Analysis

Category: FILE
Package: Extraction
Started: 2020-05-23 05:13:05
Completed: 2020-05-23 05:17:19
Duration: 254 seconds
route = inetsim
2020-05-13 09:30:33,891 [root] INFO: Date set to: 20200523T05:13:48, timeout set to: 200
2020-05-23 05:13:48,062 [root] DEBUG: Starting analyzer from: C:\tmplodztmkc
2020-05-23 05:13:48,062 [root] DEBUG: Storing results at: C:\gdljofuM
2020-05-23 05:13:48,062 [root] DEBUG: Pipe server name: \\.\PIPE\Wzdwcl
2020-05-23 05:13:48,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-05-23 05:13:48,062 [root] INFO: Analysis package "Extraction" has been specified.
2020-05-23 05:13:48,062 [root] DEBUG: Trying to import analysis package "Extraction"...
2020-05-23 05:13:48,062 [root] DEBUG: Imported analysis package "Extraction".
2020-05-23 05:13:48,062 [root] DEBUG: Trying to initialize analysis package "Extraction"...
2020-05-23 05:13:48,062 [root] DEBUG: Initialized analysis package "Extraction".
2020-05-23 05:13:48,109 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-05-23 05:13:48,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-05-23 05:13:48,109 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-05-23 05:13:48,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-05-23 05:13:48,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-05-23 05:13:48,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-05-23 05:13:48,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-05-23 05:13:48,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-05-23 05:13:48,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-05-23 05:13:48,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-05-23 05:13:48,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-05-23 05:13:48,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-05-23 05:13:48,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-05-23 05:13:48,171 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-05-23 05:13:48,171 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-05-23 05:13:48,171 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-05-23 05:13:48,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-05-23 05:13:48,187 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-05-23 05:13:48,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-05-23 05:13:48,187 [lib.api.screenshot] DEBUG: Importing 'math'
2020-05-23 05:13:48,187 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-05-23 05:13:48,312 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-05-23 05:13:48,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-05-23 05:13:48,328 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-05-23 05:13:48,328 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-05-23 05:13:48,328 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-05-23 05:13:48,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-05-23 05:13:48,343 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-05-23 05:13:48,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-05-23 05:13:48,343 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-05-23 05:13:48,343 [root] DEBUG: Initialized auxiliary module "Browser".
2020-05-23 05:13:48,343 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-05-23 05:13:48,343 [root] DEBUG: Started auxiliary module Browser
2020-05-23 05:13:48,343 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-05-23 05:13:48,343 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-05-23 05:13:48,343 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-05-23 05:13:48,343 [root] DEBUG: Started auxiliary module Curtain
2020-05-23 05:13:48,343 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-05-23 05:13:48,343 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-05-23 05:13:48,359 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-05-23 05:13:48,359 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-05-23 05:13:48,656 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-05-23 05:13:48,656 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-05-23 05:13:48,656 [root] DEBUG: Started auxiliary module DigiSig
2020-05-23 05:13:48,656 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-05-23 05:13:48,656 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-05-23 05:13:48,656 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-05-23 05:13:48,687 [root] DEBUG: Started auxiliary module Disguise
2020-05-23 05:13:48,687 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-05-23 05:13:48,687 [root] DEBUG: Initialized auxiliary module "Human".
2020-05-23 05:13:48,687 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-05-23 05:13:48,687 [root] DEBUG: Started auxiliary module Human
2020-05-23 05:13:48,687 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-05-23 05:13:48,687 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-05-23 05:13:48,687 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-05-23 05:13:48,687 [root] DEBUG: Started auxiliary module Procmon
2020-05-23 05:13:48,687 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-05-23 05:13:48,687 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-05-23 05:13:48,687 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-05-23 05:13:48,687 [root] DEBUG: Started auxiliary module Screenshots
2020-05-23 05:13:48,687 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-05-23 05:13:48,703 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-05-23 05:13:48,703 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-05-23 05:13:48,703 [root] DEBUG: Started auxiliary module Sysmon
2020-05-23 05:13:48,703 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-05-23 05:13:48,703 [root] DEBUG: Initialized auxiliary module "Usage".
2020-05-23 05:13:48,703 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-05-23 05:13:48,703 [root] DEBUG: Started auxiliary module Usage
2020-05-23 05:13:48,703 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL option
2020-05-23 05:13:48,703 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2020-05-23 05:13:48,703 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a loader option
2020-05-23 05:13:48,703 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a loader_64 option
2020-05-23 05:13:48,765 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\BaZooka Updater V.1.exe" with arguments "" with pid 3676
2020-05-23 05:13:48,765 [lib.api.process] INFO: Monitor config for process 3676: C:\tmplodztmkc\dll\3676.ini
2020-05-23 05:13:48,812 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:48,812 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:48,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:48,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:48,875 [root] DEBUG: Loader: Injecting process 3676 (thread 2616) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:48,875 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:48,875 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:48,875 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 05:13:48,890 [root] DEBUG: Error 2 (0x2) - Loader: Failed to call named pipe \\.\PIPE\Wzdwcl: The system cannot find the file specified.
2020-05-23 05:13:48,890 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3676
2020-05-23 05:13:50,890 [lib.api.process] INFO: Successfully resumed process with pid 3676
2020-05-23 05:13:51,078 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:13:51,078 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 05:13:51,078 [root] DEBUG: Process dumps disabled.
2020-05-23 05:13:51,078 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 05:13:51,093 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 05:13:51,093 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3676 at 0x6f4e0000, image base 0x400000, stack from 0x186000-0x190000
2020-05-23 05:13:51,093 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\BaZooka Updater V.1.exe".
2020-05-23 05:13:51,125 [root] INFO: Disabling sleep skipping.
2020-05-23 05:13:51,140 [root] INFO: Disabling sleep skipping.
2020-05-23 05:13:51,140 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x76de0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x76e4b5f0, Wow64PrepareForException: 0x0
2020-05-23 05:13:51,140 [root] INFO: Disabling sleep skipping.
2020-05-23 05:13:51,140 [root] INFO: Disabling sleep skipping.
2020-05-23 05:13:51,140 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x290000
2020-05-23 05:13:51,140 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 05:13:51,140 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-05-23 05:13:51,140 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x290c, Entropy 5.270963e+00
2020-05-23 05:13:51,156 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-05-23 05:13:51,156 [root] INFO: loaded: b'3676'
2020-05-23 05:13:51,156 [root] INFO: Loaded monitor into process with pid 3676
2020-05-23 05:13:51,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:51,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 05:13:51,203 [root] DEBUG: ProcessImageBase: EP 0x0000290C image base 0x00400000 size 0x0 entropy 5.270963e+00.
2020-05-23 05:13:51,203 [root] DEBUG: ProtectionHandler: Adding region at 0x002A0000 to tracked regions.
2020-05-23 05:13:51,203 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x002A0000.
2020-05-23 05:13:51,203 [root] DEBUG: AddTrackedRegion: New region at 0x002A0000 size 0x6000 added to tracked regions.
2020-05-23 05:13:51,203 [root] DEBUG: ProtectionHandler: Address: 0x002A0000 (alloc base 0x002A0000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2020-05-23 05:13:51,203 [root] DEBUG: ProtectionHandler: New code detected at (0x002A0000), scanning for PE images.
2020-05-23 05:13:51,218 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a0000 - 0x2a6000.
2020-05-23 05:13:51,218 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2a0000-0x2a6000.
2020-05-23 05:13:51,218 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x002A0000 - 0x002A6000.
2020-05-23 05:13:51,218 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\3676_85057790051131123652020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\BaZooka Updater V.1.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\BaZooka Updater V.1.exe;?0x002A0000;?', ['3676'], 'CAPE')
2020-05-23 05:13:51,281 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\3676_85057790051131123652020 (size 0x5161)
2020-05-23 05:13:51,281 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x002A0000, size 0x6000
2020-05-23 05:13:51,296 [root] DEBUG: DLL loaded at 0x73220000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-05-23 05:13:51,468 [root] DEBUG: ProtectionHandler: Address 0x002A0000 already in tracked region at 0x002A0000, size 0x6000
2020-05-23 05:13:51,468 [root] DEBUG: ProtectionHandler: Address: 0x002A0000 (alloc base 0x002A0000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-05-23 05:13:51,468 [root] DEBUG: ProtectionHandler: Increased region size at 0x002A0000 to 0xa000.
2020-05-23 05:13:51,484 [root] DEBUG: ProtectionHandler: New code detected at (0x002A0000), scanning for PE images.
2020-05-23 05:13:51,484 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a0000 - 0x2aa000.
2020-05-23 05:13:51,484 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2a0000-0x2aa000.
2020-05-23 05:13:51,484 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x002A0000 - 0x002AA000.
