Analysis

Category FILE
Package exe
Started 2020-02-14 16:27:05
Completed 2020-02-14 16:28:33
Duration 88 seconds
Options
route = inetsim
procdump = 1
Log
2020-02-14 17:27:22,000 [root] INFO: Date set to: 02-14-20, time set to: 16:27:22, timeout set to: 200
2020-02-14 17:27:22,046 [root] DEBUG: Starting analyzer from: C:\ducszt
2020-02-14 17:27:22,046 [root] DEBUG: Storing results at: C:\scKNLjXN
2020-02-14 17:27:22,046 [root] DEBUG: Pipe server name: \\.\PIPE\IlyMllO
2020-02-14 17:27:22,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-14 17:27:22,046 [root] INFO: Automatically selected analysis package "exe"
2020-02-14 17:27:23,015 [root] DEBUG: Started auxiliary module Browser
2020-02-14 17:27:23,015 [root] DEBUG: Started auxiliary module Curtain
2020-02-14 17:27:23,015 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-02-14 17:27:29,280 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2020-02-14 17:27:29,280 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-02-14 17:27:29,280 [root] DEBUG: Started auxiliary module DigiSig
2020-02-14 17:27:29,280 [root] DEBUG: Started auxiliary module Disguise
2020-02-14 17:27:29,280 [root] DEBUG: Started auxiliary module Human
2020-02-14 17:27:29,280 [root] DEBUG: Started auxiliary module Screenshots
2020-02-14 17:27:29,280 [root] DEBUG: Started auxiliary module Sysmon
2020-02-14 17:27:29,280 [root] DEBUG: Started auxiliary module Usage
2020-02-14 17:27:29,280 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-02-14 17:27:29,296 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-02-14 17:27:30,812 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\lo3maQquywTQrbs.exe" with arguments "" with pid 692
2020-02-14 17:27:32,655 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 17:27:32,655 [lib.api.process] INFO: 32-bit DLL to inject is C:\ducszt\dll\vxkZBMk.dll, loader C:\ducszt\bin\JAPgaJD.exe
2020-02-14 17:27:33,296 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\IlyMllO.
2020-02-14 17:27:33,296 [root] DEBUG: Loader: Injecting process 692 (thread 1876) with C:\ducszt\dll\vxkZBMk.dll.
2020-02-14 17:27:33,296 [root] DEBUG: Process image base: 0x00400000
2020-02-14 17:27:33,296 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ducszt\dll\vxkZBMk.dll.
2020-02-14 17:27:33,296 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 17:27:33,296 [root] DEBUG: Successfully injected DLL C:\ducszt\dll\vxkZBMk.dll.
2020-02-14 17:27:33,296 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 692
2020-02-14 17:27:35,296 [lib.api.process] INFO: Successfully resumed process with pid 692
2020-02-14 17:27:35,296 [root] INFO: Added new process to list with pid: 692
2020-02-14 17:27:35,703 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 17:27:35,703 [root] DEBUG: Process dumps enabled.
2020-02-14 17:27:35,828 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 17:27:35,828 [root] INFO: Disabling sleep skipping.
2020-02-14 17:27:35,828 [root] INFO: Disabling sleep skipping.
2020-02-14 17:27:35,828 [root] INFO: Disabling sleep skipping.
2020-02-14 17:27:35,828 [root] INFO: Disabling sleep skipping.
2020-02-14 17:27:35,828 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 692 at 0x6c3b0000, image base 0x400000, stack from 0x126000-0x130000
2020-02-14 17:27:35,828 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\lo3maQquywTQrbs.exe".
2020-02-14 17:27:35,842 [root] INFO: Monitor successfully loaded in process with pid 692.
2020-02-14 17:27:35,875 [root] DEBUG: DLL loaded at 0x74AC0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-02-14 17:27:35,890 [root] DEBUG: DLL loaded at 0x72D30000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-02-14 17:27:35,937 [root] DEBUG: DLL loaded at 0x6CD80000: C:\Windows\system32\inetmib1 (0xf000 bytes).
2020-02-14 17:27:35,953 [root] DEBUG: DLL unloaded from 0x6CD80000.
2020-02-14 17:27:35,953 [root] DEBUG: DLL unloaded from 0x76E50000.
2020-02-14 17:27:35,983 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-02-14 17:27:36,000 [root] DEBUG: DLL loaded at 0x737B0000: C:\Windows\system32\propsys (0xf5000 bytes).
2020-02-14 17:27:36,000 [root] DEBUG: DLL loaded at 0x73760000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-02-14 17:27:36,000 [root] DEBUG: DLL loaded at 0x76FC0000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-02-14 17:27:36,015 [root] DEBUG: DLL unloaded from 0x75130000.
2020-02-14 17:27:36,092 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\system32\SETUPAPI (0x19d000 bytes).
2020-02-14 17:27:36,092 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-02-14 17:27:36,108 [root] DEBUG: DLL loaded at 0x74DA0000: C:\Windows\system32\DEVOBJ (0x12000 bytes).
2020-02-14 17:27:36,108 [root] DEBUG: DLL loaded at 0x74590000: C:\Windows\system32\cryptsp (0x17000 bytes).
2020-02-14 17:27:36,108 [root] DEBUG: DLL loaded at 0x736A0000: C:\Windows\system32\UxTheme (0x40000 bytes).
2020-02-14 17:27:36,125 [root] DEBUG: DLL loaded at 0x74260000: C:\Windows\system32\credssp (0x8000 bytes).
2020-02-14 17:27:36,125 [root] DEBUG: DLL unloaded from 0x74590000.
2020-02-14 17:27:36,125 [root] DEBUG: DLL loaded at 0x72E20000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-02-14 17:27:36,140 [root] DEBUG: DLL loaded at 0x74550000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-02-14 17:27:36,140 [root] DEBUG: DLL unloaded from 0x76200000.
2020-02-14 17:27:36,140 [root] DEBUG: DLL loaded at 0x740F0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-02-14 17:27:36,140 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-02-14 17:27:36,155 [root] DEBUG: DLL loaded at 0x74410000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-02-14 17:27:36,155 [root] DEBUG: DLL unloaded from 0x74410000.
2020-02-14 17:27:36,155 [root] DEBUG: DLL loaded at 0x71420000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-02-14 17:27:36,171 [root] DEBUG: DLL loaded at 0x72FC0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-02-14 17:27:41,030 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-02-14 17:27:43,015 [root] INFO: Announced 32-bit process name:  pid: 262498
2020-02-14 17:27:43,015 [lib.api.process] WARNING: The process with pid 262498 is not alive, injection aborted
2020-02-14 17:27:43,515 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 692
2020-02-14 17:27:43,515 [root] DEBUG: GetHookCallerBase: thread 1876 (handle 0x0), return address 0x00477EF3, allocation base 0x00400000.
2020-02-14 17:27:43,515 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2020-02-14 17:27:43,515 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00400000
2020-02-14 17:27:43,515 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-02-14 17:27:43,515 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00400000.
2020-02-14 17:27:43,562 [root] INFO: Added new CAPE file to list with path: C:\scKNLjXN\CAPE\692_15439811224372114522020
2020-02-14 17:27:43,562 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x10fc00.
2020-02-14 17:27:43,578 [root] DEBUG: DLL unloaded from 0x737B0000.
2020-02-14 17:27:43,578 [root] DEBUG: DLL unloaded from 0x74260000.
2020-02-14 17:27:43,578 [root] DEBUG: DLL unloaded from 0x73760000.
2020-02-14 17:27:43,578 [root] INFO: Notified of termination of process with pid 692.
2020-02-14 17:28:03,608 [root] INFO: Process list is empty, terminating analysis.
2020-02-14 17:28:04,608 [root] INFO: Created shutdown mutex.
2020-02-14 17:28:05,625 [root] INFO: Shutting down package.
2020-02-14 17:28:05,625 [root] INFO: Stopping auxiliary modules.
2020-02-14 17:28:06,358 [root] INFO: Finishing auxiliary modules.
2020-02-14 17:28:06,358 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-14 17:28:06,358 [root] WARNING: File at path "C:\scKNLjXN\debugger" does not exist, skip.
2020-02-14 17:28:06,358 [root] WARNING: Monitor injection attempted but failed for process 262498.
2020-02-14 17:28:06,358 [root] INFO: Analysis completed.

MalScore

10.0

Downer

Machine

Name win7_3
Label win7_3
Manager KVM
Started On 2020-02-14 16:27:05
Shutdown On 2020-02-14 16:28:31

File Details

File Name 876F9CE62B25334829E914C45DA763849992DC02BF455F0A9F7480CCA3D2138A
File Size 1121488 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 02d14d0c82176522e6b00c49fd65c72d
SHA1 658805cd2421b9a419f5d6f4e02f2f88a667c9ec
SHA256 876f9ce62b25334829e914c45da763849992dc02bf455f0a9f7480cca3d2138a
SHA512 4d994f342fb136ca5e88a64cbfc45fe850a8af8e4c59d06279eb3fdc5d2115e161a54efdc2600514a1c2e120e25c693ba312b816b631c1706205c406102c2c61
CRC32 7941DA91
Ssdeep 24576:SnQ6HlJWhy5nT2ETfDf8xVprskywXHgwpSBCyWqBZClB4dN:Snrlz5nPjDSVJsk3XHR4MGZCl2dN
TrID None matched
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Attempts to connect to a dead IP:Port (1 unique times)
IP: 192.0.2.123:80
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 692 trigged the Yara rule 'vmdetect'
Presents an Authenticode digital signature
md5_fingerprint: 6a8c3013294926b9074b017c1fd5cdba
cn: Beijing Yundongshidai Network Technology Co.,Ltd/ST=北京
sha1_fingerprint: cbb30d7d10291559dc6cf18e9c9b1481bf96f3a8
sn: 54259649863439552958416474110402396205
Possible date expiration check, exits too soon after checking local time
process: lo3maQquywTQrbs.exe, PID 692
Dynamic (imported) function loading detected
DynamicLoader: USER32.dll/GetNextDlgTabItem
DynamicLoader: USER32.dll/SetActiveWindow
DynamicLoader: USER32.dll/UnhookWindowsHookEx
DynamicLoader: USER32.dll/GetDlgCtrlID
DynamicLoader: USER32.dll/IsDialogMessageW
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/GetMessagePos
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/IsMenu
DynamicLoader: USER32.dll/IsChild
DynamicLoader: USER32.dll/BeginDeferWindowPos
DynamicLoader: USER32.dll/DeferWindowPos
DynamicLoader: USER32.dll/EndDeferWindowPos
DynamicLoader: USER32.dll/GetCapture
DynamicLoader: USER32.dll/SetMenu
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/ValidateRect
DynamicLoader: USER32.dll/RedrawWindow
DynamicLoader: USER32.dll/GetScrollPos
DynamicLoader: USER32.dll/RemovePropW
DynamicLoader: USER32.dll/CopyRect
DynamicLoader: USER32.dll/GetClassLongW
DynamicLoader: USER32.dll/GetClassNameW
DynamicLoader: USER32.dll/GetTopWindow
DynamicLoader: USER32.dll/GetLastActivePopup
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: USER32.dll/CallNextHookEx
DynamicLoader: USER32.dll/WinHelpW
DynamicLoader: USER32.dll/CheckMenuItem
DynamicLoader: USER32.dll/SetMenuItemBitmaps
DynamicLoader: USER32.dll/GetMenuCheckMarkDimensions
DynamicLoader: USER32.dll/SetMenuItemInfoW
DynamicLoader: USER32.dll/KillTimer
DynamicLoader: USER32.dll/LoadBitmapW
DynamicLoader: USER32.dll/GrayStringW
DynamicLoader: USER32.dll/TabbedTextOutW
DynamicLoader: USER32.dll/GetSysColorBrush
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/RealChildWindowFromPoint
DynamicLoader: USER32.dll/CharUpperW
DynamicLoader: USER32.dll/SetTimer
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/SetWindowPos
DynamicLoader: USER32.dll/MessageBeep
DynamicLoader: USER32.dll/GetSystemMenu
DynamicLoader: USER32.dll/EnableMenuItem
DynamicLoader: USER32.dll/ModifyMenuW
DynamicLoader: USER32.dll/PtInRect
DynamicLoader: USER32.dll/IsWindowVisible
DynamicLoader: USER32.dll/InvalidateRect
DynamicLoader: USER32.dll/SetCapture
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/IsRectEmpty
DynamicLoader: USER32.dll/LoadCursorW
DynamicLoader: USER32.dll/UnionRect
DynamicLoader: USER32.dll/InflateRect
DynamicLoader: USER32.dll/SetCursor
DynamicLoader: USER32.dll/OffsetRect
DynamicLoader: USER32.dll/IntersectRect
DynamicLoader: USER32.dll/EnableWindow
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/TrackPopupMenu
DynamicLoader: USER32.dll/AppendMenuW
DynamicLoader: USER32.dll/CreatePopupMenu
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: USER32.dll/LoadIconW
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/PostQuitMessage
DynamicLoader: USER32.dll/SetWindowRgn
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/ScreenToClient
DynamicLoader: USER32.dll/IsIconic
DynamicLoader: USER32.dll/GetMessageTime
DynamicLoader: USER32.dll/GetDesktopWindow
DynamicLoader: USER32.dll/MessageBoxW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: USER32.dll/ReleaseCapture
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/SetForegroundWindow
DynamicLoader: USER32.dll/BringWindowToTop
DynamicLoader: USER32.dll/CharNextW
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/EndDialog
DynamicLoader: USER32.dll/DrawTextExW
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpSetCredentials
DynamicLoader: WINHTTP.dll/WinHttpQueryAuthSchemes
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: WINHTTP.dll/WinHttpSetStatusCallback
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpWriteData
DynamicLoader: WINHTTP.dll/WinHttpAddRequestHeaders
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeConditionVariable
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/SleepConditionVariableCS
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/WakeAllConditionVariable
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/InitOnceExecuteOnce
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/CreateSemaphoreW
DynamicLoader: kernel32.dll/CreateSemaphoreExW
DynamicLoader: kernel32.dll/CreateThreadpoolTimer
DynamicLoader: kernel32.dll/SetThreadpoolTimer
DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: kernel32.dll/CloseThreadpoolTimer
DynamicLoader: kernel32.dll/CreateThreadpoolWait
DynamicLoader: kernel32.dll/SetThreadpoolWait
DynamicLoader: kernel32.dll/CloseThreadpoolWait
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: kernel32.dll/GetCurrentProcessorNumber
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/GetFileInformationByHandleEx
DynamicLoader: kernel32.dll/SetFileInformationByHandle
DynamicLoader: kernel32.dll/GetSystemTimePreciseAsFileTime
DynamicLoader: kernel32.dll/InitializeConditionVariable
DynamicLoader: kernel32.dll/WakeConditionVariable
DynamicLoader: kernel32.dll/WakeAllConditionVariable
DynamicLoader: kernel32.dll/SleepConditionVariableCS
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/TryAcquireSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/SleepConditionVariableSRW
DynamicLoader: kernel32.dll/CreateThreadpoolWork
DynamicLoader: kernel32.dll/SubmitThreadpoolWork
DynamicLoader: kernel32.dll/CloseThreadpoolWork
DynamicLoader: kernel32.dll/CompareStringEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: inetmib1.dll/SnmpExtensionInit
DynamicLoader: inetmib1.dll/SnmpExtensionInitEx
DynamicLoader: inetmib1.dll/SnmpExtensionQuery
DynamicLoader: inetmib1.dll/SnmpExtensionTrap
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: ntdll.dll/RtlGetNtVersionNumbers
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/RtlInitUnicodeString
DynamicLoader: ntdll.dll/ZwOpenDirectoryObject
DynamicLoader: ntdll.dll/ZwQueryDirectoryObject
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetSystemFirmwareTable
DynamicLoader: kernel32.dll/EnumSystemFirmwareTables
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: COMCTL32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: kernel32.dll/GetModuleHandleExW
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: SHELL32.dll/InitNetworkAddressControl
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: USER32.dll/SwitchToThisWindow
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: COMCTL32.dll/
HTTP traffic contains suspicious features which may be indicative of malware related traffic
post_no_referer: HTTP traffic contains a POST request with no referer header
suspicious_request: http://s.symcd.com/
suspicious_request: http://s.symcb.com/pca3-g5.crl
suspicious_request: http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCECjSB0ghyLvdOxWMHxDmgC0%3D
suspicious_request: http://sw.symcd.com/
suspicious_request: http://sw.symcb.com/sw.crl
suspicious_request: http://api.downerapi.com/newerror?step=0&theme=-1&softid=&webid=&channelid=&error=1&errorcode=1&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0
suspicious_request: http://api.downerapi.com/newxml/34?winver=6.1&sdsoft=0&webid=34&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36831
suspicious_request: http://api.downerapi.com/newxml/38?winver=6.1&sdsoft=0&webid=38&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36835
suspicious_request: http://api.downerapi.com/newerror?step=0&theme=-1&softid=5&webid=38&channelid=&error=6&errorcode=6&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Performs some HTTP requests
url: http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D
url: http://s.symcd.com/
url: http://s.symcb.com/pca3-g5.crl
url: http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCECjSB0ghyLvdOxWMHxDmgC0%3D
url: http://sw.symcd.com/
url: http://sw.symcb.com/sw.crl
url: http://api.downerapi.com/newerror?step=0&theme=-1&softid=&webid=&channelid=&error=1&errorcode=1&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0
url: http://api.downerapi.com/newxml/34?winver=6.1&sdsoft=0&webid=34&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36831
url: http://api.downerapi.com/newxml/38?winver=6.1&sdsoft=0&webid=38&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36835
url: http://api.downerapi.com/newerror?step=0&theme=-1&softid=5&webid=38&channelid=&error=6&errorcode=6&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0
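The request list above mixes two kinds of traffic. The symcd.com and symcb.com URLs are Authenticode revocation checks: Windows issues OCSP and CRL requests to the signer's responders when it validates a signed binary, and the long base64 path on s.symcd.com is an RFC 6960 OCSP GET request. The bare "http://s.symcd.com/" and "http://sw.symcd.com/" entries are most plausibly OCSP POSTs (request in the body, so nothing shows in the URL), which would also explain the "POST with no referer" hit. Only api.downerapi.com is the sample's own check-in: it reports the OS version, its own version (3.6.6.20), the file name it runs under, and a 32-hex-digit machine identifier (mac=, repeated as user= in the error beacon) that makes a good per-victim pivot. Note that the sandbox answered DNS from 192.0.2.0/24 (see the DNS table below), so the revocation responses the sample received were fake and say nothing about the certificate's real status. The script below is an added example, not part of the sandbox output: it classifies the URLs by host, parses the beacon parameters, and decodes the OCSP request so the issuer key hash and serial can be compared against the CA that pca3-g5.crl belongs to. The host lists, function names and field names are mine; the URLs are copied from the report.

```python
"""Triage of the HTTP requests listed in the report above (added example)."""
import base64
from urllib.parse import parse_qs, unquote, urlsplit

# URLs copied from the "Performs some HTTP requests" list above.
REPORT_URLS = [
    "http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D",
    "http://s.symcb.com/pca3-g5.crl",
    "http://sw.symcb.com/sw.crl",
    "http://api.downerapi.com/newxml/34?winver=6.1&sdsoft=0&webid=34&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36831",
    "http://api.downerapi.com/newerror?step=0&theme=-1&softid=5&webid=38&channelid=&error=6&errorcode=6&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0",
]

SHA1_OID = bytes.fromhex("2b0e03021a")          # 1.3.14.3.2.26
REVOCATION_HOSTS = ("symcd.com", "symcb.com")   # Symantec/VeriSign OCSP and CRL hosts (my list)
BEACON_HOST = "api.downerapi.com"


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_ocsp_get(url):
    """Decode an RFC 6960 OCSP GET request: base64(DER OCSPRequest) in the URL path.

    Returns the first CertID as a dict, or None when the path is not one
    (CRL fetches, the bare "/" of an OCSP POST, anything else).
    """
    try:
        der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")), validate=True)
        if not der or der[0] != 0x30:
            return None
        _, ocsp_request, _ = der_tlv(der)
        _, tbs_request = der_children(ocsp_request)[0]          # optionalSignature ignored
        # TBSRequest: skip the [0] version / [1] requestorName tags if present
        request_list = next(v for t, v in der_children(tbs_request) if t == 0x30)
        _, request = der_children(request_list)[0]
        _, cert_id = der_children(request)[0]                   # reqCert CertID
        alg, name_hash, key_hash, serial = der_children(cert_id)
        alg_oid = der_children(alg[1])[0][1]
    except (ValueError, IndexError, StopIteration):
        return None
    return {
        "hash_alg": "sha1" if alg_oid == SHA1_OID else alg_oid.hex(),
        "issuer_name_hash": name_hash[1].hex(),
        "issuer_key_hash": key_hash[1].hex(),
        "serial": serial[1].hex(),
    }


def classify(url):
    """Label one report URL as revocation-ocsp, revocation-crl, beacon or other."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if any(host == h or host.endswith("." + h) for h in REVOCATION_HOSTS):
        if parts.path.lower().endswith(".crl"):
            return {"kind": "revocation-crl", "host": host, "crl": parts.path.lstrip("/")}
        return {"kind": "revocation-ocsp", "host": host, "cert_id": decode_ocsp_get(url)}
    if host == BEACON_HOST:
        q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
        return {
            "kind": "beacon", "host": host, "endpoint": parts.path,
            # 32 hex digits (MD5 length); how it is derived is not shown in the report
            "machine_id": q.get("mac") or q.get("user"),
            "version": q.get("ver"), "filename": q.get("filename"),
            "error": q.get("errorcode"),
        }
    return {"kind": "other", "host": host}


def triage(urls):
    """Classify every URL; the beacon entries are what a network rule should key on."""
    return [classify(u) for u in urls]


if __name__ == "__main__":
    for entry in triage(REPORT_URLS):
        print(entry)
```

Decoding the OCSP GET turns an opaque base64 blob into the issuer name hash, issuer key hash and serial of the certificate being checked, which is enough to tell whether the lookup concerns the sample's own code-signing chain or something else the process loaded.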
Unconventional binary language: Chinese (Simplified)
Unconventional language used in binary resources: Chinese (Simplified)
The binary contains an unknown PE section name indicative of packing
unknown section: name: PNG0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x0011f000
unknown section: name: PNG1, entropy: 7.89, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00108e00, virtual_size: 0x00109000
The binary likely contains encrypted or compressed data.
section: name: PNG1, entropy: 7.89, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00108e00, virtual_size: 0x00109000
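The two section lines above describe a classic two-stage packer layout. PNG0 has no bytes on disk (raw_size 0) but reserves about 1.1 MB of readable, writable and executable memory: a landing zone for code that is decompressed at run time. PNG1 is about 1.03 MB at entropy 7.89 bits per byte, close to the 8.0 ceiling, which is what compressed or encrypted payload looks like, and it too is marked RWX. Neither name is one a stock linker emits. The script below is an added example, not part of the sandbox output: it scores section records against those three checks and provides an entropy routine for when the bytes are available. The IMAGE_SCN_* values are the winnt.h constants; the thresholds (7.0 bits, 64 KiB), the KNOWN_NAMES list and the .text baseline row are my own, and the PNG0/PNG1 rows are constructed from the numbers in the report.

```python
"""Section-table triage for the packer indicators in the report above (added example)."""
import math
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics flags (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

# Names a stock MSVC/MinGW link produces (my list); anything else deserves a look.
KNOWN_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
               ".pdata", ".tls", ".bss", ".CRT", ".gfids", ".didat"}
HIGH_ENTROPY = 7.0          # bits per byte; heuristic threshold
MIN_LANDING_ZONE = 0x10000  # 64 KiB; heuristic threshold


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_section(sec):
    """Return finding strings for one section record.

    Keys: name, characteristics, raw_size, virtual_size, entropy. The entropy
    comes from the record so no disk bytes are needed here; compute it with
    shannon_entropy() when you have them.
    """
    findings = []
    ch = sec["characteristics"]
    executable = bool(ch & IMAGE_SCN_MEM_EXECUTE)
    if sec["name"] not in KNOWN_NAMES:
        findings.append("non-standard section name")
    if (ch & RWX) == RWX:
        findings.append("RWX section")
    if sec["raw_size"] == 0 and sec["virtual_size"] >= MIN_LANDING_ZONE and executable:
        findings.append("empty-on-disk executable region (unpacking target)")
    if sec["entropy"] >= HIGH_ENTROPY and executable:
        findings.append("high-entropy executable section (packed payload)")
    return findings


def triage_sections(sections):
    return {s["name"]: triage_section(s) for s in sections}


def packer_layout(sections):
    """True when an empty RWX landing zone and a high-entropy payload both exist."""
    results = triage_sections(sections)
    has_target = any("unpacking target" in f for fs in results.values() for f in fs)
    has_payload = any("packed payload" in f for fs in results.values() for f in fs)
    return has_target and has_payload


# PNG0/PNG1 constructed from the report's section lines; .text is an invented baseline.
REPORT_SECTIONS = [
    {"name": "PNG0", "entropy": 0.00,
     "characteristics": IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX,
     "raw_size": 0x0, "virtual_size": 0x11f000},
    {"name": "PNG1", "entropy": 7.89,
     "characteristics": IMAGE_SCN_CNT_INITIALIZED_DATA | RWX,
     "raw_size": 0x108e00, "virtual_size": 0x109000},
    {"name": ".text", "entropy": 6.2,
     "characteristics": IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
     "raw_size": 0x4000, "virtual_size": 0x3f80},
]

if __name__ == "__main__":
    for name, findings in triage_sections(REPORT_SECTIONS).items():
        print(f"{name:6} {', '.join(findings) or 'nothing notable'}")
    print("packer layout:", packer_layout(REPORT_SECTIONS))
```

The useful output is the combination, not any single flag: one RWX section appears in plenty of legitimate installers, but an empty executable region sized larger than a neighbouring near-random section is the shape of an unpacking stub, and it tells you where to set a memory breakpoint when you want the decompressed code.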
File has been identified by 44 Antiviruses on VirusTotal as malicious
McAfee: GenericRXIN-AA!02D14D0C8217
Cylance: Unsafe
Zillya: Tool.Downer.Win32.15
SUPERAntiSpyware: PUP.Bundler/Variant
K7AntiVirus: Riskware ( 00544e421 )
Alibaba: AdWare:Win32/Downer.e0fdd2c5
K7GW: Riskware ( 00544e421 )
Invincea: heuristic
Cyren: W32/Trojan.DVFA-2441
APEX: Malicious
Paloalto: generic.ml
Kaspersky: not-a-virus:HEUR:AdWare.Win32.Downer.gen
BitDefender: Gen:Variant.Razy.558009
NANO-Antivirus: Riskware.Win32.Downer.gaeela
ViRobot: Adware.Downer.1121488.A
Tencent: Malware.Win32.Gencirc.10b0c464
Emsisoft: Gen:Variant.Razy.558009 (B)
Comodo: [email protected]#2owfm78n1l68k
F-Secure: Adware.ADWARE/Siggen.rguvg
DrWeb: Adware.Siggen.32918
TrendMicro: PUA.Win32.Downer.AF
McAfee-GW-Edition: GenericRXIN-AA!02D14D0C8217
FireEye: Generic.mg.02d14d0c82176522
Sophos: Generic PUA GF (PUA)
Jiangmin: AdWare.Downer.d
Webroot: W32.Adware.Gen
Avira: ADWARE/Siggen.rguvg
Antiy-AVL: Trojan/Win32.Fuerboos
Microsoft: PUA:Win32/Downer
Endgame: malicious (high confidence)
ZoneAlarm: not-a-virus:HEUR:AdWare.Win32.Downer.gen
GData: Gen:Variant.Razy.558009
AhnLab-V3: PUP/Win32.Downloader.C3168192
VBA32: Adware.Puasson
Malwarebytes: PUP.Optional.FastDownloader
ESET-NOD32: a variant of Win32/RiskWare.Downer.A
TrendMicro-HouseCall: PUA.Win32.Downer.AF
Rising: Adware.Downloader!1.BD64 (CLASSIC)
Yandex: PUA.Downer!
Ikarus: PUA.RiskWare.Downer
MaxSecure: Trojan.Malware.74558628.susgen
Fortinet: Riskware/Downer
AVG: FileRepMalware [PUP]
Panda: PUP/DownloadAssistant

Hosts

Direct  IP       Country Name
Y       1.1.1.1  Australia

DNS

Name               Response        Post-Analysis Lookup
s.symcd.com        A 192.0.2.123   23.37.43.27
s.symcb.com        -               93.184.220.29
sw.symcd.com       -               23.37.43.27
sw.symcb.com       -               93.184.220.29
api.downerapi.com  -               47.94.215.175

Summary

Files accessed

C:\Windows\WindowsShell.Manifest
C:\Users\Rebecca\AppData\Local\Temp\OLEACCRC.DLL
C:\Windows\System32\oleaccrc.dll
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\ext-ms-win-kernel32-package-current-l1-1-0.DLL
\??\PhysicalDrive0
\??\PhysicalDrive1
\??\PhysicalDrive2
\??\PhysicalDrive3
\??\PhysicalDrive4
\??\PhysicalDrive5
\??\PhysicalDrive6
\??\PhysicalDrive7
\??\PhysicalDrive8
\??\PhysicalDrive9
\??\PhysicalDrive10
\??\PhysicalDrive11
\??\PhysicalDrive12
\??\PhysicalDrive13
\??\PhysicalDrive14
\??\PhysicalDrive15
C:\
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Users\Rebecca\Desktop
C:\Windows\System32\shell32.dll
C:\Users
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Caches
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db
C:\Users\desktop.ini
C:\Users\Rebecca
C:\Users\Rebecca\Desktop\desktop.ini
C:\Users\Rebecca\UIDowner
C:\Users\Rebecca\AppData\Local\Temp\iMsCKNwQx7jq2dhF
C:\Users\Rebecca\AppData\Local\Temp\lo3maQquywTQrbs.exe.3.Manifest
C:\Windows\Fonts\staticcache.dat
\??\MountPointManager
C:\Users\Rebecca\AppData\Local\Temp\iMsCKNwQx7jq2dhF\*.*

Files read

C:\Windows\WindowsShell.Manifest
C:\Windows\System32\oleaccrc.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\shell32.dll
C:\
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db
C:\Users\desktop.ini
C:\Users
C:\Users\Rebecca
C:\Users\Rebecca\Desktop\desktop.ini
C:\Users\Rebecca\AppData\Local\Temp\lo3maQquywTQrbs.exe.3.Manifest
C:\Windows\Fonts\staticcache.dat
C:\Users\Rebecca\AppData\Local\Temp\iMsCKNwQx7jq2dhF
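The file and registry lists in this summary give the host-side indicators: a UIDowner folder in the user profile and a HKEY_CURRENT_USER\Software\UIDowner key with a usestime value (listed among the registry keys below), a 16-character random folder under %LOCALAPPDATA%\Temp whose contents the sample enumerates, and the api.downerapi.com lookup. The script below is an added example, not part of the sandbox output: it expresses those indicators as rules over Sysmon-style events and only alerts when a single process trips at least two of them, so an installer that merely creates its own random Temp folder does not fire. The events are constructed, not real telemetry; the SID, PIDs and file names inside the folders are invented, the field names follow Sysmon's, and the HKU\<SID> form is how HKEY_CURRENT_USER appears in Sysmon logs.

```python
"""Host-side detection for the artifacts in the report's summary (added example)."""
import re

# Sysmon event IDs
FILE_CREATE, REG_OBJECT, REG_VALUE, DNS_QUERY = 11, 12, 13, 22

# (rule name, event IDs it applies to, field to test, pattern); patterns are mine
RULES = [
    ("uidowner_registry", (REG_OBJECT, REG_VALUE), "TargetObject",
     re.compile(r"^(HKCU|HKU\\[^\\]+)\\Software\\UIDowner(\\|$)", re.I)),
    ("uidowner_profile_dir", (FILE_CREATE,), "TargetFilename",
     re.compile(r"^[A-Z]:\\Users\\[^\\]+\\UIDowner(\\|$)", re.I)),
    ("random16_temp_dir", (FILE_CREATE,), "TargetFilename",
     re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[A-Za-z0-9]{16}\\", re.I)),
    ("downerapi_dns", (DNS_QUERY,), "QueryName",
     re.compile(r"(^|\.)downerapi\.com$", re.I)),
]
ALERT_THRESHOLD = 2   # distinct rules one process must trip


def match_event(event):
    """Return the names of all rules the event satisfies, in RULES order."""
    return [name for name, ids, field, pattern in RULES
            if event.get("EventID") in ids and pattern.search(event.get(field, ""))]


def score_process(events):
    """Collect distinct rule hits per (ProcessId, Image); return those at or over threshold."""
    by_proc = {}
    for ev in events:
        key = (ev.get("ProcessId"), ev.get("Image"))
        by_proc.setdefault(key, set()).update(match_event(ev))
    return {k: sorted(v) for k, v in by_proc.items() if len(v) >= ALERT_THRESHOLD}


SAMPLE_IMAGE = r"C:\Users\Rebecca\AppData\Local\Temp\lo3maQquywTQrbs.exe"
SID = "S-1-5-21-1111-2222-3333-1001"   # invented

# Constructed events shaped after the summary; PIDs and inner file names are invented.
SAMPLE_EVENTS = [
    {"EventID": 12, "ProcessId": 4120, "Image": SAMPLE_IMAGE,
     "TargetObject": rf"HKU\{SID}\Software\UIDowner"},
    {"EventID": 13, "ProcessId": 4120, "Image": SAMPLE_IMAGE,
     "TargetObject": rf"HKU\{SID}\Software\UIDowner\usestime"},
    {"EventID": 11, "ProcessId": 4120, "Image": SAMPLE_IMAGE,
     "TargetFilename": r"C:\Users\Rebecca\AppData\Local\Temp\iMsCKNwQx7jq2dhF\config.xml"},
    {"EventID": 22, "ProcessId": 4120, "Image": SAMPLE_IMAGE,
     "QueryName": "api.downerapi.com"},
    # Benign noise: an installer making its own random Temp folder and nothing else.
    {"EventID": 11, "ProcessId": 1204, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\Rebecca\AppData\Local\Temp\AbCdEfGhIjKlMnOp\payload.msi"},
]

if __name__ == "__main__":
    for (pid, image), rules in score_process(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image} rules={rules}")
```

The UIDowner key and folder are the strong, sample-specific indicators; the random Temp folder is weak on its own and is only worth anything in combination, which is why the threshold exists.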

Registry keys and values

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\SOFTWARE
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\UIDowner
HKEY_CURRENT_USER\Software\UIDowner\usestime
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\lo3maQquywTQrbs.exe
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\lo3maQquywTQrbs.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs
HKEY_CURRENT_USER\Software\UIDowner
HKEY_CURRENT_USER\Software\UIDowner\usestime
lpk.dll.LpkEditControl
advapi32.dll.EventWrite
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegisterTraceGuidsW
api-ms-win-downlevel-advapi32-l1-1-0.dll.OpenThreadToken
api-ms-win-downlevel-advapi32-l1-1-0.dll.OpenProcessToken
api-ms-win-downlevel-advapi32-l1-1-0.dll.AllocateAndInitializeSid
api-ms-win-downlevel-advapi32-l1-1-0.dll.CheckTokenMembership
api-ms-win-downlevel-advapi32-l1-1-0.dll.FreeSid
advapi32.dll.RegisterTraceGuidsA
advapi32.dll.EventSetInformation
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
kernel32.dll.CreateMutexW
kernel32.dll.OpenMutexW
kernel32.dll.GetCommandLineW
kernel32.dll.DeleteCriticalSection
kernel32.dll.RaiseException
kernel32.dll.HeapReAlloc
kernel32.dll.HeapSize
kernel32.dll.ExitProcess
kernel32.dll.GlobalUnlock
kernel32.dll.GlobalLock
kernel32.dll.InterlockedExchange
kernel32.dll.lstrlenA
kernel32.dll.MoveFileW
kernel32.dll.GetLongPathNameW
kernel32.dll.lstrcatW
kernel32.dll.OpenMutexA
kernel32.dll.CreateDirectoryW
kernel32.dll.SetCurrentDirectoryW
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetModuleHandleA
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.SetEndOfFile
kernel32.dll.SetFilePointer
kernel32.dll.WriteFile
kernel32.dll.Sleep
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.ReadFile
kernel32.dll.QueryPerformanceFrequency
kernel32.dll.QueryPerformanceCounter
kernel32.dll.lstrcpynW
kernel32.dll.MultiByteToWideChar
kernel32.dll.GlobalFree
kernel32.dll.GlobalAlloc
kernel32.dll.WideCharToMultiByte
kernel32.dll.lstrcpyW
kernel32.dll.GetFileSize
kernel32.dll.CreateProcessW
kernel32.dll.GetDiskFreeSpaceExW
kernel32.dll.GetDriveTypeW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.GetLogicalDrives
kernel32.dll.Process32NextW
kernel32.dll.Process32FirstW
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.GetCurrentProcess
kernel32.dll.GetModuleHandleW
kernel32.dll.GetTickCount
kernel32.dll.LoadLibraryW
kernel32.dll.GetVolumeInformationA
kernel32.dll.GetEnvironmentVariableA
kernel32.dll.CloseHandle
kernel32.dll.DeviceIoControl
kernel32.dll.CreateFileW
kernel32.dll.lstrlenW
kernel32.dll.RemoveDirectoryW
kernel32.dll.FindClose
kernel32.dll.FindNextFileW
kernel32.dll.DeleteFileW
kernel32.dll.GetLastError
kernel32.dll.SetFileAttributesW
kernel32.dll.FindFirstFileW
kernel32.dll.GetFileAttributesW
kernel32.dll.GetShortPathNameW
kernel32.dll.OutputDebugStringW
kernel32.dll.OutputDebugStringA
kernel32.dll.LockResource
kernel32.dll.SizeofResource
kernel32.dll.FreeResource
kernel32.dll.LoadResource
kernel32.dll.FindResourceW
kernel32.dll.GetVersionExW
kernel32.dll.FormatMessageW
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.HeapAlloc
kernel32.dll.GetNativeSystemInfo
kernel32.dll.FreeLibrary
kernel32.dll.GetProcAddress
kernel32.dll.UnregisterWaitEx
kernel32.dll.QueryDepthSList
kernel32.dll.InterlockedPopEntrySList
kernel32.dll.ReleaseSemaphore
kernel32.dll.GetThreadTimes
kernel32.dll.UnregisterWait
kernel32.dll.RegisterWaitForSingleObject
kernel32.dll.SetThreadAffinityMask
kernel32.dll.GetProcessAffinityMask
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.DeleteTimerQueueTimer
kernel32.dll.ChangeTimerQueueTimer
kernel32.dll.CreateTimerQueueTimer
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.GetThreadPriority
kernel32.dll.SignalObjectAndWait
kernel32.dll.CreateTimerQueue
kernel32.dll.WriteConsoleW
kernel32.dll.SetStdHandle
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.GetOEMCP
kernel32.dll.IsValidCodePage
kernel32.dll.FindNextFileA
kernel32.dll.FindFirstFileExA
kernel32.dll.ReadConsoleW
kernel32.dll.SetFilePointerEx
kernel32.dll.GetTimeZoneInformation
kernel32.dll.GetFileType
kernel32.dll.EnumSystemLocalesW
kernel32.dll.IsValidLocale
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleCP
kernel32.dll.GetStdHandle
kernel32.dll.GetModuleFileNameA
kernel32.dll.HeapQueryInformation
kernel32.dll.GetModuleHandleExW
kernel32.dll.FreeLibraryAndExitThread
kernel32.dll.ExitThread
kernel32.dll.CreateThread
kernel32.dll.GetCommandLineA
kernel32.dll.VirtualQuery
kernel32.dll.GetSystemInfo
kernel32.dll.InterlockedFlushSList
kernel32.dll.InterlockedPushEntrySList
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualFree
kernel32.dll.VirtualAlloc
kernel32.dll.IsBadReadPtr
kernel32.dll.RtlUnwind
kernel32.dll.GetCPInfo
kernel32.dll.LCMapStringW
kernel32.dll.GetExitCodeThread
kernel32.dll.SwitchToThread
kernel32.dll.TryEnterCriticalSection
kernel32.dll.GetStringTypeW
kernel32.dll.InitializeSListHead
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetStartupInfoW
kernel32.dll.IsDebuggerPresent
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.TerminateProcess
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.WaitForSingleObjectEx
kernel32.dll.ResetEvent
kernel32.dll.GetUserDefaultLCID
kernel32.dll.VirtualProtect
kernel32.dll.SetLastError
kernel32.dll.SystemTimeToTzSpecificLocalTime
kernel32.dll.GetFileAttributesExW
kernel32.dll.GetACP
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.InterlockedIncrement
kernel32.dll.InterlockedDecrement
kernel32.dll.MulDiv
kernel32.dll.GetCurrentProcessId
kernel32.dll.LocalFree
kernel32.dll.SetFileTime
kernel32.dll.SystemTimeToFileTime
kernel32.dll.LocalFileTimeToFileTime
kernel32.dll.lstrcmpA
kernel32.dll.lstrcpyA
kernel32.dll.lstrcmpiW
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetSystemDirectoryW
kernel32.dll.LoadLibraryExW
kernel32.dll.GlobalDeleteAtom
kernel32.dll.lstrcmpW
kernel32.dll.GlobalAddAtomW
kernel32.dll.GlobalFindAtomW
kernel32.dll.CompareStringW
kernel32.dll.GetCurrentThread
kernel32.dll.SetErrorMode
kernel32.dll.InitializeCriticalSection
kernel32.dll.TlsAlloc
kernel32.dll.TlsGetValue
kernel32.dll.TlsSetValue
kernel32.dll.TlsFree
kernel32.dll.GlobalReAlloc
kernel32.dll.GlobalHandle
kernel32.dll.LocalAlloc
kernel32.dll.LocalReAlloc
kernel32.dll.SetEvent
kernel32.dll.CreateEventW
kernel32.dll.SetThreadPriority
kernel32.dll.GlobalFlags
kernel32.dll.GetLocaleInfoW
kernel32.dll.GetSystemDefaultUILanguage
kernel32.dll.GetUserDefaultUILanguage
kernel32.dll.GetPrivateProfileIntW
kernel32.dll.GetPrivateProfileStringW
kernel32.dll.WritePrivateProfileStringW
kernel32.dll.FileTimeToSystemTime
kernel32.dll.FlushFileBuffers
kernel32.dll.GetFullPathNameW
kernel32.dll.GetVolumeInformationW
kernel32.dll.DuplicateHandle
kernel32.dll.FileTimeToLocalFileTime
advapi32.dll.RegDeleteValueW
advapi32.dll.RegEnumKeyW
advapi32.dll.RegQueryValueW
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegFlushKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegSetValueExW
advapi32.dll.RegDeleteKeyW
advapi32.dll.RegCreateKeyExW
advapi32.dll.OpenSCManagerW
advapi32.dll.OpenServiceW
advapi32.dll.QueryServiceStatus
advapi32.dll.CloseServiceHandle
comctl32.dll._TrackMouseEvent
comctl32.dll.#17
gdi32.dll.GetTextExtentPoint32W
gdi32.dll.LineTo
gdi32.dll.RoundRect
gdi32.dll.SelectClipRgn
gdi32.dll.ExtSelectClipRgn
gdi32.dll.SetBkColor
gdi32.dll.GetCharABCWidthsW
gdi32.dll.StretchBlt
gdi32.dll.SetStretchBltMode
gdi32.dll.SetTextColor
gdi32.dll.GetObjectA
gdi32.dll.MoveToEx
gdi32.dll.TextOutW
gdi32.dll.GdiFlush
gdi32.dll.GetClipBox
gdi32.dll.CreateSolidBrush
gdi32.dll.SetBkMode
gdi32.dll.CreatePatternBrush
gdi32.dll.CreateBitmap
gdi32.dll.ExtTextOutW
gdi32.dll.Escape
gdi32.dll.PtVisible
gdi32.dll.RectVisible
gdi32.dll.CreateRectRgnIndirect
gdi32.dll.CreatePenIndirect
gdi32.dll.CombineRgn
gdi32.dll.PtInRegion
gdi32.dll.CreateRectRgn
gdi32.dll.SetWindowOrgEx
gdi32.dll.GetTextMetricsW
gdi32.dll.PlayEnhMetaFile
gdi32.dll.GetEnhMetaFileHeader
gdi32.dll.CreateEnhMetaFileW
gdi32.dll.CloseEnhMetaFile
gdi32.dll.SaveDC
gdi32.dll.RestoreDC
gdi32.dll.GetStockObject
gdi32.dll.Rectangle
gdi32.dll.RemoveFontMemResourceEx
gdi32.dll.AddFontMemResourceEx
gdi32.dll.GetDeviceCaps
gdi32.dll.CreatePen
gdi32.dll.CreateFontIndirectW
gdi32.dll.CreateDIBitmap
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.SetDIBColorTable
gdi32.dll.SelectObject
gdi32.dll.CreateDIBSection
gdi32.dll.BitBlt
gdi32.dll.CreateCompatibleDC
gdi32.dll.ScaleWindowExtEx
gdi32.dll.ScaleViewportExtEx
gdi32.dll.OffsetViewportOrgEx
gdi32.dll.SetWindowExtEx
gdi32.dll.SetViewportOrgEx
gdi32.dll.SetViewportExtEx
gdi32.dll.SetMapMode
gdi32.dll.CreateRoundRectRgn
gdi32.dll.DeleteObject
gdi32.dll.GetObjectW
gdi32.dll.DeleteDC
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipCloneImage
gdiplus.dll.GdipGetImagePaletteSize
gdiplus.dll.GdipGetImagePalette
gdiplus.dll.GdipBitmapLockBits
gdiplus.dll.GdipBitmapUnlockBits
gdiplus.dll.GdipCreateBitmapFromScan0
gdiplus.dll.GdipGetImagePixelFormat
gdiplus.dll.GdipDrawImageI
gdiplus.dll.GdipCloneBrush
gdiplus.dll.GdipDeleteBrush
gdiplus.dll.GdipCreateSolidFill
gdiplus.dll.GdipCreatePen1
gdiplus.dll.GdipDeletePen
gdiplus.dll.GdipSetPenMode
gdiplus.dll.GdipCreateBitmapFromStream
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipGetImageGraphicsContext
gdiplus.dll.GdipLoadImageFromStream
gdiplus.dll.GdipLoadImageFromStreamICM
gdiplus.dll.GdipCreateFromHDC
gdiplus.dll.GdipSetSmoothingMode
gdiplus.dll.GdipAlloc
gdiplus.dll.GdipSetTextRenderingHint
gdiplus.dll.GdipSetInterpolationMode
gdiplus.dll.GdipDrawRectangleI
gdiplus.dll.GdipFillRectangleI
gdiplus.dll.GdipFree
gdiplus.dll.GdiplusShutdown
gdiplus.dll.GdiplusStartup
gdiplus.dll.GdipDisposeImage
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipDrawImageRectI
gdiplus.dll.GdipGetPropertyItem
gdiplus.dll.GdipGetPropertyItemSize
gdiplus.dll.GdipImageSelectActiveFrame
gdiplus.dll.GdipImageGetFrameCount
gdiplus.dll.GdipImageGetFrameDimensionsList
gdiplus.dll.GdipImageGetFrameDimensionsCount
gdiplus.dll.GdipSetStringFormatTrimming
gdiplus.dll.GdipSetStringFormatLineAlign
gdiplus.dll.GdipSetStringFormatAlign
gdiplus.dll.GdipSetStringFormatFlags
gdiplus.dll.GdipCloneStringFormat
gdiplus.dll.GdipDeleteStringFormat
gdiplus.dll.GdipStringFormatGetGenericTypographic
gdiplus.dll.GdipMeasureString
gdiplus.dll.GdipDrawString
gdiplus.dll.GdipDeleteFont
gdiplus.dll.GdipCreateFontFromLogfontA
gdiplus.dll.GdipCreateFontFromDC
imm32.dll.ImmSetCompositionWindow
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
iphlpapi.dll.GetAdaptersInfo
ole32.dll.CoUninitialize
ole32.dll.ReleaseStgMedium
ole32.dll.OleLockRunning
ole32.dll.CLSIDFromProgID
ole32.dll.CLSIDFromString
ole32.dll.OleDuplicateData
ole32.dll.DoDragDrop
ole32.dll.RegisterDragDrop
ole32.dll.CoCreateGuid
ole32.dll.OleInitialize
ole32.dll.CreateStreamOnHGlobal
ole32.dll.CoInitialize
ole32.dll.CoCreateInstance
ole32.dll.CoTaskMemFree
oleacc.dll.LresultFromObject
oleacc.dll.CreateStdAccessibleObject
oleaut32.dll.#2
oleaut32.dll.#12
oleaut32.dll.#8
oleaut32.dll.#4
oleaut32.dll.#6
oleaut32.dll.#9
shell32.dll.DragQueryFileW
shell32.dll.SHBrowseForFolderW
shell32.dll.ShellExecuteW
shell32.dll.SHGetPathFromIDListW
shell32.dll.SHGetSpecialFolderLocation
shell32.dll.SHGetMalloc
shell32.dll.Shell_NotifyIconW
shlwapi.dll.wnsprintfA
shlwapi.dll.StrCmpIW
shlwapi.dll.SHGetValueW
shlwapi.dll.SHSetValueW
shlwapi.dll.PathFileExistsW
shlwapi.dll.StrCmpW
shlwapi.dll.StrChrA
shlwapi.dll.PathStripPathW
shlwapi.dll.PathAddBackslashW
shlwapi.dll.PathAppendW
shlwapi.dll.PathRemoveBackslashW
shlwapi.dll.StrToIntW
shlwapi.dll.PathIsDirectoryW
shlwapi.dll.PathFindExtensionW
shlwapi.dll.PathRemoveExtensionW
shlwapi.dll.PathCombineW
shlwapi.dll.PathAddExtensionW
shlwapi.dll.StrStrIW
shlwapi.dll.StrCpyW
shlwapi.dll.StrStrW
shlwapi.dll.StrCatW
shlwapi.dll.PathFindFileNameW
shlwapi.dll.PathIsUNCW
shlwapi.dll.PathStripToRootW
shlwapi.dll.wnsprintfW
snmpapi.dll.SnmpUtilOidNCmp
snmpapi.dll.SnmpUtilOidCpy
snmpapi.dll.SnmpUtilVarBindFree
urlmon.dll.URLDownloadToFileW
user32.dll.DestroyWindow
user32.dll.SetFocus
user32.dll.GetActiveWindow
user32.dll.GetFocus
user32.dll.GetKeyState
user32.dll.GetDC
user32.dll.ReleaseDC
user32.dll.BeginPaint
user32.dll.EndPaint
user32.dll.GetUpdateRect
user32.dll.MapWindowPoints
user32.dll.GetSysColor
user32.dll.GetParent
user32.dll.GetWindow
user32.dll.LoadImageW
user32.dll.IsWindowEnabled
user32.dll.DefWindowProcW
user32.dll.MoveWindow
user32.dll.CreateAcceleratorTableW
user32.dll.InvalidateRgn
user32.dll.GetCaretBlinkTime
user32.dll.ClientToScreen
user32.dll.FillRect
user32.dll.GetGUIThreadInfo
user32.dll.RegisterClassExW
user32.dll.UpdateLayeredWindow
user32.dll.GetWindowRgn
user32.dll.CallWindowProcW
user32.dll.RegisterClassW
user32.dll.GetClassInfoExW
user32.dll.GetMenu
user32.dll.SetPropW
user32.dll.GetPropW
user32.dll.AdjustWindowRectEx
user32.dll.CharPrevW
user32.dll.DrawTextW
user32.dll.SetRect
user32.dll.DestroyMenu
user32.dll.CreateCaret
user32.dll.HideCaret
user32.dll.ShowCaret
user32.dll.SetCaretPos
user32.dll.GetCaretPos
user32.dll.SetWindowTextW
user32.dll.GetWindowTextW
user32.dll.GetWindowTextLengthW
user32.dll.SendDlgItemMessageA
user32.dll.SetRectEmpty
user32.dll.GetSubMenu
user32.dll.GetMenuItemID
user32.dll.GetMenuItemCount
user32.dll.CreateDialogIndirectParamW
user32.dll.GetMonitorInfoW
user32.dll.GetDlgItem
user32.dll.GetNextDlgTabItem
user32.dll.SetActiveWindow
user32.dll.UnhookWindowsHookEx
user32.dll.GetDlgCtrlID
user32.dll.IsDialogMessageW
user32.dll.RegisterWindowMessageW
user32.dll.PeekMessageW
user32.dll.GetMessagePos
user32.dll.DispatchMessageW
user32.dll.GetClassInfoW
user32.dll.IsMenu
user32.dll.IsChild
user32.dll.BeginDeferWindowPos
user32.dll.DeferWindowPos
user32.dll.EndDeferWindowPos
user32.dll.GetCapture
user32.dll.SetMenu
user32.dll.UpdateWindow
user32.dll.GetForegroundWindow
user32.dll.ValidateRect
user32.dll.RedrawWindow
user32.dll.GetScrollPos
user32.dll.RemovePropW
user32.dll.CopyRect
user32.dll.GetClassLongW
user32.dll.GetClassNameW
user32.dll.GetTopWindow
user32.dll.GetLastActivePopup
user32.dll.SetWindowsHookExW
user32.dll.CallNextHookEx
user32.dll.WinHelpW
user32.dll.CheckMenuItem
user32.dll.SetMenuItemBitmaps
user32.dll.GetMenuCheckMarkDimensions
user32.dll.SetMenuItemInfoW
user32.dll.KillTimer
user32.dll.LoadBitmapW
user32.dll.GrayStringW
user32.dll.TabbedTextOutW
user32.dll.GetSysColorBrush
user32.dll.GetWindowThreadProcessId
user32.dll.RealChildWindowFromPoint
user32.dll.CharUpperW
user32.dll.SetTimer
user32.dll.SystemParametersInfoW
user32.dll.SetWindowPos
user32.dll.MessageBeep
user32.dll.GetSystemMenu
user32.dll.EnableMenuItem
user32.dll.ModifyMenuW
user32.dll.PtInRect
user32.dll.IsWindowVisible
user32.dll.InvalidateRect
user32.dll.SetCapture
user32.dll.CreateWindowExW
user32.dll.TranslateMessage
user32.dll.GetMessageW
user32.dll.IsRectEmpty
user32.dll.LoadCursorW
user32.dll.UnionRect
user32.dll.InflateRect
user32.dll.SetCursor
user32.dll.OffsetRect
user32.dll.IntersectRect
user32.dll.EnableWindow
user32.dll.GetSystemMetrics
user32.dll.SendMessageW
user32.dll.ShowWindow
user32.dll.TrackPopupMenu
user32.dll.AppendMenuW
user32.dll.CreatePopupMenu
user32.dll.GetCursorPos
user32.dll.LoadIconW
user32.dll.PostMessageW
user32.dll.PostQuitMessage
user32.dll.SetWindowRgn
user32.dll.GetWindowRect
user32.dll.GetClientRect
user32.dll.ScreenToClient
user32.dll.IsIconic
user32.dll.GetMessageTime
user32.dll.GetDesktopWindow
user32.dll.MessageBoxW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
user32.dll.LoadStringW
user32.dll.ReleaseCapture
user32.dll.IsWindow
user32.dll.SetForegroundWindow
user32.dll.BringWindowToTop
user32.dll.CharNextW
user32.dll.MonitorFromWindow
user32.dll.wsprintfW
user32.dll.EndDialog
user32.dll.DrawTextExW
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpSetCredentials
winhttp.dll.WinHttpQueryAuthSchemes
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpSetStatusCallback
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpWriteData
winhttp.dll.WinHttpAddRequestHeaders
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpCrackUrl
kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.LCMapStringEx
api-ms-win-core-synch-l1-2-0.dll.InitializeConditionVariable
api-ms-win-core-synch-l1-2-0.dll.SleepConditionVariableCS
api-ms-win-core-synch-l1-2-0.dll.WakeAllConditionVariable
kernel32.dll.FlsFree
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.InitOnceExecuteOnce
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.GetTickCount64
kernel32.dll.GetFileInformationByHandleEx
kernel32.dll.SetFileInformationByHandle
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.InitializeSRWLock
kernel32.dll.TryAcquireSRWLockExclusive
kernel32.dll.SleepConditionVariableSRW
kernel32.dll.CreateThreadpoolWork
kernel32.dll.SubmitThreadpoolWork
kernel32.dll.CloseThreadpoolWork
kernel32.dll.CompareStringEx
kernel32.dll.GetLocaleInfoEx
cryptbase.dll.SystemFunction036
inetmib1.dll.SnmpExtensionInit
inetmib1.dll.SnmpExtensionInitEx
inetmib1.dll.SnmpExtensionQuery
inetmib1.dll.SnmpExtensionTrap
ntdll.dll.RtlGetNtVersionNumbers
shlwapi.dll.StrCmpNW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ntdll.dll.ZwClose
ntdll.dll.RtlInitUnicodeString
ntdll.dll.ZwOpenDirectoryObject
ntdll.dll.ZwQueryDirectoryObject
kernel32.dll.GetSystemFirmwareTable
kernel32.dll.EnumSystemFirmwareTables
ole32.dll.CoGetMalloc
ole32.dll.StringFromGUID2
advapi32.dll.OpenThreadToken
ole32.dll.CoInitializeEx
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
comctl32.dll.#236
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
comctl32.dll.#328
comctl32.dll.#334
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#332
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
comctl32.dll.#386
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
kernel32.dll.QueryActCtxW
kernel32.dll.CreateActCtxW
kernel32.dll.ActivateActCtx
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.DeactivateActCtx
comctl32.dll.InitCommonControlsEx
shell32.dll.InitNetworkAddressControl
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.GdiIsMetaPrintDC
windowscodecs.dll.DllGetClassObject
ole32.dll.CoRevokeInitializeSpy
user32.dll.SwitchToThisWindow
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
gdi32.dll.GetTextExtentExPointWPri
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
ws2_32.dll.#22
ws2_32.dll.#3
rpcrt4.dll.RpcBindingFree
uxtheme.dll.OpenThemeData
oleaut32.dll.#500
advapi32.dll.UnregisterTraceGuids
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
comctl32.dll.#321
UIDowner:39c3f1f0f71d1c76acf8109d6d7df60b
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1
libdebug.exe

BinGraph

PE Information

Image Base 0x00400000
Entry Point 0x00628b00
Reported Checksum 0x00111f95
Actual Checksum 0x00111f95
Minimum OS Version 5.1
Compile Time 2019-08-17 09:05:24
Import Hash b5f4abc7f876ca09a37753296aea362a
Icon
Icon Exact Hash 1d90995304986bd2338b4af1cff1e9d0
Icon Similarity Hash d67765543cf1ced3f87211cc2c802669

Version Infos

LegalCopyright Copyright (C) 2018
InternalName FastDownloader.exe
FileVersion 3.2.0.8
CompanyName -
ProductName 软件下载器 (Software Downloader)
ProductVersion 3.2.0.8
FileDescription 软件下载器 (Software Downloader)
OriginalFilename FastDownloader.exe
Translation 0x0804 0x04b0

Digital Signers

Certificate Common Name Serial Number SHA1 Fingerprint MD5 Fingerprint
Beijing Yundongshidai Network Technology Co.,Ltd/ST=北京 54259649863439552958416474110402396205 cbb30d7d10291559dc6cf18e9c9b1481bf96f3a8 6a8c3013294926b9074b017c1fd5cdba

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
PNG0 0x00001000 0x0011f000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
PNG1 0x00120000 0x00109000 0x00108e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.89
.rsrc 0x00229000 0x00007000 0x00006a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.06
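
The Sections table holds the evidence the T1045 packer signature keys on: two sections with non-standard names (PNG0, PNG1), both readable, writable and executable; PNG0 spanning 0x11f000 bytes of virtual space with no bytes on disk (the runtime unpacking destination); PNG1 at entropy 7.89 (compressed or encrypted payload); and the entry point 0x00628b00, which with image base 0x00400000 is RVA 0x00228b00 and falls inside PNG1 a few hundred bytes before its end. The Imports section further down matches: one import per DLL plus LoadLibraryA/GetProcAddress/VirtualProtect/ExitProcess from kernel32, while the resolved-API list at the top of this page runs to hundreds of names, so the real imports are resolved at runtime. The script below is an added example, not part of the CAPE report or its signature code: it turns those observations into a repeatable check over the report's own section and import rows (transcribed here as constructed input) and includes the Shannon entropy function the Entropy column is computed with. Treating the report's Entry Point as a virtual address rather than an RVA, and the list of standard section names, are assumptions of the example.

```python
import math

# Rows transcribed from the report's Sections table (constructed input for the example):
# (name, virtual address RVA, virtual size, raw size, characteristics, entropy)
REPORT_SECTIONS = [
    ("PNG0", 0x00001000, 0x0011f000, 0x00000000,
     "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", 0.00),
    ("PNG1", 0x00120000, 0x00109000, 0x00108e00,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", 7.89),
    (".rsrc", 0x00229000, 0x00007000, 0x00006a00,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", 4.06),
]
IMAGE_BASE = 0x00400000
ENTRY_POINT_VA = 0x00628b00   # assumption: the report prints image base + RVA

# Import table transcribed from the report's Imports section (COMCTL32 is listed as None: an ordinal import)
REPORT_IMPORTS = {
    "ADVAPI32.dll": ["RegEnumKeyW"], "COMCTL32.dll": ["None"], "GDI32.dll": ["LineTo"],
    "gdiplus.dll": ["GdipFree"], "IMM32.dll": ["ImmGetContext"], "IPHLPAPI.DLL": ["GetAdaptersInfo"],
    "KERNEL32.DLL": ["LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"],
    "ole32.dll": ["DoDragDrop"], "OLEACC.dll": ["LresultFromObject"], "OLEAUT32.dll": ["VariantClear"],
    "SHELL32.dll": ["SHGetMalloc"], "SHLWAPI.dll": ["StrCmpW"], "snmpapi.dll": ["SnmpUtilOidCpy"],
    "urlmon.dll": ["URLDownloadToFileW"], "USER32.dll": ["GetDC"], "WINHTTP.dll": ["WinHttpOpen"],
    "WINSPOOL.DRV": ["OpenPrinterW"],
}

# Heuristic list (assumption of the example), not an authoritative set of section names
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                          ".pdata", ".tls", ".bss", ".CRT", ".textbss"}
LOADER_STUB_APIS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress",
                    "VirtualProtect", "VirtualAlloc", "ExitProcess"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the measure behind the report's Entropy column (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_sections(sections, image_base, entry_point_va):
    """Map each section name to the sorted list of packer indicators it trips."""
    entry_rva = entry_point_va - image_base
    findings = {}
    for name, rva, vsize, rawsize, chars, entropy in sections:
        flags = set(chars.split("|"))
        executable = "IMAGE_SCN_MEM_EXECUTE" in flags
        hits = []
        if name not in STANDARD_SECTION_NAMES:
            hits.append("nonstandard_name")
        if executable and "IMAGE_SCN_MEM_WRITE" in flags:
            hits.append("rwx")
        if executable and rawsize == 0 and vsize > 0:
            hits.append("virtual_only_executable")   # exists only in memory: filled by the unpacker
        if executable and entropy >= 7.0:
            hits.append("high_entropy_executable")   # compressed or encrypted code/data
        if rva <= entry_rva < rva + vsize:
            hits.append("contains_entry_point")
        findings[name] = sorted(hits)
    return findings


def looks_packed(findings):
    """Verdict: the entry point sits in a section with other indicators, or code exists only in memory."""
    for hits in findings.values():
        if "contains_entry_point" in hits and len(hits) > 1:
            return True
        if "virtual_only_executable" in hits:
            return True
    return False


def import_table_is_stub(imports):
    """A packer stub keeps one import per DLL (so the loader maps it) plus the kernel32 APIs it
    needs to resolve everything else at runtime."""
    k32 = {n for lib, names in imports.items() if lib.lower() == "kernel32.dll" for n in names}
    single = sum(1 for lib, names in imports.items()
                 if lib.lower() != "kernel32.dll" and len(names) == 1)
    return (k32 <= LOADER_STUB_APIS and {"LoadLibraryA", "GetProcAddress"} <= k32
            and single == len(imports) - 1)


if __name__ == "__main__":
    found = triage_sections(REPORT_SECTIONS, IMAGE_BASE, ENTRY_POINT_VA)
    for name, hits in found.items():
        print(f"{name:6} {', '.join(hits) or '-'}")
    print("packed:", looks_packed(found), " stub import table:", import_table_is_stub(REPORT_IMPORTS))
```

Run as-is it prints the per-section indicators for this sample; to triage another file, feed it the section headers from pefile (Name, VirtualAddress, Misc_VirtualSize, SizeOfRawData, Characteristics, get_entropy()) in the same tuple shape.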

Overlay

Offset 0x0010fc00
Size 0x000020d0

Resources

Name Offset Size Language Sub-language Entropy File type
AFX_DIALOG_LAYOUT (2 entries, both reported with the same offset and size) 0x001ac5d8 0x00000002 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 1.00 ASCII text, with no line terminators
JPEG 0x0021bf70 0x0000283e LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 7.74 data
ZIPRES (4 entries, all reported with the same offset and size) 0x0020e488 0x0000d83e LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 7.75 data
RT_ICON (8 entries, all reported with the same offset and size) 0x0022ec04 0x00000468 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.45 GLS_BINARY_LSB_FIRST
RT_DIALOG (2 entries, both reported with the same offset and size) 0x001ac520 0x000000b0 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.60 data
RT_GROUP_ICON 0x0022f070 0x00000076 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.81 data
RT_VERSION 0x0022f0ec 0x000002a8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.48 data
RT_MANIFEST 0x0022f398 0x0000028b LANG_ENGLISH SUBLANG_ENGLISH_US 5.06 XML 1.0 document text

Imports

Library ADVAPI32.dll:
0x62f78c RegEnumKeyW
Library COMCTL32.dll:
0x62f794 None
Library GDI32.dll:
0x62f79c LineTo
Library gdiplus.dll:
0x62f7a4 GdipFree
Library IMM32.dll:
0x62f7ac ImmGetContext
Library IPHLPAPI.DLL:
0x62f7b4 GetAdaptersInfo
Library KERNEL32.DLL:
0x62f7bc LoadLibraryA
0x62f7c0 ExitProcess
0x62f7c4 GetProcAddress
0x62f7c8 VirtualProtect
Library ole32.dll:
0x62f7d0 DoDragDrop
Library OLEACC.dll:
0x62f7d8 LresultFromObject
Library OLEAUT32.dll:
0x62f7e0 VariantClear
Library SHELL32.dll:
0x62f7e8 SHGetMalloc
Library SHLWAPI.dll:
0x62f7f0 StrCmpW
Library snmpapi.dll:
0x62f7f8 SnmpUtilOidCpy
Library urlmon.dll:
0x62f800 URLDownloadToFileW
Library USER32.dll:
0x62f808 GetDC
Library WINHTTP.dll:
0x62f810 WinHttpOpen
Library WINSPOOL.DRV:
0x62f818 OpenPrinterW

t<Ksv=RichJsv=
.rsrc
F"rcf
lb%T3
*^J^R
s%h)l
meD;Js
r+3`"
kG8-!+
5YRS^
PppCFF.``
p-GNF
_ t6L
SnI!H
<\I,(k
i&-Q+
#1I]<
RVRQU
z7e#U
4k!]A
R:C)}
1Tt-l
#'#'.
]Ce`Vlf
:A986n
-A-bd
!h#7Y
du3dh
/tGx'
Hp!}{W_
h81jU
Ant<cM
[[ :v
m'mJu*ebh
tDllGetClassObject];
LMPBM
&CDialog
~Alli
!"#$%&'()*+,-./
ugVep
`V/o.K
p86qz2k1X,7*u42xCmcQ$GD
G$VOWk
ndS?A
CWs^a
fT'$00
wDJN$
n! 1Nc~?D
JTA.+
+|4l:
1Cd$H
_lMmO
=F?cF$/S
6CStAp
2HTh[hi
r<`m&
p{t0X=
BqyDCf
Mov0K`
dz~s?
wwwwwwwxp
wwwwwwww
wxtDDOp
tDDOp
wtDDOp
""""""
!!!!!!!!"
""""""
######
))))))
******
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
IPHLPAPI.DLL
KERNEL32.DLL
ole32.dll
OLEACC.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
snmpapi.dll
urlmon.dll
USER32.dll
WINHTTP.dll
WINSPOOL.DRV
RegEnumKeyW
LineTo
GdipFree
ImmGetContext
GetAdaptersInfo
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect
DoDragDrop
LresultFromObject
SHGetMalloc
StrCmpW
SnmpUtilOidCpy
URLDownloadToFileW
GetDC
WinHttpOpen
OpenPrinterW
VS_VERSION_INFO
StringFileInfo
080404b0
CompanyName
FileDescription
FileVersion
3.2.0.8
InternalName
FastDownloader.exe
LegalCopyright
Copyright (C) 2018
OriginalFilename
FastDownloader.exe
ProductName
ProductVersion
3.2.0.8
VarFileInfo
Translation

Full Results

VirusTotal Signature
Bkav Clean
DrWeb Adware.Siggen.32918
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee GenericRXIN-AA!02D14D0C8217
Cylance Unsafe
VIPRE Clean
AegisLab Clean
Sangfor Clean
K7AntiVirus Riskware ( 00544e421 )
BitDefender Gen:Variant.Razy.558009
K7GW Riskware ( 00544e421 )
Cybereason Clean
TrendMicro PUA.Win32.Downer.AF
BitDefenderTheta Clean
Cyren W32/Trojan.DVFA-2441
Symantec Clean
TotalDefense Clean
APEX Malicious
Paloalto generic.ml
ClamAV Clean
Kaspersky not-a-virus:HEUR:AdWare.Win32.Downer.gen
Alibaba AdWare:Win32/Downer.e0fdd2c5
NANO-Antivirus Riskware.Win32.Downer.gaeela
ViRobot Adware.Downer.1121488.A
Rising Adware.Downloader!1.BD64 (CLASSIC)
Ad-Aware Clean
Sophos Generic PUA GF (PUA)
Comodo [email protected]#2owfm78n1l68k
F-Secure Adware.ADWARE/Siggen.rguvg
Baidu Clean
Zillya Tool.Downer.Win32.15
Invincea heuristic
McAfee-GW-Edition GenericRXIN-AA!02D14D0C8217
Trapmine Clean
FireEye Generic.mg.02d14d0c82176522
Emsisoft Gen:Variant.Razy.558009 (B)
Ikarus PUA.RiskWare.Downer
F-Prot Clean
Jiangmin AdWare.Downer.d
Webroot W32.Adware.Gen
Avira ADWARE/Siggen.rguvg
Fortinet Riskware/Downer
Antiy-AVL Trojan/Win32.Fuerboos
Kingsoft Clean
Endgame malicious (high confidence)
Arcabit Clean
SUPERAntiSpyware PUP.Bundler/Variant
ZoneAlarm not-a-virus:HEUR:AdWare.Win32.Downer.gen
Avast-Mobile Clean
Microsoft PUA:Win32/Downer
TACHYON Clean
AhnLab-V3 PUP/Win32.Downloader.C3168192
Acronis Clean
VBA32 Adware.Puasson
ALYac Clean
MAX Clean
Malwarebytes PUP.Optional.FastDownloader
Panda PUP/DownloadAssistant
Zoner Clean
ESET-NOD32 a variant of Win32/RiskWare.Downer.A
TrendMicro-HouseCall PUA.Win32.Downer.AF
Tencent Malware.Win32.Gencirc.10b0c464
Yandex PUA.Downer!
SentinelOne Clean
MaxSecure Trojan.Malware.74558628.susgen
GData Gen:Variant.Razy.558009
AVG FileRepMalware [PUP]
Avast Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree


lo3maQquywTQrbs.exe, PID: 692, Parent PID: 1736
Full Path: C:\Users\Rebecca\AppData\Local\Temp\lo3maQquywTQrbs.exe
Command Line: "C:\Users\Rebecca\AppData\Local\Temp\lo3maQquywTQrbs.exe"

Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.3 49163 192.0.2.123 s.symcd.com 80
192.168.1.3 49165 192.0.2.123 s.symcd.com 80
192.168.1.3 49167 192.0.2.123 s.symcd.com 80
192.168.1.3 49173 192.0.2.123 s.symcd.com 80
192.168.1.3 49176 192.0.2.123 s.symcd.com 80
192.168.1.3 49178 192.0.2.123 s.symcd.com 80
192.168.1.3 49180 192.0.2.123 s.symcd.com 80
192.168.1.3 49184 192.0.2.123 s.symcd.com 80
192.168.1.3 49187 192.0.2.123 s.symcd.com 80

UDP

Source Source Port Destination Destination Port
192.168.1.3 49274 1.1.1.1 53
192.168.1.3 49983 1.1.1.1 53
192.168.1.3 50041 1.1.1.1 53
192.168.1.3 50933 1.1.1.1 53
192.168.1.3 51707 1.1.1.1 53
192.168.1.3 52072 1.1.1.1 53
192.168.1.3 52876 1.1.1.1 53
192.168.1.3 53111 1.1.1.1 53
192.168.1.3 54362 1.1.1.1 53
192.168.1.3 54375 1.1.1.1 53
192.168.1.3 54419 1.1.1.1 53
192.168.1.3 54558 1.1.1.1 53
192.168.1.3 55648 1.1.1.1 53
192.168.1.3 56090 1.1.1.1 53
192.168.1.3 56293 1.1.1.1 53
192.168.1.3 56366 1.1.1.1 53
192.168.1.3 56850 1.1.1.1 53
192.168.1.3 57650 1.1.1.1 53
192.168.1.3 57998 1.1.1.1 53
192.168.1.3 58789 1.1.1.1 53
192.168.1.3 59007 1.1.1.1 53
192.168.1.3 59785 1.1.1.1 53
192.168.1.3 59801 1.1.1.1 53
192.168.1.3 59982 1.1.1.1 53
192.168.1.3 60350 1.1.1.1 53
192.168.1.3 60411 1.1.1.1 53
192.168.1.3 60715 1.1.1.1 53
192.168.1.3 60730 1.1.1.1 53
192.168.1.3 61090 1.1.1.1 53
192.168.1.3 62112 1.1.1.1 53
192.168.1.3 62595 1.1.1.1 53
192.168.1.3 62840 1.1.1.1 53
192.168.1.3 62988 1.1.1.1 53
192.168.1.3 63564 1.1.1.1 53
192.168.1.3 63679 1.1.1.1 53
192.168.1.3 64015 1.1.1.1 53
192.168.1.3 64159 1.1.1.1 53
192.168.1.3 65207 1.1.1.1 53

DNS

Name Response Post-Analysis Lookup
s.symcd.com [VT] A 192.0.2.123 [VT] 23.37.43.27 [VT]
s.symcb.com [VT] 93.184.220.29 [VT]
sw.symcd.com [VT] 23.37.43.27 [VT]
sw.symcb.com [VT] 93.184.220.29 [VT]
api.downerapi.com [VT] 47.94.215.175 [VT]

HTTP Requests

URI Data
http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s.symcd.com

http://s.symcd.com/
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/ocsp-request
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Content-Length: 83
Host: s.symcd.com

http://s.symcd.com/
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/ocsp-request
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Content-Length: 83
Host: s.symcd.com

0Q0O0M0K0I0	\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x14\xb9\xe9\xb2\x87\x02\x85\x03\xf8\xec\xa5\xfbB\xe1>\x0fI\xc7$&\xe2\x04\x14\x7f\xd3e\xa7\xc2\xdd\xec\xbb\xf00	\xf3C9\xfa\x02\xaf313\x02\x10\x19\x1a2\xcbu\x9c\x97\xb8\xcf\xac\x11\x8d\xd5\x12\x7fI
http://s.symcb.com/pca3-g5.crl
GET /pca3-g5.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s.symcb.com

http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCECjSB0ghyLvdOxWMHxDmgC0%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCECjSB0ghyLvdOxWMHxDmgC0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sw.symcd.com

http://sw.symcd.com/
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/ocsp-request
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Content-Length: 83
Host: sw.symcd.com

http://sw.symcd.com/
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/ocsp-request
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Content-Length: 83
Host: sw.symcd.com

0Q0O0M0K0I0	\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x14\x9b\x82#p\xbeh\xd1\xe0\xcf\xbd\xa0M\xfd\xb1\x94\x7f\xc7,\xcc?\x04\x14\x16f\xdeJ4\xe3P\xa7\x11\x86\x03\xb1l\xa9\xc6\xac\xcdYn\x9b\x02\x10(\xd2\x07H!\xc8\xbb\xdd;\x15\x8c\x1f\x10\xe6\x80-
http://sw.symcb.com/sw.crl
GET /sw.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sw.symcb.com

http://api.downerapi.com/newerror?step=0&theme=-1&softid=&webid=&channelid=&error=1&errorcode=1&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0
GET /newerror?step=0&theme=-1&softid=&webid=&channelid=&error=1&errorcode=1&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0 HTTP/1.1
Cache-Control: no-store
Connection: Keep-Alive
Expires: 0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Host: api.downerapi.com

http://api.downerapi.com/newxml/34?winver=6.1&sdsoft=0&webid=34&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36831
GET /newxml/34?winver=6.1&sdsoft=0&webid=34&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36831 HTTP/1.1
Cache-Control: no-store
Connection: Keep-Alive
Expires: 0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Host: api.downerapi.com

http://api.downerapi.com/newxml/38?winver=6.1&sdsoft=0&webid=38&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36835
GET /newxml/38?winver=6.1&sdsoft=0&webid=38&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36835 HTTP/1.1
Cache-Control: no-store
Connection: Keep-Alive
Expires: 0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Host: api.downerapi.com

http://api.downerapi.com/newerror?step=0&theme=-1&softid=5&webid=38&channelid=&error=6&errorcode=6&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0
GET /newerror?step=0&theme=-1&softid=5&webid=38&channelid=&error=6&errorcode=6&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0 HTTP/1.1
Cache-Control: no-store
Connection: Keep-Alive
Expires: 0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Host: api.downerapi.com
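
The requests to s.symcd.com, sw.symcd.com, s.symcb.com and sw.symcb.com above are not generated by the sample's own code: the User-Agent is Microsoft-CryptoAPI/6.1, the POST bodies are application/ocsp-request and the .crl paths are CRL fetches, which is Windows' certificate revocation checking of the Authenticode chain. Whether that verification was started by the OS, by the analyzer's signature check or by the sample calling WinVerifyTrust is not shown in the report. What the report does allow is to tie the OCSP traffic to the certificate listed under Digital Signers: the GET path on sw.symcd.com is a URL-encoded, base64 DER OCSPRequest (the same 83 bytes as the POST body shown above it), and its CertID carries the serial number being checked. The decoder below is an added example, not part of the CAPE report; it uses only the standard library, assumes a single-request OCSPRequest without the optional signature, and confirms that the serial matches the signer's serial 54259649863439552958416474110402396205.

```python
import base64
from urllib.parse import unquote

# Transcribed from the report: GET path of the request to sw.symcd.com and the
# serial number from the Digital Signers table (constructed input for the example)
OCSP_GET_PATH = ("MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbe"
                 "SjTjUKcRhgOxbKnGrM1ZbpsCECjSB0ghyLvdOxWMHxDmgC0%3D")
SIGNER_SERIAL = 54259649863439552958416474110402396205

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def der_read_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form (base-128 arcs, first byte packs two)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get_path(path):
    """Return the CertID fields of a single-request OCSP GET (RFC 6960, appendix A encoding)."""
    der = base64.b64decode(unquote(path))
    node = der
    # OCSPRequest > TBSRequest > requestList > Request > CertID: five nested SEQUENCEs.
    # Taking the first SEQUENCE child at each level skips optional tagged fields
    # (version, requestorName) if a request carries them.
    for _ in range(5):
        node = next(v for t, v in der_children(node) if t == 0x30)
    alg, name_hash, key_hash, serial = der_children(node)[:4]
    oid = decode_oid(next(v for t, v in der_children(alg[1]) if t == 0x06))
    return {
        "hash_alg": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash[1].hex(),
        "issuer_key_hash": key_hash[1].hex(),
        "serial": int.from_bytes(serial[1], "big", signed=True),
    }


def ocsp_request_is_for_serial(path, serial):
    """True when the OCSP request asks about the certificate with this serial number."""
    return parse_ocsp_get_path(path)["serial"] == serial


if __name__ == "__main__":
    cert_id = parse_ocsp_get_path(OCSP_GET_PATH)
    print(cert_id)
    print("asks about the listed signer:", ocsp_request_is_for_serial(OCSP_GET_PATH, SIGNER_SERIAL))
```

The same decoder applied to the s.symcd.com path yields a different serial, the intermediate CA certificate in the chain; the issuerKeyHash it returns is what a CRL or OCSP responder correlates on, so both values are worth keeping next to the SHA1 fingerprint when documenting the signer.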

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-02-14 16:27:47.660 192.168.1.3 [VT] 49162 192.0.2.123 [VT] 80 GET 200 s.symcd.com [VT] /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D text/html Microsoft-CryptoAPI/6.1 None 1410
2020-02-14 16:27:48.818 192.168.1.3 [VT] 49163 192.0.2.123 [VT] 80 POST 200 s.symcd.com [VT] / text/html Microsoft-CryptoAPI/6.1 None 1410
2020-02-14 16:27:49.608 192.168.1.3 [VT] 49164 192.0.2.123 [VT] 80 GET 200 s.symcb.com [VT] /pca3-g5.crl application/x-pkcs7-crl Microsoft-CryptoAPI/6.1 None 1410
2020-02-14 16:27:51.023 192.168.1.3 [VT] 49165 192.0.2.123 [VT] 80 GET 200 sw.symcd.com [VT] /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCECjSB0ghyLvdOxWMHxDmgC0%3D text/html Microsoft-CryptoAPI/6.1 None 1410
2020-02-14 16:27:51.650 192.168.1.3 [VT] 49166 192.0.2.123 [VT] 80 POST 200 sw.symcd.com [VT] / text/html Microsoft-CryptoAPI/6.1 None 1410
2020-02-14 16:27:51.772 192.168.1.3 [VT] 49167 192.0.2.123 [VT] 80 GET 200 sw.symcb.com [VT] /sw.crl application/x-pkcs7-crl Microsoft-CryptoAPI/6.1 None 1410
2020-02-14 16:27:59.409 192.168.1.3 [VT] 49172 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newerror?step=0&theme=-1&softid=&webid=&channelid=&error=1&errorcode=1&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:27:59.800 192.168.1.3 [VT] 49173 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newxml/34?winver=6.1&sdsoft=0&webid=34&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36831 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:28:00.255 192.168.1.3 [VT] 49175 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newxml/34?winver=6.1&sdsoft=0&webid=34&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36831 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:28:00.782 192.168.1.3 [VT] 49176 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newxml/34?winver=6.1&sdsoft=0&webid=34&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36831 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:28:00.905 192.168.1.3 [VT] 49177 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newxml/34?winver=6.1&sdsoft=0&webid=34&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36831 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:28:01.016 192.168.1.3 [VT] 49178 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newxml/38?winver=6.1&sdsoft=0&webid=38&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36835 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:28:01.426 192.168.1.3 [VT] 49179 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newxml/38?winver=6.1&sdsoft=0&webid=38&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36835 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:28:01.849 192.168.1.3 [VT] 49180 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newxml/38?winver=6.1&sdsoft=0&webid=38&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36835 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:28:02.262 192.168.1.3 [VT] 49181 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newxml/38?winver=6.1&sdsoft=0&webid=38&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36835 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:28:05.767 192.168.1.3 [VT] 49184 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newxml/38?winver=6.1&sdsoft=0&webid=38&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36835 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:28:06.191 192.168.1.3 [VT] 49185 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newxml/38?winver=6.1&sdsoft=0&webid=38&channelid=&softid=5&ver=3.6.6.20&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0&encry=1&rnd=36835 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
2020-02-14 16:28:06.697 192.168.1.3 [VT] 49187 192.0.2.123 [VT] 80 GET 200 api.downerapi.com [VT] /newerror?step=0&theme=-1&softid=5&webid=38&channelid=&error=6&errorcode=6&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 None 1410
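
The api.downerapi.com rows are the sample's own traffic, as opposed to the CryptoAPI revocation checks in the first six rows. Several features in them are usable for detection: the same 32-hex value appears as user= in /newerror and as mac= in /newxml, so it is a per-host identifier that correlates the two endpoints; the on-disk filename (lo3maQquywTQrbs.exe) is sent in the query string; the User-Agent claims Windows NT 10.0 x64 while winver=6.1 in the same request, and the Microsoft-CryptoAPI/6.1 User-Agent of the guest's own traffic, show the host is really NT 6.1, so the browser User-Agent is a hard-coded string; and everything is plain HTTP on port 80, consistent with the empty JA3 section. The parser below is an added example, not part of the CAPE report: it extracts those fields from the request lines (constructed input copied from the tables above) and groups beacons by host identifier. The query-parameter names are specific to this sample's API and are not assumed to generalize.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request lines transcribed from the report (constructed input for the example): (URL, User-Agent)
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36")
REPORT_REQUESTS = [
    ("http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbe"
     "SjTjUKcRhgOxbKnGrM1ZbpsCECjSB0ghyLvdOxWMHxDmgC0%3D", "Microsoft-CryptoAPI/6.1"),
    ("http://sw.symcb.com/sw.crl", "Microsoft-CryptoAPI/6.1"),
    ("http://api.downerapi.com/newerror?step=0&theme=-1&softid=&webid=&channelid=&error=1&errorcode=1"
     "&user=4bf2b5e497e5724db5e86d5aefa8bb79&session=&city=0", CHROME_UA),
    ("http://api.downerapi.com/newxml/34?winver=6.1&sdsoft=0&webid=34&channelid=&softid=5&ver=3.6.6.20"
     "&usesnum=1&mac=4bf2b5e497e5724db5e86d5aefa8bb79&filename=lo3maQquywTQrbs.exe&errcode=0&userev=0"
     "&encry=1&rnd=36831", CHROME_UA),
]

HEX32 = re.compile(r"^[0-9a-f]{32}$")          # shape of the user=/mac= host identifier
UA_NT = re.compile(r"Windows NT ([0-9.]+)")    # NT version a browser User-Agent claims
CRYPTOAPI_UA_NT = re.compile(r"^Microsoft-CryptoAPI/([0-9.]+)")


def classify_request(url, user_agent):
    """Label a request as OS revocation checking or as a sample beacon, and pull out beacon features."""
    parts = urlsplit(url)
    m = CRYPTOAPI_UA_NT.match(user_agent)
    if m:
        return {"kind": "cryptoapi_revocation", "host": parts.hostname, "real_nt": m.group(1)}
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    host_id = next((q[k] for k in ("mac", "user") if k in q and HEX32.match(q[k])), None)
    m = UA_NT.search(user_agent)
    ua_os = m.group(1) if m else None
    winver = q.get("winver")
    return {
        "kind": "beacon",
        "host": parts.hostname,
        "endpoint": parts.path,
        "host_id": host_id,
        "filename": q.get("filename"),
        "ua_os": ua_os,
        "winver": winver,
        # the query's own OS report contradicts the User-Agent: hard-coded browser string
        "os_mismatch": winver is not None and ua_os is not None and winver != ua_os,
        "plaintext": parts.scheme == "http",
    }


def beacons_by_host_id(requests):
    """Group the sample's beacon endpoints under the host identifier they share."""
    groups = {}
    for url, ua in requests:
        r = classify_request(url, ua)
        if r["kind"] == "beacon" and r["host_id"]:
            groups.setdefault(r["host_id"], set()).add(r["endpoint"])
    return groups


if __name__ == "__main__":
    for url, ua in REPORT_REQUESTS:
        print(classify_request(url, ua))
    print(beacons_by_host_id(REPORT_REQUESTS))
```

A network detection written from these features should key on the host, the /newxml/ and /newerror paths and the mac=<32 hex> parameter together, not on the User-Agent alone, which is a legitimate Chrome string.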
Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name lo3maQquywTQrbs.exe
PID 692
Dump Size 1113088 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\lo3maQquywTQrbs.exe
Type PE image: 32-bit executable
MD5 dd3deed821d620d08bbd6fec4a2a18f7
SHA1 9baf53ca15bc9aadb45bfd4b42af679f32e12e78
SHA256 cedf13e01a1f6da28ee69882da6b78a1e28866412272149fb8a8e0ef976ec17f
CRC32 23E98A93
Ssdeep 24576:MPJnSvQI05dCg3yRsqShviRcAFJ148+8CJ+gu+h/ly1:M1dXhvucAz146CuJ
ClamAV None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
CAPE Yara None matched
Dump Filename cedf13e01a1f6da28ee69882da6b78a1e28866412272149fb8a8e0ef976ec17f


Defense Evasion
  • T1045 - Software Packing
    • Signature - packer_unknown_pe_section_name

    Processing ( 8.122 seconds )

    • 5.05 Suricata
    • 1.02 Static
    • 0.596 NetworkAnalysis
    • 0.32 peid
    • 0.316 BehaviorAnalysis
    • 0.248 VirusTotal
    • 0.246 Deduplicate
    • 0.15 CAPE
    • 0.086 TargetInfo
    • 0.066 ProcDump
    • 0.011 Strings
    • 0.01 AnalysisInfo
    • 0.003 Debug

    Signatures ( 0.286 seconds )

    • 0.055 antiav_detectreg
    • 0.019 infostealer_ftp
    • 0.015 stealth_timeout
    • 0.014 antidbg_windows
    • 0.013 api_spamming
    • 0.012 NewtWire Behavior
    • 0.012 decoy_document
    • 0.011 antianalysis_detectreg
    • 0.011 infostealer_im
    • 0.008 antiemu_wine_func
    • 0.007 malicious_dynamic_function_loading
    • 0.007 dynamic_function_loading
    • 0.006 kovter_behavior
    • 0.006 antivm_vbox_keys
    • 0.005 infostealer_browser_password
    • 0.005 antiav_detectfile
    • 0.004 exploit_getbasekerneladdress
    • 0.004 exploit_gethaldispatchtable
    • 0.004 antivm_vmware_keys
    • 0.004 infostealer_mail
    • 0.004 ransomware_files
    • 0.003 mimics_filetime
    • 0.003 antivm_generic_disk
    • 0.003 antivm_parallels_keys
    • 0.003 antivm_xen_keys
    • 0.003 infostealer_bitcoin
    • 0.002 bootkit
    • 0.002 Doppelganging
    • 0.002 stealth_file
    • 0.002 antivm_generic_services
    • 0.002 antivm_generic_scsi
    • 0.002 reads_self
    • 0.002 persistence_autorun
    • 0.002 virus
    • 0.002 antivm_generic_diskreg
    • 0.002 antivm_vpc_keys
    • 0.002 masquerade_process_name
    • 0.002 ransomware_extensions
    • 0.001 antivm_vbox_libs
    • 0.001 injection_runpe
    • 0.001 recon_programs
    • 0.001 injection_createremotethread
    • 0.001 stealth_network
    • 0.001 betabot_behavior
    • 0.001 InjectionCreateRemoteThread
    • 0.001 InjectionProcessHollowing
    • 0.001 kibex_behavior
    • 0.001 hancitor_behavior
    • 0.001 antianalysis_detectfile
    • 0.001 antivm_hyperv_keys
    • 0.001 antivm_vbox_files
    • 0.001 geodo_banking_trojan
    • 0.001 browser_security
    • 0.001 bypass_firewall
    • 0.001 disables_browser_warn
    • 0.001 network_torgateway
    • 0.001 limerat_regkeys
    • 0.001 recon_checkip
    • 0.001 recon_fingerprint

    Reporting ( 3.059 seconds )

    • 1.565 BinGraph
    • 0.922 MaecReport
    • 0.548 JsonDump
    • 0.024 MITRE_TTPS
    Task ID 12818
    Mongo ID 5e46cac171fb3667b8667310
    Cuckoo release 1.3-CAPE