 [root] DEBUG: DLL unloaded from 0x71A90000.
2020-02-14 16:04:47,937 [root] DEBUG: DLL loaded at 0x71A90000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-02-14 16:04:47,937 [root] DEBUG: DLL loaded at 0x72200000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-02-14 16:04:47,937 [root] DEBUG: DLL loaded at 0x746E0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-02-14 16:04:47,953 [root] DEBUG: DLL loaded at 0x716A0000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-02-14 16:04:47,953 [root] DEBUG: DLL loaded at 0x720D0000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2020-02-14 16:04:47,953 [root] DEBUG: DLL loaded at 0x71D00000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-02-14 16:04:47,967 [root] DEBUG: DLL loaded at 0x72270000: C:\Windows\system32\WMI (0x3000 bytes).
2020-02-14 16:04:47,983 [root] DEBUG: DLL unloaded from 0x720D0000.
2020-02-14 16:04:47,983 [root] DEBUG: DLL unloaded from 0x716A0000.
2020-02-14 16:04:47,983 [root] DEBUG: DLL unloaded from 0x71A90000.
2020-02-14 16:04:57,905 [root] DEBUG: DLL unloaded from 0x74D60000.
2020-02-14 16:05:06,921 [root] DEBUG: DLL unloaded from 0x75980000.
2020-02-14 16:05:07,905 [root] DEBUG: DLL unloaded from 0x72270000.
2020-02-14 16:05:17,640 [root] DEBUG: DLL unloaded from 0x75980000.
2020-02-14 16:05:47,467 [root] DEBUG: DLL unloaded from 0x730F0000.
2020-02-14 16:06:17,467 [root] DEBUG: DLL unloaded from 0x6A070000.
2020-02-14 16:06:17,467 [root] DEBUG: DLL unloaded from 0x6EFD0000.
2020-02-14 16:06:17,467 [root] DEBUG: DLL unloaded from 0x720D0000.
2020-02-14 16:06:17,483 [root] DEBUG: DLL unloaded from 0x716A0000.
2020-02-14 16:06:17,483 [root] DEBUG: DLL unloaded from 0x71A90000.
2020-02-14 16:06:17,483 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3724
2020-02-14 16:06:17,483 [root] DEBUG: GetHookCallerBase: thread 3976 (handle 0x0), return address 0x00AEA976, allocation base 0x00AB0000.
2020-02-14 16:06:17,483 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00AB0000.
2020-02-14 16:06:17,483 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-14 16:06:17,483 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00AB0000.
2020-02-14 16:06:17,483 [root] DEBUG: DumpProcess: Module entry point VA is 0x0003A810.
2020-02-14 16:06:17,500 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x0.
2020-02-14 16:06:17,500 [root] DEBUG: DLL unloaded from 0x73760000.
2020-02-14 16:06:17,500 [root] DEBUG: DLL unloaded from 0x75270000.
2020-02-14 16:06:17,500 [root] INFO: Notified of termination of process with pid 3724.
2020-02-14 16:07:39,437 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-02-14 16:07:39,437 [root] INFO: Created shutdown mutex.
2020-02-14 16:07:40,500 [lib.api.process] INFO: Terminate event set for process 920
2020-02-14 16:07:40,592 [root] DEBUG: Terminate Event: Attempting to dump process 920
2020-02-14 16:07:40,640 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2020-02-14 16:07:40,687 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-14 16:07:40,733 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-02-14 16:07:40,780 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2020-02-14 16:07:41,030 [root] INFO: Added new CAPE file to list with path: C:\fxEAhsLSEy\CAPE\920_15167777464071514522020
2020-02-14 16:07:41,078 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x13000.
2020-02-14 16:07:41,125 [root] DEBUG: Terminate Event: Skipping dump of process 920
2020-02-14 16:07:41,125 [lib.api.process] INFO: Termination confirmed for process 920
2020-02-14 16:07:41,125 [root] INFO: Terminate event set for process 920.
2020-02-14 16:07:41,125 [root] INFO: Shutting down package.
2020-02-14 16:07:41,125 [root] INFO: Stopping auxiliary modules.
2020-02-14 16:07:41,171 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 920
2020-02-14 16:07:41,828 [root] INFO: Finishing auxiliary modules.
2020-02-14 16:07:41,828 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-14 16:07:41,828 [root] WARNING: File at path "C:\fxEAhsLSEy\debugger" does not exist, skip.
2020-02-14 16:07:41,828 [root] INFO: Analysis completed.

MalScore

10.0 (Khalesi)

Machine

Name: win7_3
Label: win7_3
Manager: KVM
Started On: 2020-02-14 15:01:50
Shutdown On: 2020-02-14 15:09:54

File Details

File Name pafish.exe
File Size 76800 bytes
File Type PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5 9159edb64c4a21d8888d088bf2db23f3
SHA1 124f46228d1e220d88ae5e9a24d6e713039a64f9
SHA256 2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5
SHA512 4b6d56b81dd3cd42bb53fc8d68b5c8ef0d6c85ebcc503cd042ae5c19e8965e6477f259a02bafb9c5c66956ae1023fc30e3be5bbcd526eacc8480f93d74c1ab7c
CRC32 6F030481
Ssdeep 1536:tI05L48IVDAQVzZpJyrOM1GhFNkYL2BxNRj:tI05LBIDAuztyrOMGTkrNRj
TrID None matched
ClamAV None matched
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 920 trigged the Yara rule 'vmdetect'
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: fastprox.dll/DllGetClassObject
DynamicLoader: fastprox.dll/DllCanUnloadNow
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: fastprox.dll/DllGetClassObject
DynamicLoader: fastprox.dll/DllCanUnloadNow
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventActivityIdControl
DynamicLoader: ADVAPI32.dll/EventWriteTransfer
DynamicLoader: ADVAPI32.dll/EventEnabled
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: SspiCli.dll/LogonUserExExW
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: FastProx.dll/DllGetClassObject
DynamicLoader: FastProx.dll/DllCanUnloadNow
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventActivityIdControl
DynamicLoader: ADVAPI32.dll/EventWriteTransfer
DynamicLoader: ADVAPI32.dll/EventEnabled
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: DEVOBJ.dll/DevObjCreateDeviceInfoList
DynamicLoader: DEVOBJ.dll/DevObjGetClassDevs
DynamicLoader: DEVOBJ.dll/DevObjEnumDeviceInfo
DynamicLoader: DEVOBJ.dll/DevObjDestroyDeviceInfoList
DynamicLoader: CFGMGR32.dll/CM_Connect_MachineA
DynamicLoader: CFGMGR32.dll/CM_Disconnect_Machine
DynamicLoader: CFGMGR32.dll/CM_Locate_DevNodeW
DynamicLoader: CFGMGR32.dll/CM_Get_DevNode_Registry_PropertyW
DynamicLoader: CFGMGR32.dll/CM_Get_Child
DynamicLoader: CFGMGR32.dll/CM_Get_Sibling
DynamicLoader: CFGMGR32.dll/CM_Get_DevNode_Status
DynamicLoader: CFGMGR32.dll/CM_Get_First_Log_Conf
DynamicLoader: CFGMGR32.dll/CM_Get_Next_Res_Des
DynamicLoader: CFGMGR32.dll/CM_Get_Res_Des_Data
DynamicLoader: CFGMGR32.dll/CM_Get_Res_Des_Data_Size
DynamicLoader: CFGMGR32.dll/CM_Free_Log_Conf_Handle
DynamicLoader: CFGMGR32.dll/CM_Free_Res_Des_Handle
DynamicLoader: CFGMGR32.dll/CM_Get_Device_IDA
DynamicLoader: CFGMGR32.dll/CM_Get_Device_ID_Size
DynamicLoader: CFGMGR32.dll/CM_Get_Parent
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WMI.DLL/WmiQueryAllDataW
DynamicLoader: WMI.DLL/WmiQuerySingleInstanceW
DynamicLoader: WMI.DLL/WmiSetSingleItemW
DynamicLoader: WMI.DLL/WmiSetSingleInstanceW
DynamicLoader: WMI.DLL/WmiExecuteMethodW
DynamicLoader: WMI.DLL/WmiNotificationRegistrationW
DynamicLoader: WMI.DLL/WmiMofEnumerateResourcesW
DynamicLoader: WMI.DLL/WmiFileHandleToInstanceNameW
DynamicLoader: WMI.DLL/WmiDevInstToInstanceNameW
DynamicLoader: WMI.DLL/WmiQueryGuidInformation
DynamicLoader: WMI.DLL/WmiOpenBlock
DynamicLoader: WMI.DLL/WmiCloseBlock
DynamicLoader: WMI.DLL/WmiFreeBuffer
DynamicLoader: WMI.DLL/WmiEnumerateGuids
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.85, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES, raw_size: 0x00009000, virtual_size: 0x00008ef0
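The entropy hit deserves a second look before it is read as packing: `.rsrc` is where icons and other embedded resources live, and already-compressed image data scores close to 8 bits per byte just as an encrypted payload does, so the section name matters as much as the number. The Python below is an added example, not CAPE's signature code: it computes the Shannon entropy such signatures are based on, decodes the `Characteristics` bits quoted in the hit (0xC0300040 yields exactly the four names above), and returns a per-section verdict. The 7.0 threshold is an assumption (the report does not state CAPE's cutoff), and the sample buffers are constructed inline.

```python
"""Added example (not CAPE's code): Shannon entropy of a PE section and a
decoder for IMAGE_SECTION_HEADER.Characteristics, returning the kind of
verdict the 'encrypted or compressed data' signature is built on."""
import hashlib
import math
from collections import Counter

# Single-bit section flags from winnt.h (subset). The ALIGN_* values are a
# 4-bit field (mask 0x00F00000), not independent bits, so they are decoded separately.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x04000000: "IMAGE_SCN_MEM_NOT_CACHED",
    0x08000000: "IMAGE_SCN_MEM_NOT_PAGED",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
ALIGN_MASK = 0x00F00000


def decode_characteristics(value):
    """Return flag names in ascending bit order, with the alignment field last."""
    names = [name for bit, name in sorted(SECTION_FLAGS.items()) if value & bit]
    align = (value & ALIGN_MASK) >> 20          # field value n (1..14) means 2**(n-1) bytes
    if align:
        names.append(f"IMAGE_SCN_ALIGN_{1 << (align - 1)}BYTES")
    return names


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def section_verdict(name, data, characteristics, threshold=7.0):
    """Assemble the facts a triage analyst wants for one section (threshold is an assumption)."""
    entropy = shannon_entropy(data)
    flags = decode_characteristics(characteristics)
    return {
        "name": name,
        "raw_size": len(data),
        "entropy": round(entropy, 2),
        "characteristics": flags,
        "high_entropy": entropy >= threshold,
        # Resources hold icons/bitmaps that are often compressed already, so a
        # high-entropy .rsrc is weaker evidence of packing than a high-entropy .text.
        "likely_packed_code": name.lower() in (".text", "code") and entropy >= threshold,
        # MSVC-linked images normally mark .rsrc read-only and zero the ALIGN field;
        # GNU ld (MinGW) commonly leaves both, so this hints at the toolchain, not malice.
        "writable_resources": name.lower() == ".rsrc" and "IMAGE_SCN_MEM_WRITE" in flags,
    }


# Constructed sample buffers, sized like the 0x9000-byte .rsrc section in the report.
SAMPLE_SECTIONS = {
    # SHA-256 chain as a deterministic stand-in for compressed or encrypted data
    "pseudo_random": b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                              for i in range(0x9000 // 32)),
    "constant": b"\x00" * 0x9000,
    "ascii_text": (b"This program cannot be run in DOS mode. " * (0x9000 // 40))[:0x9000],
}

if __name__ == "__main__":
    for label, buf in SAMPLE_SECTIONS.items():
        print(label, section_verdict(".rsrc", buf, 0xC0300040))
```

Run against a real file, feed `section_verdict` the bytes of each section (from the raw-size slice of the image) and its `Characteristics` field; a high-entropy `.rsrc` should send you to the resource directory to see what is actually stored there before the sample is called packed.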
Queries information on disks, possibly for anti-virtualization
Detects Sandboxie through the presence of a library
Detects the presence of Wine emulator via function name
Detects VirtualBox through the presence of a window
window: VBoxTrayToolWndClass
Detects VirtualBox using WNetGetProviderName trick
Detects the presence of Wine emulator via registry key
Detects Joe or Anubis Sandboxes through the presence of a file
File has been identified by 37 Antiviruses on VirusTotal as malicious
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
SUPERAntiSpyware: Trojan.Agent/Gen-ParanoidFish
Sangfor: Malware
Alibaba: Trojan:Win32/Khalesi.9e4b014c
K7GW: Unwanted-Program ( 004d38111 )
K7AntiVirus: Unwanted-Program ( 004d38111 )
Cyren: W32/Maskit.A.gen!Eldorado
ESET-NOD32: a variant of Win32/ParanoidFish.A potentially unsafe
APEX: Malicious
Kaspersky: Trojan.Win32.Khalesi.oq
NANO-Antivirus: Trojan.Win32.Khalesi.fdxhjb
Paloalto: generic.ml
ViRobot: Trojan.Win32.Z.Khalesi.76800
Tencent: Win32.Trojan.Khalesi.Hquz
Sophos: Troj/AutoG-DV
Zillya: Trojan.Khalesi.Win32.1493
Invincea: heuristic
Trapmine: malicious.high.ml.score
Ikarus: Trojan.Win32.Khalesi
F-Prot: W32/Maskit.A.gen!Eldorado
Jiangmin: Trojan.Khalesi.as
Webroot: W32.Trojan.Gen
Endgame: malicious (high confidence)
AegisLab: Trojan.Win32.Khalesi.tpxB
ZoneAlarm: Trojan.Win32.Khalesi.oq
TACHYON: Trojan/W32.Khalesi.76800
AhnLab-V3: PUP/Win32.ParanoidFish.R289290
VBA32: BScope.Trojan.Khalesi
ALYac: Trojan.Khalesi.gen
MAX: malware (ai score=63)
Rising: Trojan.Khalesi!8.F103 (CLOUD)
Yandex: Trojan.Khalesi!
Fortinet: W32/Fareit.A
MaxSecure: Trojan.Malware.11782770.susgen
AVG: FileRepMalware [PUP]
Qihoo-360: Win32/Trojan.0dd
Checks the version of Bios, possibly for anti-virtualization
Detects VirtualBox through the presence of a device
Detects VirtualBox through the presence of a file
file: C:\Windows\System32\vboxdisp.dll
file: C:\Windows\System32\vboxhook.dll
file: C:\Windows\System32\vboxmrxnp.dll
file: C:\Windows\System32\vboxogl.dll
file: C:\Windows\System32\vboxoglarrayspu.dll
file: C:\Windows\System32\vboxoglcrutil.dll
file: C:\Windows\System32\vboxoglerrorspu.dll
file: C:\Windows\System32\vboxoglfeedbackspu.dll
file: C:\Windows\System32\vboxoglpackspu.dll
file: C:\Windows\System32\vboxoglpassthroughspu.dll
file: C:\Windows\System32\drivers\VBoxSF.sys
file: C:\Windows\System32\VBoxControl.exe
file: C:\Windows\System32\vboxservice.exe
file: C:\Windows\System32\vboxtray.exe
file: C:\Windows\System32\drivers\VBoxGuest.sys
file: C:\Windows\System32\drivers\VBoxMouse.sys
file: C:\Windows\System32\drivers\VBoxVideo.sys
Detects VirtualBox through the presence of a registry key
Detects VMware through the presence of a device
Detects VMware through the presence of a file
Detects VMware through the presence of a registry key
Collects information to fingerprint the system
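The anti-VM signatures above fire on the file, device and registry artefacts that appear in the Summary section further down: the VBox*.sys drivers and vbox*.dll libraries under System32, the `\??\VBoxMiniRdrDN` and `\??\VBoxTrayIPC` device names, the `HARDWARE\ACPI\*\VBOX__` and `Services\VBox*` keys, the VMware `vmhgfs.sys`, `\??\HGFS` and `\??\vmci` probes, `HKCU\SOFTWARE\Wine`, the `C:\sample.exe` / `C:\malware.exe` checks for Joe and Anubis, and the PhysicalDrive0, SCSI DEVICEMAP and BIOS version reads. The Python below is an added triage helper, not CAPE's or pafish's code: it re-derives those signature hits from a plain list of recorded artefact paths, covering all the families named above rather than any single signature, so the same check can be run over another report or a batch of them. The indicator table is an assumption built from this report's Summary, and the sample list is a subset of that Summary copied verbatim.

```python
"""Added triage helper, not CAPE's or pafish's code: map the file, device and
registry artefacts a sandbox records for a sample to the anti-VM / anti-sandbox
probes they belong to. The indicator table is an assumption built from the
artefacts in this report's Summary; extend it as new ones show up."""
import re
from collections import defaultdict

# (family, evidence kind, pattern). Matched case-insensitively and anchored on
# the path tail, so drive letter and ControlSet number do not matter.
INDICATORS = [
    ("VirtualBox", "file",     r"\\system32\\(?:drivers\\)?vbox\w*\.(?:dll|sys|exe)$"),
    ("VirtualBox", "file",     r"\\program files(?: \(x86\))?\\oracle\\virtualbox guest additions"),
    ("VirtualBox", "device",   r"^\\\?\?\\(?:pipe\\)?vbox(?:minirdrdn|minirddn|trayipc)$"),
    ("VirtualBox", "registry", r"\\hardware\\acpi\\(?:dsdt|fadt|rsdt)\\vbox__$"),
    ("VirtualBox", "registry", r"\\services\\vbox(?:guest|mouse|service|sf|video)$"),
    ("VirtualBox", "registry", r"\\software\\oracle\\virtualbox guest additions$"),
    ("VMware",     "file",     r"\\drivers\\vm(?:mouse|hgfs)\.sys$"),
    ("VMware",     "device",   r"^\\\?\?\\(?:hgfs|vmci)$"),
    ("VMware",     "registry", r"\\software\\vmware, inc\.\\vmware tools$"),
    ("Wine",       "registry", r"^hkey_current_user\\software\\wine$"),
    ("Joe/Anubis", "file",     r"^c:\\(?:sample|malware)\.exe$"),
    ("Hardware fingerprint", "device",   r"^\\\?\?\\physicaldrive\d+$"),
    ("Hardware fingerprint", "registry", r"\\hardware\\devicemap\\scsi\\scsi port \d+\\"),
    ("Hardware fingerprint", "registry",
     r"\\hardware\\description\\system\\(?:systembios(?:version|date)|videobiosversion)$"),
]
_COMPILED = [(fam, kind, re.compile(pat, re.I)) for fam, kind, pat in INDICATORS]


def classify(artifacts):
    """Group artefacts by (family, kind). Unmatched ones are returned too, so
    benign noise (WMI repository files, NLS tables) stays visible."""
    hits = defaultdict(lambda: defaultdict(set))
    unmatched = []
    for raw in artifacts:
        path = raw.strip()
        matched = False
        for family, kind, pat in _COMPILED:
            if pat.search(path):
                hits[family][kind].add(path)
                matched = True
        if not matched:
            unmatched.append(path)
    return ({f: {k: sorted(v) for k, v in kinds.items()} for f, kinds in hits.items()},
            unmatched)


def signature_titles(hits):
    """Render hits in the wording this report uses for its anti-VM signatures."""
    kind_names = {"file": "file", "device": "device", "registry": "registry key"}
    titles = []
    for family in sorted(hits):
        for kind in sorted(hits[family]):
            if family == "Hardware fingerprint":
                titles.append(f"Queries {kind_names[kind]} information, possibly for anti-virtualization")
            else:
                titles.append(f"Detects {family} through the presence of a {kind_names[kind]}")
    return titles


# Subset of this report's Summary list, copied verbatim to exercise the table.
SAMPLE_ARTIFACTS = [
    r"C:\Users\Rebecca\AppData\Local\Temp\pafish.log",
    r"C:\sample.exe",
    r"C:\malware.exe",
    r"\??\PhysicalDrive0",
    r"C:\Windows\System32\drivers\VBoxMouse.sys",
    r"C:\Windows\System32\vboxhook.dll",
    r"C:\Windows\System32\VBoxControl.exe",
    "C:\\program files\\oracle\\virtualbox guest additions\\",
    r"\??\pipe\VBoxMiniRdDN",
    r"\??\VBoxTrayIPC",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
    r"\??\HGFS",
    r"\??\vmci",
    r"C:\Windows\System32\wbem\repository\OBJECTS.DATA",
    r"HKEY_CURRENT_USER\SOFTWARE\Wine",
    r"HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
    r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit",
]

if __name__ == "__main__":
    found, noise = classify(SAMPLE_ARTIFACTS)
    for title in signature_titles(found):
        print(title)
    print(f"{len(noise)} artefacts matched no indicator")
```

The unmatched list is kept deliberately: on this sample it holds only the WMI repository and pafish's own log file, but on an unknown binary anything left over is the place to look for probes the table does not yet know about.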

Hosts

Direct  IP       Country Name
Y       1.1.1.1  Australia

DNS

No domains contacted.


Summary

C:\Users\Rebecca\AppData\Local\Temp\pafish.log
C:\Users\Rebecca\AppData\Local\Temp\hi_CPU_VM_rdtsc_force_vm_exit
C:\sample.exe
C:\malware.exe
\??\PhysicalDrive0
C:\
C:\Windows\System32\drivers\VBoxMouse.sys
C:\Windows\System32\drivers\VBoxGuest.sys
C:\Windows\System32\drivers\VBoxSF.sys
C:\Windows\System32\drivers\VBoxVideo.sys
C:\Windows\System32\vboxdisp.dll
C:\Windows\System32\vboxhook.dll
C:\Windows\System32\vboxmrxnp.dll
C:\Windows\System32\vboxogl.dll
C:\Windows\System32\vboxoglarrayspu.dll
C:\Windows\System32\vboxoglcrutil.dll
C:\Windows\System32\vboxoglerrorspu.dll
C:\Windows\System32\vboxoglfeedbackspu.dll
C:\Windows\System32\vboxoglpackspu.dll
C:\Windows\System32\vboxoglpassthroughspu.dll
C:\Windows\System32\vboxservice.exe
C:\Windows\System32\vboxtray.exe
C:\Windows\System32\VBoxControl.exe
C:\program files\oracle\virtualbox guest additions\
\??\VBoxMiniRdrDN
\??\pipe\VBoxMiniRdDN
\??\VBoxTrayIPC
\??\pipe\VBoxTrayIPC
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\drivers\vmmouse.sys
C:\Windows\System32\drivers\vmhgfs.sys
\??\HGFS
\??\vmci
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\Windows\System32\wbem\repository
C:\Windows\System32\wbem\Logs
C:\Windows\System32\wbem\AutoRecover
C:\Windows\System32\wbem\MOF
C:\Windows\System32\wbem\repository\INDEX.BTR
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\Device\KsecDD
C:\Windows\System32\wbem\Logs\
\??\WMIDataDevice
\??\PhysicalDrive0
\??\VBoxMiniRdrDN
\??\pipe\VBoxMiniRdDN
\??\VBoxTrayIPC
\??\pipe\VBoxTrayIPC
C:\Windows\Globalization\Sorting\sortdefault.nls
\??\HGFS
\??\vmci
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\Device\KsecDD
\??\WMIDataDevice
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
C:\Users\Rebecca\AppData\Local\Temp\hi_CPU_VM_rdtsc_force_vm_exit
\??\PIPE\samr
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\Device\KsecDD
\??\WMIDataDevice
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\SOFTWARE\Wine
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HKEY_LOCAL_MACHINE\HARDWARE\Description\System
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxSF
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\pafish.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\ESS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\software\microsoft\wbem\cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\wmiprvse.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
\xef\xb6\xb8\xc5\xafEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
\xef\xb6\xb8\xc5\xafEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
\xe7\x96\x90\xc4\xb0EY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0B1CB1D4-F6D5-4EF6-845D-1E1F781B1702}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{2EEFB342-9D26-4F24-8029-736CBADE07B0}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4E021867-30E2-44BE-ADB9-706DB67AE1AC}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{65E325E9-A264-47EC-B1B6-B5DF8694799F}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
kernel32.dll.IsWow64Process
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
fastprox.dll.DllGetClassObject
fastprox.dll.DllCanUnloadNow
ntdll.dll.EtwUnregisterTraceGuids
oleaut32.dll.#500
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
vssapi.dll.CreateWriter
oleaut32.dll.#6
oleaut32.dll.#2
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall2
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
ole32.dll.CoCreateGuid
ole32.dll.StringFromCLSID
oleaut32.dll.#4
oleaut32.dll.#7
advapi32.dll.RegOpenKeyW
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
advapi32.dll.EventWrite
advapi32.dll.EventActivityIdControl
advapi32.dll.EventWriteTransfer
advapi32.dll.EventEnabled
kernel32.dll.RegCloseKey
kernel32.dll.RegSetValueExW
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
cryptsp.dll.CryptReleaseContext
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernelbase.dll.AllocateAndInitializeSid
kernelbase.dll.CheckTokenMembership
kernel32.dll.SetThreadToken
ole32.dll.CLSIDFromString
authz.dll.AuthzInitializeContextFromSid
ole32.dll.CoGetCallContext
ole32.dll.CoRevertToSelf
sspicli.dll.LogonUserExExW
ole32.dll.StringFromGUID2
ole32.dll.CoImpersonateClient
ole32.dll.CoSwitchCallContext
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
kernel32.dll.RegCreateKeyExW
ntdll.dll.EtwRegisterTraceGuidsW
ntmarta.dll.GetMartaExtensionInterface
devobj.dll.DevObjCreateDeviceInfoList
devobj.dll.DevObjGetClassDevs
devobj.dll.DevObjEnumDeviceInfo
devobj.dll.DevObjDestroyDeviceInfoList
cfgmgr32.dll.CM_Connect_MachineA
cfgmgr32.dll.CM_Disconnect_Machine
cfgmgr32.dll.CM_Locate_DevNodeW
cfgmgr32.dll.CM_Get_DevNode_Registry_PropertyW
cfgmgr32.dll.CM_Get_Child
cfgmgr32.dll.CM_Get_Sibling
cfgmgr32.dll.CM_Get_DevNode_Status
cfgmgr32.dll.CM_Get_First_Log_Conf
cfgmgr32.dll.CM_Get_Next_Res_Des
cfgmgr32.dll.CM_Get_Res_Des_Data
cfgmgr32.dll.CM_Get_Res_Des_Data_Size
cfgmgr32.dll.CM_Free_Log_Conf_Handle
cfgmgr32.dll.CM_Free_Res_Des_Handle
cfgmgr32.dll.CM_Get_Device_IDA
cfgmgr32.dll.CM_Get_Device_ID_Size
cfgmgr32.dll.CM_Get_Parent
oleaut32.dll.#15
oleaut32.dll.#26
oleaut32.dll.#16
oleaut32.dll.#23
oleaut32.dll.#24
wmi.dll.WmiQueryAllDataW
wmi.dll.WmiQuerySingleInstanceW
wmi.dll.WmiSetSingleItemW
wmi.dll.WmiSetSingleInstanceW
wmi.dll.WmiExecuteMethodW
wmi.dll.WmiNotificationRegistrationW
wmi.dll.WmiMofEnumerateResourcesW
wmi.dll.WmiFileHandleToInstanceNameW
wmi.dll.WmiDevInstToInstanceNameW
wmi.dll.WmiQueryGuidInformation
wmi.dll.WmiOpenBlock
wmi.dll.WmiCloseBlock
wmi.dll.WmiFreeBuffer
wmi.dll.WmiEnumerateGuids
oleaut32.dll.#8
oleaut32.dll.#9
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

BinGraph

PE Information

Image Base 0x00400000
Entry Point 0x004014e0
Reported Checksum 0x00012d9a
Actual Checksum 0x00012d9a
Minimum OS Version 4.0
Compile Time 2016-08-27 11:37:13
Import Hash 5fd4caa76ea3c961f2d530674634f64d
Icon
Icon Exact Hash 66ca2c511eec61a6998ce35c0ffc6e7f
Icon Similarity Hash b7d6aa08bca775a10218eef9e5325e51

Version Infos

LegalCopyright
InternalName
FileVersion
CompanyName
LegalTrademarks
ProductName Paranoid Fish
ProductVersion
FileDescription Paranoid Fish is paranoid
OriginalFilename
Translation 0x0409 0x04e4

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00004f04 0x00005000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_16BYTES 5.84
.data 0x00006000 0x00000030 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.52
.rdata 0x00007000 0x000032b8 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES 5.84
.bss 0x0000b000 0x00000400 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 0.00
.idata 0x0000c000 0x00000d24 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 4.76
.CRT 0x0000d000 0x00000034 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.27
.tls 0x0000e000 0x00000020 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.20
.rsrc 0x0000f000 0x00008ef0 0x00009000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 7.85

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00017a10 0x000001f1 LANG_ENGLISH SUBLANG_ENGLISH_US 7.42 PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
RT_ICON 0x00017a10 0x000001f1 LANG_ENGLISH SUBLANG_ENGLISH_US 7.42 PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
RT_ICON 0x00017a10 0x000001f1 LANG_ENGLISH SUBLANG_ENGLISH_US 7.42 PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
RT_ICON 0x00017a10 0x000001f1 LANG_ENGLISH SUBLANG_ENGLISH_US 7.42 PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
RT_ICON 0x00017a10 0x000001f1 LANG_ENGLISH SUBLANG_ENGLISH_US 7.42 PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
RT_ICON 0x00017a10 0x000001f1 LANG_ENGLISH SUBLANG_ENGLISH_US 7.42 PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON 0x00017c08 0x0000005a LANG_ENGLISH SUBLANG_ENGLISH_US 2.99 data
RT_VERSION 0x00017c68 0x00000288 LANG_ENGLISH SUBLANG_ENGLISH_US 3.14 data

Imports

Library ADVAPI32.dll:
0x40c2a8 GetUserNameA
0x40c2ac RegCloseKey
0x40c2b0 RegOpenKeyExA
0x40c2b4 RegQueryValueExA
Library IPHLPAPI.DLL:
Library KERNEL32.dll:
0x40c2c4 CloseHandle
0x40c2c8 CreateFileA
0x40c2cc CreateProcessA
0x40c2d8 DeleteFileW
0x40c2dc DeviceIoControl
0x40c2e8 GetCurrentProcess
0x40c2ec GetCurrentProcessId
0x40c2f0 GetCurrentThreadId
0x40c2f4 GetDiskFreeSpaceExA
0x40c2f8 GetDriveTypeA
0x40c2fc GetFileAttributesA
0x40c300 GetLastError
0x40c308 GetModuleFileNameA
0x40c30c GetModuleHandleA
0x40c310 GetProcAddress
0x40c314 GetStartupInfoA
0x40c318 GetStdHandle
0x40c31c GetSystemInfo
0x40c324 GetTickCount
0x40c328 GetVersionExA
0x40c334 IsDebuggerPresent
0x40c33c LocalAlloc
0x40c340 LocalFree
0x40c344 OutputDebugStringA
0x40c348 Process32First
0x40c34c Process32Next
0x40c358 SetLastError
0x40c360 Sleep
0x40c364 TerminateProcess
0x40c368 TlsGetValue
0x40c370 VirtualProtect
0x40c374 VirtualQuery
0x40c378 lstrcmpiA
Library MPR.DLL:
Library msvcrt.dll:
0x40c388 __dllonexit
0x40c38c __getmainargs
0x40c390 __initenv
0x40c394 __lconv_init
0x40c398 __set_app_type
0x40c39c __setusermatherr
0x40c3a0 _acmdln
0x40c3a4 _amsg_exit
0x40c3a8 _cexit
0x40c3ac _fmode
0x40c3b0 _initterm
0x40c3b4 _iob
0x40c3b8 _lock
0x40c3bc _onexit
0x40c3c0 calloc
0x40c3c4 exit
0x40c3c8 fclose
0x40c3cc fopen
0x40c3d0 fprintf
0x40c3d4 fputs
0x40c3d8 free
0x40c3dc fwrite
0x40c3e0 getchar
0x40c3e4 malloc
0x40c3e8 mbstowcs
0x40c3ec memcmp
0x40c3f0 memcpy
0x40c3f4 printf
0x40c3f8 puts
0x40c3fc signal
0x40c400 sprintf
0x40c404 strlen
0x40c408 strncat
0x40c40c strncmp
0x40c410 strncpy
0x40c414 strstr
0x40c418 _unlock
0x40c41c abort
0x40c420 toupper
0x40c424 vfprintf
0x40c428 wcsstr
0x40c42c _vsnprintf
Library ole32.dll:
0x40c434 CoCreateInstance
0x40c438 CoInitializeEx
0x40c440 CoUninitialize
Library OLEAUT32.dll:
0x40c448 SysAllocString
0x40c44c SysFreeString
Library SHELL32.dll:
0x40c454 ShellExecuteExW
Library USER32.dll:
0x40c45c FindWindowA
0x40c460 GetCursorPos
Library WS2_32.dll:
0x40c468 freeaddrinfo
0x40c46c getaddrinfo

.text
P`.data
.rdata
.idata
.rsrc
libgcj-16.dll
_Jv_RegisterClasses
Start
analysis-start
%lu.%lu build %lu
Windows version: %s
CPU: %s (HV: %s) %s
CPU: %s %s
Debuggers detection
hi_debugger_isdebuggerpresent
Debugger traced using IsDebuggerPresent()
Using IsDebuggerPresent()
hi_debugger_outputdebugstring
Debugger traced using OutputDebugString()
Using OutputDebugString()
CPU information based detections
hi_CPU_VM_rdtsc
CPU VM traced by checking the difference between CPU timestamp counters (rdtsc)
Checking the difference between CPU timestamp counters (rdtsc)
hi_CPU_VM_rdtsc_force_vm_exit
CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
hi_CPU_VM_hypervisor_bit
CPU VM traced by checking hypervisor bit in cpuid feature bits
Checking hypervisor bit in cpuid feature bits
hi_CPU_VM_hv_vendor_name
CPU VM traced by checking cpuid hypervisor vendor for known VM vendors
Checking cpuid hypervisor vendor for known VM vendors
Generic sandbox detection
hi_sandbox_mouse_act
Sandbox traced using mouse activity
Using mouse activity
hi_sandbox_username
Sandbox traced by checking username
Checking username
hi_sandbox_path
Sandbox traced by checking file path
Checking file path
hi_sandbox_common_names
Sandbox traced by checking common sample names in drives root
Checking common sample names in drives root
hi_sandbox_drive_size
Sandbox traced by checking disk size <= 60GB via DeviceIoControl()
Checking if disk size <= 60GB via DeviceIoControl()
hi_sandbox_drive_size2
Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()
Checking if disk size <= 60GB via GetDiskFreeSpaceExA()
hi_sandbox_sleep_gettickcount
Sandbox traced by checking if Sleep() was patched using GetTickCount()
Checking if Sleep() is patched using GetTickCount()
hi_sandbox_NumberOfProcessors_less_2_raw
Sandbox traced by checking if NumberOfProcessors is less than 2 via raw access
Checking if NumberOfProcessors is < 2 via raw access
hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo
Sandbox traced by checking if NumberOfProcessors is less than 2 via GetSystemInfo()
Checking if NumberOfProcessors is < 2 via GetSystemInfo()
hi_sandbox_pysicalmemory_less_1Gb
Sandbox traced by checking if pysical memory is less than 1Gb
Checking if pysical memory is < 1Gb
hi_sandbox_uptime
Sandbox traced by checking operating system uptime using GetTickCount()
Checking operating system uptime using GetTickCount()
hi_sandbox_IsNativeVhdBoot
Sandbox traced by checking IsNativeVhdBoot()
Checking if operating system IsNativeVhdBoot()
Hooks detection
hi_hooks_shellexecuteexw_m1
Hooks traced using ShellExecuteExW method 1
Checking function ShellExecuteExW method 1
hi_hooks_createprocessa_m1
Hooks traced using CreateProcessA method 1
Checking function CreateProcessA method 1
Sandboxie detection
hi_sandboxie
Sandboxie traced using GetModuleHandle(sbiedll.dll)
Using GetModuleHandle(sbiedll.dll)
Wine detection
hi_wine
Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll
Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll
Wine traced using Reg key HKCU\SOFTWARE\Wine
Reg key (HKCU\SOFTWARE\Wine)
VirtualBox detection
hi_virtualbox
VirtualBox traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
Scsi port->bus->target id->logical unit id-> 0 identifier
VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion")
VirtualBox traced using Reg key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions)
VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "VideoBiosVersion"
Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion")
VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\DSDT\VBOX__
Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__)
VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\FADT\VBOX__
Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__)
VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\RSDT\VBOX__
Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__)
Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*)
VirtualBox traced using Reg key HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate"
Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate")
Driver files in C:\WINDOWS\system32\drivers\VBox*
Additional system files
VirtualBox traced using MAC address starting with 08:00:27
Looking for a MAC address starting with 08:00:27
Looking for pseudo devices
VirtualBox traced using VBoxTray windows
Looking for VBoxTray windows
VirtualBox traced using its network share
Looking for VBox network share
Looking for VBox processes (vboxservice.exe, vboxtray.exe)
VirtualBox device identifiers traced using WMI
Looking for VBox devices using WMI
VMware detection
hi_vmware
VMWare traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0,1,2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier
VMware traced using Reg key HKLM\SOFTWARE\VMware, Inc.\VMware Tools
Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools)
VMware traced using file C:\WINDOWS\system32\drivers\vmmouse.sys
Looking for C:\WINDOWS\system32\drivers\vmmouse.sys
VMware traced using file C:\WINDOWS\system32\drivers\vmhgfs.sys
Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys
VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56
Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56
VMware traced using network adapter name
Looking for network adapter name
VMware serial number traced using WMI
Looking for VMware serial number
Qemu detection
hi_qemu
Qemu traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
Qemu traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
Qemu traced using CPU brand string 'QEMU Virtual CPU'
cpuid CPU brand string 'QEMU Virtual CPU'
Bochs detection
hi_bochs
Bochs traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
Bochs traced using CPU AMD wrong value for processor name
cpuid AMD wrong value for processor name
Bochs traced using CPU Intel wrong value for processor name
cpuid Intel wrong value for processor name
Cuckoo detection
hi_cuckoo
Cuckoo hooks information structure traced in the TLS
Looking in the TLS for the hooks information structure
[-] Feel free to RE me, check log file for more information.
analysis-end
* Pafish (
Paranoid fish
Some anti(debugger/VM/sandbox) tricks
traced!
[pafish] %s
pafish.log
[*] %s ...
kernel32
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
IsWow64Process
useless
sbiedll.dll
Identifier
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
SystemBiosVersion
HARDWARE\Description\System
SOFTWARE\Oracle\VirtualBox Guest Additions
VIRTUALBOX
VideoBiosVersion
HARDWARE\ACPI\DSDT\VBOX__
HARDWARE\ACPI\FADT\VBOX__
HARDWARE\ACPI\RSDT\VBOX__
SYSTEM\ControlSet001\Services\VBoxGuest
SYSTEM\ControlSet001\Services\VBoxMouse
SYSTEM\ControlSet001\Services\VBoxService
SYSTEM\ControlSet001\Services\VBoxSF
SYSTEM\ControlSet001\Services\VBoxVideo
VirtualBox traced using Reg key HKLM\%s
06/23/99
SystemBiosDate
HARDWARE\DESCRIPTION\System
C:\WINDOWS\system32\drivers\VBoxMouse.sys
C:\WINDOWS\system32\drivers\VBoxGuest.sys
C:\WINDOWS\system32\drivers\VBoxSF.sys
C:\WINDOWS\system32\drivers\VBoxVideo.sys
VirtualBox traced using driver file %s
C:\WINDOWS\system32\vboxdisp.dll
C:\WINDOWS\system32\vboxhook.dll
C:\WINDOWS\system32\vboxmrxnp.dll
C:\WINDOWS\system32\vboxogl.dll
C:\WINDOWS\system32\vboxoglarrayspu.dll
C:\WINDOWS\system32\vboxoglcrutil.dll
C:\WINDOWS\system32\vboxoglerrorspu.dll
C:\WINDOWS\system32\vboxoglfeedbackspu.dll
C:\WINDOWS\system32\vboxoglpackspu.dll
C:\WINDOWS\system32\vboxoglpassthroughspu.dll
C:\WINDOWS\system32\vboxservice.exe
C:\WINDOWS\system32\vboxtray.exe
C:\WINDOWS\system32\VBoxControl.exe
C:\program files\oracle\virtualbox guest additions\
VirtualBox traced using system file %s
\\.\VBoxMiniRdrDN
\\.\pipe\VBoxMiniRdDN
\\.\VBoxTrayIPC
\\.\pipe\VBoxTrayIPC
VirtualBox traced using device %s
VBoxTrayToolWndClass
VBoxTrayToolWnd
VirtualBox Shared Folders
vboxservice.exe
VirtualBox traced using vboxservice.exe process
vboxtray.exe
VirtualBox traced using vboxtray.exe process
SANDBOX
VIRUS
MALWARE
\SAMPLE
\VIRUS
%ssample.exe
%smalware.exe
\\.\PhysicalDrive0
kernel32
IsNativeVhdBoot
kernel32.dll
wine_get_unix_file_name
SOFTWARE\Wine
VMWARE
Identifier
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
SOFTWARE\VMware, Inc.\VMware Tools
C:\WINDOWS\system32\drivers\vmmouse.sys
C:\WINDOWS\system32\drivers\vmhgfs.sys
VMware
\\.\HGFS
\\.\vmci
VMWare traced using device %s
Identifier
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
SystemBiosVersion
HARDWARE\Description\System
QEMU Virtual CPU
%c%c%c%c
KVMKVMKVM
Microsoft Hv
VMwareVMware
XenVMMXenVMM
prl hyperv
VBoxVBoxVBox
BOCHS
SystemBiosVersion
HARDWARE\Description\System
AMD Athlon(tm) processor
Intel(R) Pentium(R) 4 CPU
Unknown error
Argument domain error (DOMAIN)
Argument singularity (SIGN)
Overflow range error (OVERFLOW)
The result is too small to be represented (UNDERFLOW)
Total loss of significance (TLOSS)
Partial loss of significance (PLOSS)
Address %p has no image-section
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 6.1.1 20160815
GetUserNameA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
GetAdaptersAddresses
CloseHandle
CreateFileA
CreateProcessA
CreateToolhelp32Snapshot
DeleteCriticalSection
DeleteFileW
DeviceIoControl
EnterCriticalSection
GetConsoleScreenBufferInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesA
GetLastError
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetStdHandle
GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
GlobalMemoryStatusEx
InitializeCriticalSection
IsDebuggerPresent
LeaveCriticalSection
LocalAlloc
LocalFree
OutputDebugStringA
Process32First
Process32Next
QueryPerformanceCounter
SetConsoleTextAttribute
SetLastError
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
lstrcmpiA
WNetGetProviderNameA
__dllonexit
__getmainargs
__initenv
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_cexit
_fmode
_initterm
_lock
_onexit
calloc
fclose
fopen
fprintf
fputs
fwrite
getchar
malloc
mbstowcs
memcmp
memcpy
printf
signal
sprintf
strlen
strncat
strncmp
strncpy
strstr
_unlock
abort
toupper
vfprintf
wcsstr
_vsnprintf
CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CoUninitialize
SysAllocString
SysFreeString
ShellExecuteExW
FindWindowA
GetCursorPos
freeaddrinfo
getaddrinfo
ADVAPI32.dll
IPHLPAPI.DLL
KERNEL32.dll
MPR.DLL
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WS2_32.dll
DeviceId
PCI\VEN_80EE&DEV_CAFE
root\cimv2
SELECT DeviceId FROM Win32_PnPEntity
sSerialNumber
VMware
root\cimv2
SELECT SerialNumber FROM Win32_Bios
VS_VERSION_INFO
StringFileInfo
040904E4
CompanyName
FileVersion
FileDescription
Paranoid Fish is paranoid
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
Paranoid Fish
ProductVersion
VarFileInfo
Translation

VirusTotal Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
Qihoo-360 Win32/Trojan.0dd
McAfee Clean
Cylance Unsafe
Zillya Trojan.Khalesi.Win32.1493
AegisLab Trojan.Win32.Khalesi.tpxB
Sangfor Malware
CrowdStrike Clean
BitDefender Clean
K7GW Unwanted-Program ( 004d38111 )
K7AntiVirus Unwanted-Program ( 004d38111 )
Invincea heuristic
BitDefenderTheta Clean
Cyren W32/Maskit.A.gen!Eldorado
Symantec Clean
ESET-NOD32 a variant of Win32/ParanoidFish.A potentially unsafe
Baidu Clean
APEX Malicious
Avast Clean
ClamAV Clean
Kaspersky Trojan.Win32.Khalesi.oq
Alibaba Trojan:Win32/Khalesi.9e4b014c
NANO-Antivirus Trojan.Win32.Khalesi.fdxhjb
ViRobot Trojan.Win32.Z.Khalesi.76800
Rising Trojan.Khalesi!8.F103 (CLOUD)
Ad-Aware Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Trojan.Win32.Generic!BT
TrendMicro Clean
McAfee-GW-Edition Clean
Trapmine malicious.high.ml.score
FireEye Clean
Sophos Troj/AutoG-DV
SentinelOne Clean
F-Prot W32/Maskit.A.gen!Eldorado
Jiangmin Trojan.Khalesi.as
Webroot W32.Trojan.Gen
Avira Clean
MAX malware (ai score=63)
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Endgame malicious (high confidence)
Arcabit Clean
SUPERAntiSpyware Trojan.Agent/Gen-ParanoidFish
ZoneAlarm Trojan.Win32.Khalesi.oq
Avast-Mobile Clean
GData Clean
AhnLab-V3 PUP/Win32.ParanoidFish.R289290
Acronis Clean
VBA32 BScope.Trojan.Khalesi
ALYac Trojan.Khalesi.gen
TACHYON Trojan/W32.Khalesi.76800
Panda Clean
Zoner Clean
TrendMicro-HouseCall Clean
Tencent Win32.Trojan.Khalesi.Hquz
Yandex Trojan.Khalesi!
Ikarus Trojan.Win32.Khalesi
eGambit Clean
Fortinet W32/Fareit.A
AVG FileRepMalware [PUP]
Cybereason Clean
Paloalto generic.ml
MaxSecure Trojan.Malware.11782770.susgen

Process Tree


  • pafish.exe, PID: 920, Parent PID: 1980
    Full Path: C:\Users\Rebecca\AppData\Local\Temp\pafish.exe
    Command Line: "C:\Users\Rebecca\AppData\Local\Temp\pafish.exe"
  • svchost.exe, PID: 552, Parent PID: 444
    Full Path: C:\Windows\System32\svchost.exe
    Command Line: C:\Windows\system32\svchost.exe -k DcomLaunch
  • svchost.exe, PID: 3368, Parent PID: 444
    Full Path: C:\Windows\System32\svchost.exe
    Command Line: C:\Windows\system32\svchost.exe -k netsvcs
  • WmiPrvSE.exe, PID: 3724, Parent PID: 552
    Full Path: C:\Windows\System32\wbem\WmiPrvSE.exe
    Command Line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Hosts

Direct IP Country Name
Y 1.1.1.1 Australia

TCP

Source Source Port Destination Destination Port
192.168.1.3 49172 192.0.2.123 443

UDP

Source Source Port Destination Destination Port
192.168.1.3 50933 1.1.1.1 53
192.168.1.3 53111 1.1.1.1 53
192.168.1.3 56366 1.1.1.1 53
192.168.1.3 60411 1.1.1.1 53
192.168.1.3 62840 1.1.1.1 53
192.168.1.3 62988 1.1.1.1 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-02-14 15:06:25.772 192.168.1.3 49171 192.0.2.123 443 CN=localhost a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e TLS 1.2
2020-02-14 15:06:25.851 192.168.1.3 49172 192.0.2.123 443 CN=localhost a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.3 49171 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown
192.168.1.3 49172 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown
File name pafish.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
File Size 58 bytes
File Type ASCII text, with CRLF line terminators
MD5 2498aa8594578b3024d201e4a6215fd8
SHA1 19145b1afc173f3c2f23b46b85f24c81612e4a7b
SHA256 391e8e82927160795fcbf13b18a16e2e0fcf95dc89686415f48b2f70acc1c2fa
CRC32 F6E8588A
Ssdeep 3:tuDqF2iev+MXqFyKMyLKO9x6U:tueRevL6NM2KOX/
ClamAV None
Yara None matched
CAPE Yara None matched
[pafish] Start
[pafish] Windows version: 6.1 build 7601

File name pafish.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
File Size 16 bytes
File Type ASCII text, with CRLF line terminators
MD5 e8136b3426aeb7ab0dfee03dc5c99edc
SHA1 bfa28abc7d43bd3674c498bcde12534cc2f7da14
SHA256 106a0427f1700dd692c87477ee714f12e6cd0b35408307f05552a65eda46e721
CRC32 6149EF81
Ssdeep 3:tuDqF2iB:tueRB
ClamAV None
Yara None matched
CAPE Yara None matched
[pafish] Start

File name pafish.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
File Size 240 bytes
File Type ASCII text, with CRLF line terminators
MD5 2f251b205ef81a906761bf683fb13763
SHA1 00bcc13c6826f42a56921ca74bf37a46b93f6123
SHA256 026000fd89c44ec5bdbbc8db9b4968b2dd35f58bd78206795d9968cf0c0108bd
CRC32 FD9E2972
Ssdeep 6:tueRevL6NM2KOXrOXNlHMYDkfSv+81+DeO0gLLCmF:tx4D6aBO7OXfsPqMeO0gLLCmF
ClamAV None
Yara None matched
CAPE Yara None matched
[pafish] Start
[pafish] Windows version: 6.1 build 7601
[pafish] CPU: GenuineIntel Intel(R) Core(TM)2 Duo CPU     T7700  @ 2.40GHz
[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit

File name pafish.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
File Size 134 bytes
File Type ASCII text, with CRLF line terminators
MD5 720be7afb64c04328ad4bbd2412f12da
SHA1 673eabe90f7b72561fcdde936317f72f3fe4f5ca
SHA256 0e1bfeff755c90d62581918a6a15f419ccb44fc07cd62e18f7b4c95267731ff9
CRC32 66634B8C
Ssdeep 3:tuDqF2iev+MXqFyKMyLKO9x6AmqFm8jGXsaJlEuI1w/RKn:tueRevL6NM2KOXrOXNlHE
ClamAV None
Yara None matched
CAPE Yara None matched
[pafish] Start
[pafish] Windows version: 6.1 build 7601
[pafish] CPU: GenuineIntel Intel(R) Core(TM)2 Duo CPU     T7700  @ 2.40GHz

File name pafish.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
File Size 254 bytes
File Type ASCII text, with CRLF line terminators
MD5 b4e9633d7ce6d02a221616370e4c1b72
SHA1 2c214ab6e902b7f49a7276b6ac33da47e2bef213
SHA256 9d9f32cf652bc4a0f9cf04ad7f0105e81a7771fdab917573b7fe464f88f91bbd
CRC32 5718EDA1
Ssdeep 6:tueRevL6NM2KOXrOXNlHMYDkfSv+81+DeO0gLLCmc+uD6AB:tx4D6aBO7OXfsPqMeO0gLLCm2D6k
ClamAV None
Yara None matched
CAPE Yara None matched
[pafish] Start
[pafish] Windows version: 6.1 build 7601
[pafish] CPU: GenuineIntel Intel(R) Core(TM)2 Duo CPU     T7700  @ 2.40GHz
[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
[pafish] End

File name hi_CPU_VM_rdtsc_force_vm_exit
Associated Filenames
C:\Users\Rebecca\AppData\Local\Temp\hi_CPU_VM_rdtsc_force_vm_exit
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Process Name pafish.exe
PID 920
Dump Size 77824 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\pafish.exe
Type PE image: 32-bit executable
MD5 f5470c3e0807bd8f20a96d4dee3953c9
SHA1 f43f81688948548f7007e10709e17f7ed28bf36a
SHA256 b55e8de1818948f019ce8afa473e4bb0297396b058560c37126673e6e753af30
CRC32 4D1EA96E
Ssdeep 1536:CI05L48IVDAQRzepJyrOM1GhFNkYL2BxNRj:CI05LBIDAqz4yrOMGTkrNRj
ClamAV None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
CAPE Yara None matched
Dump Filename b55e8de1818948f019ce8afa473e4bb0297396b058560c37126673e6e753af30

Defense Evasion Discovery
  • T1045 - Software Packing
    • Signature - packer_entropy
  • T1083 - File and Directory Discovery
    • Signature - antisandbox_joe_anubis_files
  • T1057 - Process Discovery
    • Signature - antiemu_wine_reg
  • T1012 - Query Registry
    • Signature - antivm_generic_bios

    Processing ( 9.234 seconds )

    • 5.132 Suricata
    • 0.943 Deduplicate
    • 0.92 BehaviorAnalysis
    • 0.762 CAPE
    • 0.411 Static
    • 0.312 peid
    • 0.22 VirusTotal
    • 0.165 NetworkAnalysis
    • 0.119 Dropped
    • 0.095 TargetInfo
    • 0.089 ProcDump
    • 0.063 AnalysisInfo
    • 0.002 Debug
    • 0.001 Strings

    Signatures ( 0.543 seconds )

    • 0.086 antiav_detectreg
    • 0.047 api_spamming
    • 0.045 stealth_timeout
    • 0.038 NewtWire Behavior
    • 0.037 decoy_document
    • 0.033 infostealer_ftp
    • 0.018 antianalysis_detectreg
    • 0.017 infostealer_im
    • 0.015 mimics_filetime
    • 0.013 stealth_file
    • 0.013 reads_self
    • 0.012 bootkit
    • 0.012 virus
    • 0.01 antivm_generic_scsi
    • 0.009 hancitor_behavior
    • 0.008 ransomware_files
    • 0.007 Doppelganging
    • 0.007 PlugX
    • 0.006 infostealer_mail
    • 0.005 infostealer_browser
    • 0.005 antivm_generic_services
    • 0.005 antiav_detectfile
    • 0.004 recon_programs
    • 0.004 injection_createremotethread
    • 0.004 InjectionCreateRemoteThread
    • 0.004 antivm_parallels_keys
    • 0.004 antivm_xen_keys
    • 0.004 masquerade_process_name
    • 0.004 ransomware_extensions
    • 0.003 injection_runpe
    • 0.003 InjectionProcessHollowing
    • 0.003 Extraction
    • 0.003 infostealer_browser_password
    • 0.003 antivm_generic_diskreg
    • 0.003 antivm_vpc_keys
    • 0.003 infostealer_bitcoin
    • 0.002 malicious_dynamic_function_loading
    • 0.002 uac_bypass_eventvwr
    • 0.002 InjectionInterProcess
    • 0.002 antidebug_guardpages
    • 0.002 exploit_heapspray
    • 0.002 injection_rwx
    • 0.002 dynamic_function_loading
    • 0.002 persistence_autorun
    • 0.002 kovter_behavior
    • 0.002 antivm_vbox_files
    • 0.002 geodo_banking_trojan
    • 0.001 tinba_behavior
    • 0.001 antivm_vbox_libs
    • 0.001 antiav_avast_libs
    • 0.001 office_flash_load
    • 0.001 stack_pivot
    • 0.001 exploit_getbasekerneladdress
    • 0.001 betabot_behavior
    • 0.001 exploit_gethaldispatchtable
    • 0.001 antisandbox_sunbelt_libs
    • 0.001 ipc_namedpipe
    • 0.001 kibex_behavior
    • 0.001 shifu_behavior
    • 0.001 antidbg_windows
    • 0.001 antianalysis_detectfile
    • 0.001 antivm_xen_keys
    • 0.001 antivm_generic_system
    • 0.001 antivm_hyperv_keys
    • 0.001 ketrican_regkeys
    • 0.001 browser_security
    • 0.001 bypass_firewall
    • 0.001 darkcomet_regkeys
    • 0.001 disables_browser_warn
    • 0.001 limerat_regkeys
    • 0.001 recon_fingerprint

    Reporting ( 6.223 seconds )

    • 2.779 BinGraph
    • 2.121 MaecReport
    • 1.299 JsonDump
    • 0.024 MITRE_TTPS
    Task ID 12809
    Mongo ID 5e46b85bc3436de9e0667412
    Cuckoo release 1.3-CAPE