2020-05-23 05:13:51,484 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\3676_52624552451131123652020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\BaZooka Updater V.1.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\BaZooka Updater V.1.exe;?0x002A0000;?', ['3676'], 'CAPE')
2020-05-23 05:13:51,531 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\3676_52624552451131123652020 (size 0x9600)
2020-05-23 05:13:51,531 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x002A0000, size 0xa000
2020-05-23 05:13:51,531 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-05-23 05:13:51,593 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-05-23 05:13:51,609 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-05-23 05:13:51,703 [root] DEBUG: ProtectionHandler: Address 0x002A0000 already in tracked region at 0x002A0000, size 0xa000
2020-05-23 05:13:51,703 [root] DEBUG: ProtectionHandler: Address: 0x002A0000 (alloc base 0x002A0000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-05-23 05:13:51,718 [root] DEBUG: ProtectionHandler: New code detected at (0x002A0000), scanning for PE images.
2020-05-23 05:13:51,718 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a0000 - 0x2aa000.
2020-05-23 05:13:51,718 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2a0000-0x2aa000.
2020-05-23 05:13:51,750 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x002A0000 - 0x002AA000.
2020-05-23 05:13:51,765 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\3676_88266120051131123652020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\BaZooka Updater V.1.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\BaZooka Updater V.1.exe;?0x002A0000;?', ['3676'], 'CAPE')
2020-05-23 05:13:51,859 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\3676_88266120051131123652020 (size 0x9e11)
2020-05-23 05:13:51,859 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x002A0000, size 0xa000
2020-05-23 05:13:51,875 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-05-23 05:13:51,906 [root] DEBUG: DLL loaded at 0x73FA0000: C:\Windows\system32\UxTheme (0x80000 bytes).
2020-05-23 05:13:52,406 [root] INFO: ('dump_file', 'C:\\Windows\\Resources\\Themes\\icsys.icn.exe', '', False, 'files')
2020-05-23 05:13:52,453 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\bazooka updater v.1.exe\xa0', '', False, 'files')
2020-05-23 05:13:52,484 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\bazooka updater v.1.exe\xa0', '', False, 'files')
2020-05-23 05:13:52,593 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\bazooka updater v.1.exe\xa0', '', False, 'files')
2020-05-23 05:13:52,734 [root] INFO: Announced 32-bit process name: bazooka updater v.1.exe  pid: 1860
2020-05-23 05:13:52,734 [lib.api.process] INFO: Monitor config for process 1860: C:\tmplodztmkc\dll\1860.ini
2020-05-23 05:13:52,734 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:52,734 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:52,734 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:52,781 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:52,781 [root] DEBUG: Loader: Injecting process 1860 (thread 4972) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:52,781 [root] DEBUG: Process image base: 0x00DC0000
2020-05-23 05:13:52,781 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-05-23 05:13:52,781 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-05-23 05:13:52,781 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:52,812 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1860
2020-05-23 05:13:52,812 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-05-23 05:13:52,843 [root] INFO: Announced 32-bit process name: bazooka updater v.1.exe  pid: 1860
2020-05-23 05:13:52,843 [lib.api.process] INFO: Monitor config for process 1860: C:\tmplodztmkc\dll\1860.ini
2020-05-23 05:13:52,843 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:52,843 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:52,843 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:52,906 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:52,906 [root] DEBUG: Loader: Injecting process 1860 (thread 4972) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:52,906 [root] DEBUG: Process image base: 0x00DC0000
2020-05-23 05:13:52,906 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-05-23 05:13:52,906 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-05-23 05:13:52,921 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:52,953 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1860
2020-05-23 05:13:53,046 [root] INFO: Announced 32-bit process name: icsys.icn.exe pid: 1140
2020-05-23 05:13:53,046 [lib.api.process] INFO: Monitor config for process 1140: C:\tmplodztmkc\dll\1140.ini
2020-05-23 05:13:53,093 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:53,093 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:53,093 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:53,125 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:13:53,125 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 05:13:53,125 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:53,125 [root] DEBUG: Process dumps disabled.
2020-05-23 05:13:53,125 [root] DEBUG: Loader: Injecting process 1140 (thread 2304) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:53,125 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 05:13:53,140 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:53,140 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:53,140 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 05:13:53,156 [root] INFO: Disabling sleep skipping.
2020-05-23 05:13:53,156 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:53,156 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1860 at 0x6f4e0000, image base 0xdc0000, stack from 0x306000-0x310000
2020-05-23 05:13:53,156 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"c:\users\louise\appdata\local\temp\bazooka updater v.1.exeᅠ".
2020-05-23 05:13:53,156 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1140
2020-05-23 05:13:53,421 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x76de0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x76e4b5f0, Wow64PrepareForException: 0x0
2020-05-23 05:13:53,421 [root] INFO: Announced 32-bit process name: icsys.icn.exe pid: 1140
2020-05-23 05:13:53,421 [lib.api.process] INFO: Monitor config for process 1140: C:\tmplodztmkc\dll\1140.ini
2020-05-23 05:13:53,421 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:53,421 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:53,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:53,453 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xd0000
2020-05-23 05:13:53,468 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 05:13:53,468 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00DC0000.
2020-05-23 05:13:53,468 [root] DEBUG: set_caller_info: Adding region at 0x00050000 to caller regions list (ntdll::RtlDispatchException).
2020-05-23 05:13:53,468 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:53,468 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1c04 in capemon caught accessing 0xdc1000 (expected in memory scans), passing to next handler.
2020-05-23 05:13:53,468 [root] DEBUG: Loader: Injecting process 1140 (thread 2304) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:53,484 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00DC1000
2020-05-23 05:13:53,484 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:53,484 [root] DEBUG: AddTrackedRegion: GetEntropy failed.
2020-05-23 05:13:53,484 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:53,484 [root] DEBUG: AddTrackedRegion: New region at 0x00DC0000 size 0x1000 added to tracked regions: EntryPoint 0x72887cef, Entropy 0.000000e+00
2020-05-23 05:13:53,484 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-05-23 05:13:53,484 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-05-23 05:13:53,484 [root] INFO: loaded: b'1860'
2020-05-23 05:13:53,484 [root] INFO: Loaded monitor into process with pid 1860
2020-05-23 05:13:53,484 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:53,484 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2020-05-23 05:13:53,500 [root] DEBUG: DLL loaded at 0x00C60000: C:\tmplodztmkc\dll\FvqNVoqE (0xd5000 bytes).
2020-05-23 05:13:53,500 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1140
2020-05-23 05:13:53,500 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-05-23 05:13:53,546 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 05:13:53,546 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-05-23 05:13:53,546 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 05:13:53,546 [root] DEBUG: DLL unloaded from 0x00C60000.
2020-05-23 05:13:53,562 [root] DEBUG: set_caller_info: Adding region at 0x00210000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-05-23 05:13:53,562 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:13:53,562 [root] DEBUG: set_caller_info: Adding region at 0x02320000 to caller regions list (advapi32::RegOpenKeyExW).
2020-05-23 05:13:53,562 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 05:13:53,562 [root] DEBUG: set_caller_info: Adding region at 0x00530000 to caller regions list (kernel32::FindFirstFileExW).
2020-05-23 05:13:53,562 [root] DEBUG: Process dumps disabled.
2020-05-23 05:13:53,578 [root] DEBUG: DLL loaded at 0x729C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-05-23 05:13:53,578 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 05:13:53,578 [root] DEBUG: DLL unloaded from 0x74A80000.
2020-05-23 05:13:53,609 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-05-23 05:13:53,609 [root] INFO: Disabling sleep skipping.
2020-05-23 05:13:53,625 [root] DEBUG: DLL loaded at 0x722D0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-05-23 05:13:53,625 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 05:13:53,640 [root] DEBUG: DLL loaded at 0x72FE0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-05-23 05:13:53,640 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1140 at 0x6f4e0000, image base 0x400000, stack from 0x186000-0x190000
2020-05-23 05:13:53,640 [root] DEBUG: Commandline: C:\Windows\Resources\Themes\icsys.icn.exe.
2020-05-23 05:13:53,687 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4176.
2020-05-23 05:13:53,718 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x76de0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x76e4b5f0, Wow64PrepareForException: 0x0
2020-05-23 05:13:53,718 [root] DEBUG: Allocation: 0x001C3000 - 0x001C4000, size: 0x1000, protection: 0x40.
2020-05-23 05:13:53,718 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:53,718 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1d0000
2020-05-23 05:13:53,718 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00DC0000.
2020-05-23 05:13:53,718 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 05:13:53,718 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00DC1000
2020-05-23 05:13:53,718 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-05-23 05:13:53,734 [root] DEBUG: ProcessImageBase: EP 0x72887CEF image base 0x00DC0000 size 0x0 entropy 0.000000e+00.
2020-05-23 05:13:53,734 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x290c, Entropy 5.270963e+00
2020-05-23 05:13:53,734 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x001C3000, size: 0x1000.
2020-05-23 05:13:53,734 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-05-23 05:13:53,734 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x001C3000.
2020-05-23 05:13:53,734 [root] INFO: loaded: b'1140'
2020-05-23 05:13:53,734 [root] INFO: Loaded monitor into process with pid 1140
2020-05-23 05:13:53,781 [root] DEBUG: AddTrackedRegion: New region at 0x001C0000 size 0x1000 added to tracked regions.
2020-05-23 05:13:53,781 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 4972 type 1 at address 0x001C3000, size 2 with Callback 0x6f4e7ee0.
2020-05-23 05:13:53,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:53,781 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x001C3000
2020-05-23 05:13:53,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 05:13:53,781 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4972 type 1 at address 0x001C003C, size 4 with Callback 0x6f4e7b30.
2020-05-23 05:13:53,796 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x001C003C
2020-05-23 05:13:53,796 [root] DEBUG: ProcessImageBase: EP 0x0000290C image base 0x00400000 size 0x0 entropy 5.270963e+00.
2020-05-23 05:13:53,796 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x001C3000 (size 0x1000).
2020-05-23 05:13:53,796 [root] DEBUG: ProtectionHandler: Adding region at 0x00260000 to tracked regions.
2020-05-23 05:13:53,796 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x723096AA (thread 4972)
2020-05-23 05:13:53,796 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00260000.
2020-05-23 05:13:53,796 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x001C3000.
2020-05-23 05:13:53,796 [root] DEBUG: AddTrackedRegion: New region at 0x00260000 size 0x6000 added to tracked regions.
2020-05-23 05:13:53,796 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1c3000: 0x0.
2020-05-23 05:13:53,796 [root] DEBUG: ProtectionHandler: Address: 0x00260000 (alloc base 0x00260000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2020-05-23 05:13:53,796 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-05-23 05:13:53,875 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 3628 type 1 at address 0x001C3000, size 2 with Callback 0x6f4e7ee0.
2020-05-23 05:13:53,875 [root] DEBUG: ProtectionHandler: Address 0x00260000 already in tracked region at 0x00260000, size 0x6000
2020-05-23 05:13:53,875 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 3628 type 1 at address 0x001C003C, size 4 with Callback 0x6f4e7b30.
2020-05-23 05:13:53,875 [root] DEBUG: ProtectionHandler: Address: 0x00260000 (alloc base 0x00260000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-05-23 05:13:53,890 [root] DEBUG: SetThreadBreakpoint: Set bp 2 thread id 3628 type 0 at address 0x001C3000, size 0 with Callback 0x6f4e7d30.
2020-05-23 05:13:53,906 [root] DEBUG: ProtectionHandler: Increased region size at 0x00260000 to 0xa000.
2020-05-23 05:13:53,921 [root] DEBUG: ProtectionHandler: New code detected at (0x00260000), scanning for PE images.
2020-05-23 05:13:53,968 [root] DEBUG: DumpPEsInRange: Scanning range 0x260000 - 0x26a000.
2020-05-23 05:13:53,968 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x260000-0x26a000.
2020-05-23 05:13:53,984 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00260000 - 0x0026A000.
2020-05-23 05:13:54,000 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\1140_054131123652020', b'9;?C:\\Windows\\Resources\\Themes\\icsys.icn.exe;?C:\\Windows\\Resources\\Themes\\icsys.icn.exe;?0x00260000;?', ['1140'], 'CAPE')
2020-05-23 05:13:54,046 [root] DEBUG: DLL loaded at 0x6E140000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-05-23 05:13:54,078 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\1140_054131123652020 (size 0x9600)
2020-05-23 05:13:54,078 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x00260000, size 0xa000
2020-05-23 05:13:54,093 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-05-23 05:13:54,125 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-05-23 05:13:54,125 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-05-23 05:13:54,281 [root] DEBUG: ProtectionHandler: Address 0x00260000 already in tracked region at 0x00260000, size 0xa000
2020-05-23 05:13:54,281 [root] DEBUG: ProtectionHandler: Address: 0x00260000 (alloc base 0x00260000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-05-23 05:13:54,296 [root] DEBUG: ProtectionHandler: New code detected at (0x00260000), scanning for PE images.
2020-05-23 05:13:54,296 [root] DEBUG: DumpPEsInRange: Scanning range 0x260000 - 0x26a000.
2020-05-23 05:13:54,296 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x260000-0x26a000.
2020-05-23 05:13:54,296 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00260000 - 0x0026A000.
2020-05-23 05:13:54,312 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\1140_136016409654131123652020', b'9;?C:\\Windows\\Resources\\Themes\\icsys.icn.exe;?C:\\Windows\\Resources\\Themes\\icsys.icn.exe;?0x00260000;?', ['1140'], 'CAPE')
2020-05-23 05:13:54,375 [root] DEBUG: Allocation: 0x001F5000 - 0x001F6000, size: 0x1000, protection: 0x40.
2020-05-23 05:13:54,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:54,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00DC0000.
2020-05-23 05:13:54,390 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00DC1000
2020-05-23 05:13:54,390 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\1140_136016409654131123652020 (size 0x9e11)
2020-05-23 05:13:54,390 [root] DEBUG: ProcessImageBase: EP 0x72887CEF image base 0x00DC0000 size 0x0 entropy 0.000000e+00.
2020-05-23 05:13:54,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001C0000.
2020-05-23 05:13:54,390 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x00260000, size 0xa000
2020-05-23 05:13:54,406 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x001F5000, size: 0x1000.
2020-05-23 05:13:54,406 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-05-23 05:13:54,406 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x001F5000.
2020-05-23 05:13:54,406 [root] DEBUG: AddTrackedRegion: New region at 0x001F0000 size 0x1000 added to tracked regions.
2020-05-23 05:13:54,406 [root] DEBUG: DLL loaded at 0x73FA0000: C:\Windows\system32\UxTheme (0x80000 bytes).
2020-05-23 05:13:54,406 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x001F0000, TrackedRegion->RegionSize: 0x1000, thread 4972
2020-05-23 05:13:54,406 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x001C0000 to 0x001F0000.
2020-05-23 05:13:54,421 [root] DEBUG: DumpPEsInRange: Scanning range 0x1c0000 - 0x1c1000.
2020-05-23 05:13:54,421 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1c0000-0x1c1000.
2020-05-23 05:13:54,421 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x001C0000 - 0x001C1000.
2020-05-23 05:13:54,421 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\1860_8114702254131123652020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\bazooka updater v.1.exe?;?C:\\Users\\Louise\\AppData\\Local\\Temp\\bazooka updater v.1.exe?;?0x001C0000;?', ['1860'], 'CAPE')
2020-05-23 05:13:54,531 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\1860_8114702254131123652020 (size 0x14)
2020-05-23 05:13:54,609 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 4972 type 1 at address 0x001F5000, size 2 with Callback 0x6f4e7ee0.
2020-05-23 05:13:54,625 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x001F5000
2020-05-23 05:13:54,625 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4972 type 1 at address 0x001F003C, size 4 with Callback 0x6f4e7b30.
2020-05-23 05:13:54,625 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x001F003C
2020-05-23 05:13:54,640 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x001F5000 (size 0x1000).
2020-05-23 05:13:54,640 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x723096AA (thread 4972)
2020-05-23 05:13:54,640 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x001F5000.
2020-05-23 05:13:54,640 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1f5000: 0x0.
2020-05-23 05:13:54,640 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-05-23 05:13:54,656 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7237E297 (thread 4972)
2020-05-23 05:13:54,656 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x001F003C.
2020-05-23 05:13:54,656 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header zero.
2020-05-23 05:13:54,656 [root] DEBUG: Allocation: 0x001FB000 - 0x001FC000, size: 0x1000, protection: 0x40.
2020-05-23 05:13:54,656 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:54,656 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00DC0000.
2020-05-23 05:13:54,671 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00DC1000
2020-05-23 05:13:54,671 [root] DEBUG: ProcessImageBase: EP 0x72887CEF image base 0x00DC0000 size 0x0 entropy 0.000000e+00.
2020-05-23 05:13:54,671 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001C0000.
2020-05-23 05:13:54,671 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001F0000.
2020-05-23 05:13:54,671 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x001F0000, size: 0x1000.
2020-05-23 05:13:54,671 [root] DEBUG: Allocation: 0x001F7000 - 0x001F8000, size: 0x1000, protection: 0x40.
2020-05-23 05:13:54,671 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:54,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00DC0000.
2020-05-23 05:13:54,687 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00DC1000
2020-05-23 05:13:54,687 [root] DEBUG: ProcessImageBase: EP 0x72887CEF image base 0x00DC0000 size 0x0 entropy 0.000000e+00.
2020-05-23 05:13:54,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001C0000.
2020-05-23 05:13:54,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001F0000.
2020-05-23 05:13:54,687 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x001F0000, size: 0x1000.
2020-05-23 05:13:54,703 [root] DEBUG: Allocation: 0x007E0000 - 0x007E1000, size: 0x1000, protection: 0x40.
2020-05-23 05:13:54,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:54,718 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00DC0000.
2020-05-23 05:13:54,718 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00DC1000
2020-05-23 05:13:54,718 [root] DEBUG: ProcessImageBase: EP 0x72887CEF image base 0x00DC0000 size 0x0 entropy 0.000000e+00.
2020-05-23 05:13:54,734 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x007E0000.
2020-05-23 05:13:54,734 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\Themes\\explorer.exe', '', False, 'files')
2020-05-23 05:13:54,734 [root] DEBUG: AddTrackedRegion: New region at 0x007E0000 size 0x1000 added to tracked regions.
2020-05-23 05:13:54,734 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x007E0000, TrackedRegion->RegionSize: 0x1000, thread 4972
2020-05-23 05:13:54,734 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x001F0000 to 0x007E0000.
2020-05-23 05:13:54,734 [root] DEBUG: DumpPEsInRange: Scanning range 0x1f0000 - 0x1f1000.
2020-05-23 05:13:54,750 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1f0000-0x1f1000.
2020-05-23 05:13:54,750 [root] INFO: ('delete_file', 'C:\\Windows\\resources\\Themes\\explorer.exe')
2020-05-23 05:13:54,750 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\Themes\\explorer.exe', '', False, 'files')
2020-05-23 05:13:54,750 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x001F0000 - 0x001F1000.
2020-05-23 05:13:54,765 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\1860_44731075054131123652020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\bazooka updater v.1.exe?;?C:\\Users\\Louise\\AppData\\Local\\Temp\\bazooka updater v.1.exe?;?0x001F0000;?', ['1860'], 'CAPE')
2020-05-23 05:13:54,828 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\1860_44731075054131123652020 (size 0x8a)
2020-05-23 05:13:54,828 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 05:13:54,828 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x001F0000.
2020-05-23 05:13:54,828 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1f0000 - 0x1f1000.
2020-05-23 05:13:54,828 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-05-23 05:13:54,828 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 05:13:54,843 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\Themes\\explorer.exe', '', False, 'files')
2020-05-23 05:13:54,859 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 4972 type 1 at address 0x007E0000, size 2 with Callback 0x6f4e7ee0.
2020-05-23 05:13:54,859 [root] DEBUG: FreeHandler: Address: 0x002A0000.
2020-05-23 05:13:54,859 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x007E0000
2020-05-23 05:13:54,859 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2a0000 - 0x2aa000.
2020-05-23 05:13:54,859 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4972 type 1 at address 0x007E003C, size 4 with Callback 0x6f4e7b30.
2020-05-23 05:13:54,875 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x1e0ff00, AllocationBase 0x0.
2020-05-23 05:13:54,875 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x007E003C
2020-05-23 05:13:54,875 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x218f428, AllocationBase 0x400000.
2020-05-23 05:13:54,875 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x007E0000 (size 0x1000).
2020-05-23 05:13:54,875 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x218fd50, AllocationBase 0x2a0000.
2020-05-23 05:13:54,875 [root] DEBUG: DropTrackedRegion: removed pages 0x2a0000-0x2aa000 from the end of the tracked region list.
2020-05-23 05:13:54,890 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x723096AA (thread 4972)
2020-05-23 05:13:54,890 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\Themes\\explorer.exe', '', False, 'files')
2020-05-23 05:13:54,890 [root] DEBUG: DLL unloaded from 0x76930000.
2020-05-23 05:13:54,890 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x007E0000.
2020-05-23 05:13:54,890 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DF9EB8B661A8C25A01.TMP', '', False, 'files')
2020-05-23 05:13:54,890 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x7e0000: 0x0.
2020-05-23 05:13:54,890 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-05-23 05:13:54,906 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x72302FD6 (thread 4972)
2020-05-23 05:13:54,906 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x007E003C.
2020-05-23 05:13:54,906 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5e00 (at 0x007E003C).
2020-05-23 05:13:54,906 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x007E0000 already exists for thread 4972 (process 1860), skipping.
2020-05-23 05:13:54,921 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x007E0000.
2020-05-23 05:13:54,921 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x72302FDE (thread 4972)
2020-05-23 05:13:54,921 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 3676).
2020-05-23 05:13:54,937 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x007E003C.
2020-05-23 05:13:54,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:54,937 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x1005e00 (at 0x007E003C).
2020-05-23 05:13:54,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 05:13:54,937 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x007E0000 already exists for thread 4972 (process 1860), skipping.
2020-05-23 05:13:54,937 [root] DEBUG: ProcessImageBase: EP 0x0000290C image base 0x00400000 size 0x0 entropy 5.479403e+00.
2020-05-23 05:13:54,937 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x007E0000.
2020-05-23 05:13:54,937 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x72302FEF (thread 4972)
2020-05-23 05:13:54,937 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x007E003C.
2020-05-23 05:13:54,953 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x1005e00 (at 0x007E003C).
2020-05-23 05:13:54,953 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x007E0000 already exists for thread 4972 (process 1860), skipping.
2020-05-23 05:13:54,953 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DF9EB8B661A8C25A01.TMP', '', False, 'files')
2020-05-23 05:13:54,953 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x007E0000.
2020-05-23 05:13:54,953 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7230301B (thread 4972)
2020-05-23 05:13:54,968 [root] INFO: Announced 32-bit process name: explorer.exe pid: 3340
2020-05-23 05:13:54,968 [lib.api.process] INFO: Monitor config for process 3340: C:\tmplodztmkc\dll\3340.ini
2020-05-23 05:13:54,968 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:54,968 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:54,968 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x007E003C.
2020-05-23 05:13:54,968 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:54,968 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x1005e71 (at 0x007E003C).
2020-05-23 05:13:54,984 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x007E0000 already exists for thread 4972 (process 1860), skipping.
2020-05-23 05:13:54,984 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x007E0000.
2020-05-23 05:13:55,000 [root] INFO: ('delete_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DF9EB8B661A8C25A01.TMP')
2020-05-23 05:13:55,000 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DF9EB8B661A8C25A01.TMP', '', False, 'files')
2020-05-23 05:13:55,031 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-05-23 05:13:55,031 [root] DEBUG: DLL loaded at 0x6E0C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-05-23 05:13:55,031 [root] WARNING: Unable to open termination event for pid 3676.
2020-05-23 05:13:55,062 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 3676).
2020-05-23 05:13:55,078 [root] DEBUG: DLL loaded at 0x76930000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-05-23 05:13:55,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:55,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:55,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 05:13:55,109 [root] DEBUG: ProcessImageBase: EP 0x0000290C image base 0x00400000 size 0x0 entropy 5.479403e+00.
2020-05-23 05:13:55,109 [root] DEBUG: Loader: Injecting process 3340 (thread 3764) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:55,171 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:55,187 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:55,187 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 05:13:55,187 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:55,203 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3340
2020-05-23 05:13:55,203 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-05-23 05:13:55,249 [root] INFO: Announced 32-bit process name: explorer.exe pid: 3340
2020-05-23 05:13:55,265 [lib.api.process] INFO: Monitor config for process 3340: C:\tmplodztmkc\dll\3340.ini
2020-05-23 05:13:55,265 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:55,265 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:55,265 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:55,296 [root] DEBUG: DLL loaded at 0x6D6B0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-05-23 05:13:55,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:55,312 [root] DEBUG: Loader: Injecting process 3340 (thread 3764) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:55,328 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:55,328 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:55,328 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-05-23 05:13:55,328 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:55,343 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3340
2020-05-23 05:13:55,390 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:13:55,390 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 05:13:55,406 [root] INFO: Disabling sleep skipping.
2020-05-23 05:13:55,406 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 05:13:55,421 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3340 at 0x6f4e0000, image base 0x400000, stack from 0x186000-0x190000
2020-05-23 05:13:55,421 [root] DEBUG: Commandline: C:\Windows\resources\Themes\explorer.exe.
2020-05-23 05:13:55,468 [root] DEBUG: set_caller_info: Adding region at 0x007E0000 to caller regions list (kernel32::SetErrorMode).
2020-05-23 05:13:55,484 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x76de0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x76e4b5f0, Wow64PrepareForException: 0x0
2020-05-23 05:13:55,484 [root] DEBUG: DumpPEsInRange: Scanning range 0x7e0000 - 0x7e1000.
2020-05-23 05:13:55,484 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x240000
2020-05-23 05:13:55,484 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 05:13:55,484 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-05-23 05:13:55,484 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x7e0000-0x7e1000.
2020-05-23 05:13:55,500 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x290c, Entropy 5.270963e+00
2020-05-23 05:13:55,500 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x007E0000 - 0x007E1000.
2020-05-23 05:13:55,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:55,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 05:13:55,515 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\1860_136346514445211823652020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\bazooka updater v.1.exe?;?C:\\Users\\Louise\\AppData\\Local\\Temp\\bazooka updater v.1.exe?;?0x007E0000;?', ['1860'], 'CAPE')
2020-05-23 05:13:55,515 [root] DEBUG: ProcessImageBase: EP 0x0000290C image base 0x00400000 size 0x0 entropy 5.270963e+00.
2020-05-23 05:13:55,546 [root] DEBUG: ProtectionHandler: Adding region at 0x00250000 to tracked regions.
2020-05-23 05:13:55,546 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00250000.
2020-05-23 05:13:55,546 [root] DEBUG: AddTrackedRegion: New region at 0x00250000 size 0x6000 added to tracked regions.
2020-05-23 05:13:55,562 [root] DEBUG: ProtectionHandler: Address: 0x00250000 (alloc base 0x00250000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2020-05-23 05:13:55,562 [root] DEBUG: ProtectionHandler: New code detected at (0x00250000), scanning for PE images.
2020-05-23 05:13:55,562 [root] DEBUG: DumpPEsInRange: Scanning range 0x250000 - 0x256000.
2020-05-23 05:13:55,578 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\1860_136346514445211823652020 (size 0x6a0)
2020-05-23 05:13:55,578 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x250000-0x256000.
2020-05-23 05:13:55,593 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00250000 - 0x00256000.
2020-05-23 05:13:55,609 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x007E0000.
2020-05-23 05:13:55,609 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\3340_118039082255131123652020', b'9;?C:\\Windows\\resources\\Themes\\explorer.exe;?C:\\Windows\\resources\\Themes\\explorer.exe;?0x00250000;?', ['3340'], 'CAPE')
2020-05-23 05:13:55,609 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x7e0000 - 0x7e1000.
2020-05-23 05:13:55,609 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x007E0000.
2020-05-23 05:13:55,656 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x007E003C.
2020-05-23 05:13:55,734 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x007E0000.
2020-05-23 05:13:55,750 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\3340_118039082255131123652020 (size 0x5161)
2020-05-23 05:13:55,765 [root] DEBUG: Allocation: 0x001CD000 - 0x001CE000, size: 0x1000, protection: 0x40.
2020-05-23 05:13:55,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:55,781 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x00250000, size 0x6000
2020-05-23 05:13:55,781 [root] DEBUG: DLL loaded at 0x73220000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-05-23 05:13:55,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00DC0000.
2020-05-23 05:13:55,796 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00DC1000
2020-05-23 05:13:55,796 [root] DEBUG: ProcessImageBase: EP 0x72887CEF image base 0x00DC0000 size 0x0 entropy 0.000000e+00.
2020-05-23 05:13:55,796 [root] DEBUG: ProtectionHandler: Address 0x00250000 already in tracked region at 0x00250000, size 0x6000
2020-05-23 05:13:55,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001C0000.
2020-05-23 05:13:55,812 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\3340_107972126855131123652020', b'9;?C:\\Windows\\resources\\Themes\\explorer.exe;?C:\\Windows\\resources\\Themes\\explorer.exe;?0x00250000;?', ['3340'], 'CAPE')
2020-05-23 05:13:55,890 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\3340_107972126855131123652020 (size 0x9600)
2020-05-23 05:13:55,890 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x00250000, size 0xa000
2020-05-23 05:13:55,890 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-05-23 05:13:55,906 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-05-23 05:13:55,906 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-05-23 05:13:55,937 [root] DEBUG: ProtectionHandler: Address 0x00250000 already in tracked region at 0x00250000, size 0xa000
2020-05-23 05:13:55,984 [root] DEBUG: ProtectionHandler: Address: 0x00250000 (alloc base 0x00250000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-05-23 05:13:55,984 [root] DEBUG: ProtectionHandler: New code detected at (0x00250000), scanning for PE images.
2020-05-23 05:13:55,984 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x250000-0x25a000.
2020-05-23 05:13:56,000 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\3340_056131123652020', b'9;?C:\\Windows\\resources\\Themes\\explorer.exe;?C:\\Windows\\resources\\Themes\\explorer.exe;?0x00250000;?', ['3340'], 'CAPE')
2020-05-23 05:13:56,015 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\3340_056131123652020 (size 0x9e11)
2020-05-23 05:13:56,046 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-05-23 05:13:56,062 [root] DEBUG: DLL loaded at 0x73FA0000: C:\Windows\system32\UxTheme (0x80000 bytes).
2020-05-23 05:13:56,281 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\spoolsv.exe', '', False, 'files')
2020-05-23 05:13:56,296 [root] INFO: ('delete_file', 'C:\\Windows\\resources\\spoolsv.exe')
2020-05-23 05:13:56,296 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\spoolsv.exe', '', False, 'files')
2020-05-23 05:13:56,390 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\spoolsv.exe', '', False, 'files')
2020-05-23 05:13:56,437 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\spoolsv.exe', '', False, 'files')
2020-05-23 05:13:56,531 [root] INFO: Announced 32-bit process name: spoolsv.exe pid: 2864
2020-05-23 05:13:56,531 [lib.api.process] INFO: Monitor config for process 2864: C:\tmplodztmkc\dll\2864.ini
2020-05-23 05:13:56,546 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:56,546 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:56,546 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:56,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:56,578 [root] DEBUG: Loader: Injecting process 2864 (thread 2636) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:56,578 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:56,578 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:56,593 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 05:13:56,593 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:56,593 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2864
2020-05-23 05:13:56,625 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-05-23 05:13:56,656 [root] INFO: Announced 32-bit process name: spoolsv.exe pid: 2864
2020-05-23 05:13:56,656 [lib.api.process] INFO: Monitor config for process 2864: C:\tmplodztmkc\dll\2864.ini
2020-05-23 05:13:56,671 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:56,671 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:56,671 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:56,703 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:56,703 [root] DEBUG: Loader: Injecting process 2864 (thread 2636) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:56,718 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:56,718 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:56,718 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-05-23 05:13:56,718 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:56,734 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2864
2020-05-23 05:13:56,750 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:13:56,765 [root] INFO: Disabling sleep skipping.
2020-05-23 05:13:56,765 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 05:13:56,765 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2864 at 0x6f4e0000, image base 0x400000, stack from 0x186000-0x190000
2020-05-23 05:13:56,859 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x76de0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x76e4b5f0, Wow64PrepareForException: 0x0
2020-05-23 05:13:56,953 [root] DEBUG: ProtectionHandler: Address 0x003E0000 already in tracked region at 0x003E0000, size 0xa000
2020-05-23 05:13:56,953 [root] DEBUG: ProtectionHandler: Address: 0x003E0000 (alloc base 0x003E0000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-05-23 05:13:56,953 [root] DEBUG: ProtectionHandler: New code detected at (0x003E0000), scanning for PE images.
2020-05-23 05:13:56,953 [root] DEBUG: DumpPEsInRange: Scanning range 0x3e0000 - 0x3ea000.
2020-05-23 05:13:56,968 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3e0000-0x3ea000.
2020-05-23 05:13:56,968 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003E0000 - 0x003EA000.
2020-05-23 05:13:56,984 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\2864_181082475256131123652020', b'9;?C:\\Windows\\resources\\spoolsv.exe;?C:\\Windows\\resources\\spoolsv.exe;?0x003E0000;?', ['2864'], 'CAPE')
2020-05-23 05:13:57,031 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\2864_181082475256131123652020 (size 0x9e11)
2020-05-23 05:13:57,031 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x003E0000, size 0xa000
2020-05-23 05:13:57,031 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-05-23 05:13:57,046 [root] DEBUG: DLL loaded at 0x73FA0000: C:\Windows\system32\UxTheme (0x80000 bytes).
2020-05-23 05:13:57,078 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\svchost.exe', '', False, 'files')
2020-05-23 05:13:57,125 [root] INFO: ('delete_file', 'C:\\Windows\\resources\\svchost.exe')
2020-05-23 05:13:57,125 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\svchost.exe', '', False, 'files')
2020-05-23 05:13:57,218 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\svchost.exe', '', False, 'files')
2020-05-23 05:13:57,328 [root] INFO: ('dump_file', 'C:\\Windows\\resources\\svchost.exe', '', False, 'files')
2020-05-23 05:13:57,390 [root] INFO: Announced 32-bit process name: svchost.exe pid: 4908
2020-05-23 05:13:57,390 [lib.api.process] INFO: Monitor config for process 4908: C:\tmplodztmkc\dll\4908.ini
2020-05-23 05:13:57,406 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:57,406 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:57,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:57,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:57,468 [root] DEBUG: Loader: Injecting process 4908 (thread 2624) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:57,468 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:57,468 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:57,484 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 05:13:57,484 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:57,500 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4908
2020-05-23 05:13:57,500 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-05-23 05:13:57,546 [root] INFO: Announced 32-bit process name: svchost.exe pid: 4908
2020-05-23 05:13:57,546 [lib.api.process] INFO: Monitor config for process 4908: C:\tmplodztmkc\dll\4908.ini
2020-05-23 05:13:57,546 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:57,546 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:57,546 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:57,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:57,593 [root] DEBUG: Loader: Injecting process 4908 (thread 2624) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:57,593 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:57,593 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:57,625 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-05-23 05:13:57,625 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:57,640 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4908
2020-05-23 05:13:57,656 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:13:57,671 [root] INFO: Disabling sleep skipping.
2020-05-23 05:13:57,671 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 05:13:57,671 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4908 at 0x6f4e0000, image base 0x400000, stack from 0x186000-0x190000
2020-05-23 05:13:57,671 [root] DEBUG: Commandline: C:\Windows\resources\svchost.exe.
2020-05-23 05:13:57,734 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x76de0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x76e4b5f0, Wow64PrepareForException: 0x0
2020-05-23 05:13:57,750 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x280000
2020-05-23 05:13:57,750 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 05:13:57,796 [root] DEBUG: ProtectionHandler: Address 0x00290000 already in tracked region at 0x00290000, size 0x6000
2020-05-23 05:13:57,796 [root] DEBUG: ProtectionHandler: Address: 0x00290000 (alloc base 0x00290000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-05-23 05:13:57,796 [root] DEBUG: ProtectionHandler: Increased region size at 0x00290000 to 0xa000.
2020-05-23 05:13:57,812 [root] DEBUG: ProtectionHandler: New code detected at (0x00290000), scanning for PE images.
2020-05-23 05:13:57,812 [root] DEBUG: DumpPEsInRange: Scanning range 0x290000 - 0x29a000.
2020-05-23 05:13:57,812 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x290000-0x29a000.
2020-05-23 05:13:57,828 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00290000 - 0x0029A000.
2020-05-23 05:13:57,843 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\4908_5863915657131123652020', b'9;?C:\\Windows\\resources\\svchost.exe;?C:\\Windows\\resources\\svchost.exe;?0x00290000;?', ['4908'], 'CAPE')
2020-05-23 05:13:57,968 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\4908_5863915657131123652020 (size 0x9600)
2020-05-23 05:13:58,031 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x00290000, size 0xa000
2020-05-23 05:13:58,046 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-05-23 05:13:58,046 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-05-23 05:13:58,062 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-05-23 05:13:58,093 [root] DEBUG: ProtectionHandler: Address 0x00290000 already in tracked region at 0x00290000, size 0xa000
2020-05-23 05:13:58,109 [root] DEBUG: ProtectionHandler: Address: 0x00290000 (alloc base 0x00290000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-05-23 05:13:58,125 [root] DEBUG: ProtectionHandler: New code detected at (0x00290000), scanning for PE images.
2020-05-23 05:13:58,125 [root] DEBUG: DumpPEsInRange: Scanning range 0x290000 - 0x29a000.
2020-05-23 05:13:58,125 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x290000-0x29a000.
2020-05-23 05:13:58,140 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00290000 - 0x0029A000.
2020-05-23 05:13:58,140 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\4908_93774130858131123652020', b'9;?C:\\Windows\\resources\\svchost.exe;?C:\\Windows\\resources\\svchost.exe;?0x00290000;?', ['4908'], 'CAPE')
2020-05-23 05:13:58,203 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\4908_93774130858131123652020 (size 0x9e11)
2020-05-23 05:13:58,203 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x00290000, size 0xa000
2020-05-23 05:13:58,218 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-05-23 05:13:58,234 [root] DEBUG: DLL loaded at 0x73FA0000: C:\Windows\system32\UxTheme (0x80000 bytes).
2020-05-23 05:13:58,515 [root] INFO: Announced 32-bit process name: spoolsv.exe pid: 2516
2020-05-23 05:13:58,546 [lib.api.process] INFO: Monitor config for process 2516: C:\tmplodztmkc\dll\2516.ini
2020-05-23 05:13:58,578 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:58,578 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:58,593 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:58,625 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:58,625 [root] DEBUG: Loader: Injecting process 2516 (thread 4168) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:58,625 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:58,640 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:58,656 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 05:13:58,656 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:58,671 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2516
2020-05-23 05:13:58,703 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-05-23 05:13:58,734 [root] INFO: Announced 32-bit process name: spoolsv.exe pid: 2516
2020-05-23 05:13:58,734 [lib.api.process] INFO: Monitor config for process 2516: C:\tmplodztmkc\dll\2516.ini
2020-05-23 05:13:58,750 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:58,750 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:58,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:58,765 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:58,796 [root] DEBUG: Loader: Injecting process 2516 (thread 4168) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:58,812 [root] DEBUG: Process image base: 0x00400000
2020-05-23 05:13:58,812 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:58,828 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-05-23 05:13:58,828 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:58,843 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2516
2020-05-23 05:13:58,906 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:13:58,906 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 05:13:58,921 [root] DEBUG: Process dumps disabled.
2020-05-23 05:13:58,921 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 05:13:58,937 [root] INFO: Disabling sleep skipping.
2020-05-23 05:13:58,937 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 05:13:58,984 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x76de0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x76e4b5f0, Wow64PrepareForException: 0x0
2020-05-23 05:13:58,984 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x280000
2020-05-23 05:13:58,984 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 05:13:58,984 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-05-23 05:13:59,000 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x290c, Entropy 5.270963e+00
2020-05-23 05:13:59,015 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-05-23 05:13:59,015 [root] INFO: loaded: b'2516'
2020-05-23 05:13:59,015 [root] INFO: Loaded monitor into process with pid 2516
2020-05-23 05:13:59,031 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:59,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 05:13:59,125 [root] DEBUG: ProcessImageBase: EP 0x0000290C image base 0x00400000 size 0x0 entropy 5.270963e+00.
2020-05-23 05:13:59,171 [root] DEBUG: ProtectionHandler: Adding region at 0x00290000 to tracked regions.
2020-05-23 05:13:59,187 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00290000.
2020-05-23 05:13:59,187 [root] DEBUG: AddTrackedRegion: New region at 0x00290000 size 0x6000 added to tracked regions.
2020-05-23 05:13:59,203 [root] DEBUG: ProtectionHandler: Address: 0x00290000 (alloc base 0x00290000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2020-05-23 05:13:59,203 [root] DEBUG: ProtectionHandler: New code detected at (0x00290000), scanning for PE images.
2020-05-23 05:13:59,234 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x290000-0x296000.
2020-05-23 05:13:59,234 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00290000 - 0x00296000.
2020-05-23 05:13:59,249 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\2516_214550245059131123652020', b'9;?C:\\Windows\\resources\\spoolsv.exe;?C:\\Windows\\resources\\spoolsv.exe;?0x00290000;?', ['2516'], 'CAPE')
2020-05-23 05:13:59,375 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\2516_214550245059131123652020 (size 0x5161)
2020-05-23 05:13:59,468 [root] DEBUG: ProtectionHandler: Address 0x00290000 already in tracked region at 0x00290000, size 0xa000
2020-05-23 05:13:59,468 [root] DEBUG: ProtectionHandler: Address: 0x00290000 (alloc base 0x00290000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-05-23 05:13:59,484 [root] DEBUG: ProtectionHandler: New code detected at (0x00290000), scanning for PE images.
2020-05-23 05:13:59,484 [root] DEBUG: DumpPEsInRange: Scanning range 0x290000 - 0x29a000.
2020-05-23 05:13:59,484 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x290000-0x29a000.
2020-05-23 05:13:59,484 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00290000 - 0x0029A000.
2020-05-23 05:13:59,500 [root] INFO: ('dump_file', 'C:\\gdljofuM\\CAPE\\2516_192338118459131123652020', b'9;?C:\\Windows\\resources\\spoolsv.exe;?C:\\Windows\\resources\\spoolsv.exe;?0x00290000;?', ['2516'], 'CAPE')
2020-05-23 05:13:59,531 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gdljofuM\CAPE\2516_192338118459131123652020 (size 0x9e11)
2020-05-23 05:13:59,531 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x00290000, size 0xa000
2020-05-23 05:13:59,546 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-05-23 05:13:59,546 [root] DEBUG: DLL loaded at 0x73FA0000: C:\Windows\system32\UxTheme (0x80000 bytes).
2020-05-23 05:13:59,578 [root] DEBUG: FreeHandler: Address: 0x00290000.
2020-05-23 05:13:59,593 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x290000 - 0x29a000.
2020-05-23 05:13:59,593 [root] DEBUG: DLL loaded at 0x732F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-05-23 05:13:59,609 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x219ec98, AllocationBase 0x0.
2020-05-23 05:13:59,609 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 05:13:59,625 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x219ed40, AllocationBase 0x400000.
2020-05-23 05:13:59,640 [root] DEBUG: FreeHandler: Address: 0x003E0000.
2020-05-23 05:13:59,640 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x219fde8, AllocationBase 0x290000.
2020-05-23 05:13:59,640 [root] DEBUG: DropTrackedRegion: removed pages 0x290000-0x29a000 from the end of the tracked region list.
2020-05-23 05:13:59,640 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3ea000.
2020-05-23 05:13:59,640 [root] INFO: Announced 64-bit process name: explorer.exe pid: 2660
2020-05-23 05:13:59,656 [lib.api.process] INFO: Monitor config for process 2660: C:\tmplodztmkc\dll\2660.ini
2020-05-23 05:13:59,656 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:59,656 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:59,656 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\IgGXdq.dll, loader C:\tmplodztmkc\bin\UzMnCgbG.exe
2020-05-23 05:13:59,656 [root] DEBUG: DLL unloaded from 0x76930000.
2020-05-23 05:13:59,671 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x220ec98, AllocationBase 0x0.
2020-05-23 05:13:59,671 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DFA4988132E1D63F1B.TMP', '', False, 'files')
2020-05-23 05:13:59,703 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x220ed40, AllocationBase 0x400000.
2020-05-23 05:13:59,703 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 4280
2020-05-23 05:13:59,718 [lib.api.process] INFO: Monitor config for process 4280: C:\tmplodztmkc\dll\4280.ini
2020-05-23 05:13:59,718 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2516).
2020-05-23 05:13:59,718 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x220ede8, AllocationBase 0x3e0000.
2020-05-23 05:13:59,718 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:59,718 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:59,734 [root] DEBUG: DropTrackedRegion: removed pages 0x3e0000-0x3ea000 from the end of the tracked region list.
2020-05-23 05:13:59,734 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:13:59,734 [root] DEBUG: Loader: Injecting process 2660 (thread 4416) with C:\tmplodztmkc\dll\IgGXdq.dll.
2020-05-23 05:13:59,734 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 05:13:59,750 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:13:59,750 [root] DEBUG: DLL unloaded from 0x76930000.
2020-05-23 05:13:59,750 [root] DEBUG: Process image base: 0x00000000FFE40000
2020-05-23 05:13:59,750 [root] DEBUG: ProcessImageBase: EP 0x0000290C image base 0x00400000 size 0x0 entropy 5.479476e+00.
2020-05-23 05:13:59,750 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DF88AD69C4AE2573FB.TMP', '', False, 'files')
2020-05-23 05:13:59,750 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IgGXdq.dll.
2020-05-23 05:13:59,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:13:59,765 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DFA4988132E1D63F1B.TMP', '', False, 'files')
2020-05-23 05:13:59,765 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2864).
2020-05-23 05:13:59,765 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-05-23 05:13:59,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:59,796 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-05-23 05:13:59,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 05:13:59,843 [root] INFO: ('delete_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DFA4988132E1D63F1B.TMP')
2020-05-23 05:13:59,843 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DFA4988132E1D63F1B.TMP', '', False, 'files')
2020-05-23 05:13:59,859 [root] DEBUG: ProcessImageBase: EP 0x0000290C image base 0x00400000 size 0x0 entropy 5.479476e+00.
2020-05-23 05:13:59,875 [root] DEBUG: Error -1073741515 (0xc0000135) - InjectDllViaThread: RtlCreateUserThread injection failed: (null)
2020-05-23 05:13:59,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:13:59,875 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-05-23 05:13:59,875 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-05-23 05:13:59,890 [root] DEBUG: Loader: Injecting process 4280 (thread 5104) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:59,890 [root] DEBUG: Process image base: 0x00A00000
2020-05-23 05:13:59,890 [root] WARNING: Unable to open termination event for pid 2516.
2020-05-23 05:13:59,890 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DF88AD69C4AE2573FB.TMP', '', False, 'files')
2020-05-23 05:13:59,890 [root] DEBUG: Failed to inject DLL C:\tmplodztmkc\dll\IgGXdq.dll.
2020-05-23 05:13:59,906 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 2660, error: 4294967288
2020-05-23 05:13:59,906 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:59,953 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 05:13:59,953 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2516).
2020-05-23 05:13:59,953 [root] INFO: ('delete_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DF88AD69C4AE2573FB.TMP')
2020-05-23 05:13:59,953 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DF88AD69C4AE2573FB.TMP', '', False, 'files')
2020-05-23 05:13:59,968 [root] INFO: ('delete_file', 'C:\\Windows\\System32\\explorer.exe')
2020-05-23 05:13:59,968 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:13:59,968 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:13:59,968 [root] INFO: ('dump_file', 'C:\\Windows\\System32\\explorer.exe', '', False, 'files')
2020-05-23 05:13:59,984 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4280
2020-05-23 05:13:59,984 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 05:14:00,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 05:14:00,062 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-05-23 05:14:00,093 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 4280
2020-05-23 05:14:00,125 [root] DEBUG: ProcessImageBase: EP 0x0000290C image base 0x00400000 size 0x0 entropy 5.479476e+00.
2020-05-23 05:14:00,140 [lib.api.process] INFO: Monitor config for process 4280: C:\tmplodztmkc\dll\4280.ini
2020-05-23 05:14:00,140 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:14:00,140 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:14:00,140 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:14:00,156 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2864).
2020-05-23 05:14:00,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:14:00,281 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 05:14:00,281 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:14:00,281 [root] DEBUG: ProcessImageBase: EP 0x0000290C image base 0x00400000 size 0x0 entropy 5.479476e+00.
2020-05-23 05:14:00,296 [root] DEBUG: Loader: Injecting process 4280 (thread 5104) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:14:00,312 [root] DEBUG: Process image base: 0x00A00000
2020-05-23 05:14:00,328 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:14:00,328 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-05-23 05:14:00,343 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:14:00,375 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4280
2020-05-23 05:14:00,375 [root] INFO: ('delete_file', 'C:\\Windows\\System32\\explorer.exe')
2020-05-23 05:14:00,375 [root] INFO: ('dump_file', 'C:\\Windows\\System32\\explorer.exe', '', False, 'files')
2020-05-23 05:14:00,437 [root] INFO: ('delete_file', 'C:\\Windows\\System32\\explorer.exe')
2020-05-23 05:14:00,453 [root] INFO: ('dump_file', 'C:\\Windows\\System32\\explorer.exe', '', False, 'files')
2020-05-23 05:14:00,531 [root] INFO: ('delete_file', 'C:\\Windows\\System32\\explorer.exe')
2020-05-23 05:14:00,531 [root] INFO: ('dump_file', 'C:\\Windows\\System32\\explorer.exe', '', False, 'files')
2020-05-23 05:14:00,578 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:14:00,578 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 05:14:00,625 [root] DEBUG: Process dumps disabled.
2020-05-23 05:14:00,625 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 05:14:00,640 [root] INFO: Disabling sleep skipping.
2020-05-23 05:14:00,640 [root] INFO: ('delete_file', 'C:\\Windows\\System32\\explorer.exe')
2020-05-23 05:14:00,640 [root] INFO: ('dump_file', 'C:\\Windows\\System32\\explorer.exe', '', False, 'files')
2020-05-23 05:14:00,718 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 05:14:00,734 [root] INFO: ('delete_file', 'C:\\Windows\\System32\\explorer.exe')
2020-05-23 05:14:00,734 [root] INFO: ('dump_file', 'C:\\Windows\\System32\\explorer.exe', '', False, 'files')
2020-05-23 05:14:00,734 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4280 at 0x6f4e0000, image base 0xa00000, stack from 0x1e6000-0x1f0000
2020-05-23 05:14:00,750 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 05:14:00,765 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\schtasks \create \tn "svchost" \tr "c:\windows\resources\svchost.exe" \sc daily \st 12:16 \f.
2020-05-23 05:14:00,796 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-05-23 05:14:00,890 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 05:14:00,906 [root] DEBUG: FreeHandler: Address: 0x00260000.
2020-05-23 05:14:00,906 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x76de0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x76e4b5f0, Wow64PrepareForException: 0x0
2020-05-23 05:14:00,921 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x180000
2020-05-23 05:14:00,937 [root] INFO: ('delete_file', 'C:\\Windows\\System32\\explorer.exe')
2020-05-23 05:14:00,937 [root] INFO: ('dump_file', 'C:\\Windows\\System32\\explorer.exe', '', False, 'files')
2020-05-23 05:14:00,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x260000 - 0x26a000.
2020-05-23 05:14:00,953 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 05:14:01,000 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x219ecd0, AllocationBase 0x0.
2020-05-23 05:14:01,015 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00A00000.
2020-05-23 05:14:01,031 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x219ed78, AllocationBase 0x400000.
2020-05-23 05:14:01,078 [root] INFO: Stopping Task Scheduler Service
2020-05-23 05:14:01,453 [root] INFO: Stopped Task Scheduler Service
2020-05-23 05:14:01,562 [root] INFO: Starting Task Scheduler Service
2020-05-23 05:14:01,734 [root] INFO: Started Task Scheduler Service
2020-05-23 05:14:01,781 [lib.api.process] INFO: Monitor config for process 848: C:\tmplodztmkc\dll\848.ini
2020-05-23 05:14:01,812 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:14:01,812 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:14:01,828 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\IgGXdq.dll, loader C:\tmplodztmkc\bin\UzMnCgbG.exe
2020-05-23 05:14:01,859 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:14:01,859 [root] DEBUG: Loader: Injecting process 848 (thread 0) with C:\tmplodztmkc\dll\IgGXdq.dll.
2020-05-23 05:14:01,875 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFDB000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFD5000: The operation completed successfully.
2020-05-23 05:14:01,890 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-05-23 05:14:01,890 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-05-23 05:14:01,937 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:14:02,000 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 05:14:02,000 [root] DEBUG: Process dumps disabled.
2020-05-23 05:14:02,031 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 05:14:02,093 [root] INFO: Disabling sleep skipping.
2020-05-23 05:14:02,109 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 848 at 0x000000006D5A0000, image base 0x00000000FFAF0000, stack from 0x0000000003A06000-0x0000000003A10000
2020-05-23 05:14:02,125 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-05-23 05:14:02,187 [root] WARNING: b'Unable to place hook on LockResource'
2020-05-23 05:14:02,203 [root] WARNING: b'Unable to hook LockResource'
2020-05-23 05:14:02,218 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 05:14:02,249 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00000000FFAF0000.
2020-05-23 05:14:02,265 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFAF0000 size 0x1000 added to tracked regions: EntryPoint 0x246c, Entropy 3.679267e+00
2020-05-23 05:14:02,281 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-05-23 05:14:02,281 [root] INFO: loaded: b'848'
2020-05-23 05:14:02,281 [root] INFO: Loaded monitor into process with pid 848
2020-05-23 05:14:02,296 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-05-23 05:14:02,312 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-05-23 05:14:02,328 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IgGXdq.dll.
2020-05-23 05:14:04,390 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-05-23 05:14:04,406 [root] DEBUG: DLL loaded at 0x73310000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2020-05-23 05:14:04,640 [root] DEBUG: DLL loaded at 0x731F0000: C:\Windows\SysWOW64\XmlLite (0x2f000 bytes).
2020-05-23 05:14:05,218 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 4280).
2020-05-23 05:14:05,218 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:14:05,218 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00A00000.
2020-05-23 05:14:05,218 [root] DEBUG: ProcessImageBase: EP 0x00017683 image base 0x00A00000 size 0x0 entropy 5.591475e+00.
2020-05-23 05:14:05,234 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-05-23 05:14:05,234 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 4280).
2020-05-23 05:14:05,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:14:05,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00A00000.
2020-05-23 05:14:05,265 [root] DEBUG: ProcessImageBase: EP 0x00017683 image base 0x00A00000 size 0x0 entropy 5.591475e+00.
2020-05-23 05:14:18,187 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF17F0000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-05-23 05:14:22,859 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6BA0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-05-23 05:14:29,593 [root] DEBUG: DLL unloaded from 0x74DF0000.
2020-05-23 05:14:30,140 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5780000 to caller regions list (advapi32::RegOpenKeyExW).
2020-05-23 05:14:30,140 [root] DEBUG: DLL unloaded from 0x000007FEFBCE0000.
2020-05-23 05:14:31,921 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4D80000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-05-23 05:15:00,406 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4260.
2020-05-23 05:15:00,468 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 1692
2020-05-23 05:15:00,468 [lib.api.process] INFO: Monitor config for process 1692: C:\tmplodztmkc\dll\1692.ini
2020-05-23 05:15:00,484 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:15:00,484 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:15:00,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:15:00,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:15:00,578 [root] DEBUG: Loader: Injecting process 1692 (thread 2648) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:15:00,593 [root] DEBUG: Process image base: 0x00F50000
2020-05-23 05:15:00,593 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:15:00,593 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 05:15:00,593 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:15:00,609 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1692
2020-05-23 05:15:00,656 [root] DEBUG: set_caller_info: Adding region at 0x000007FEEF9B0000 to caller regions list (msvcrt::memcpy).
2020-05-23 05:15:00,656 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 1692
2020-05-23 05:15:00,671 [lib.api.process] INFO: Monitor config for process 1692: C:\tmplodztmkc\dll\1692.ini
2020-05-23 05:15:00,671 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:15:00,671 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:15:00,671 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:15:00,781 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:15:00,796 [root] DEBUG: Loader: Injecting process 1692 (thread 2648) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:15:00,843 [root] DEBUG: Process image base: 0x00F50000
2020-05-23 05:15:00,859 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:15:00,859 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-05-23 05:15:00,859 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:15:00,859 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1692
2020-05-23 05:15:00,921 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:15:00,937 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 05:15:00,937 [root] DEBUG: Process dumps disabled.
2020-05-23 05:15:01,062 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 05:15:01,281 [root] DEBUG: DLL loaded at 0x72B20000: C:\Windows\SysWOW64\XmlLite (0x2f000 bytes).
2020-05-23 05:15:01,531 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1692).
2020-05-23 05:15:01,531 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:15:01,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00F50000.
2020-05-23 05:15:01,546 [root] DEBUG: ProcessImageBase: EP 0x00017683 image base 0x00F50000 size 0x0 entropy 5.588291e+00.
2020-05-23 05:15:22,000 [root] DEBUG: DLL unloaded from 0x000007FEFD7A0000.
2020-05-23 05:16:00,875 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1528.
2020-05-23 05:16:00,875 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-05-23 05:16:00,906 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3192
2020-05-23 05:16:00,906 [lib.api.process] INFO: Monitor config for process 3192: C:\tmplodztmkc\dll\3192.ini
2020-05-23 05:16:00,921 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:16:00,921 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:16:00,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:16:00,937 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:16:00,953 [root] DEBUG: Loader: Injecting process 3192 (thread 3624) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:16:00,953 [root] DEBUG: Process image base: 0x00BE0000
2020-05-23 05:16:00,953 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:16:00,968 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 05:16:00,968 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:16:00,968 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3192
2020-05-23 05:16:01,015 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3192
2020-05-23 05:16:01,015 [lib.api.process] INFO: Monitor config for process 3192: C:\tmplodztmkc\dll\3192.ini
2020-05-23 05:16:01,015 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:16:01,015 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:16:01,015 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:16:01,125 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:16:01,125 [root] DEBUG: Loader: Injecting process 3192 (thread 3624) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:16:01,125 [root] DEBUG: Process image base: 0x00BE0000
2020-05-23 05:16:01,125 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:16:01,125 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-05-23 05:16:01,140 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:16:01,140 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3192
2020-05-23 05:16:01,187 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 05:16:01,265 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-05-23 05:16:01,281 [root] DEBUG: DLL loaded at 0x73310000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2020-05-23 05:16:01,296 [root] DEBUG: DLL loaded at 0x72AF0000: C:\Windows\SysWOW64\XmlLite (0x2f000 bytes).
2020-05-23 05:16:01,531 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 3192).
2020-05-23 05:16:01,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:16:30,906 [root] DEBUG: DLL unloaded from 0x74DF0000.
2020-05-23 05:17:01,140 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4048.
2020-05-23 05:17:01,156 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-05-23 05:17:01,203 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3360
2020-05-23 05:17:01,218 [lib.api.process] INFO: Monitor config for process 3360: C:\tmplodztmkc\dll\3360.ini
2020-05-23 05:17:01,234 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:17:01,234 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:17:01,234 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:17:01,265 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:17:01,281 [root] DEBUG: Loader: Injecting process 3360 (thread 3468) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:17:01,281 [root] DEBUG: Process image base: 0x00F60000
2020-05-23 05:17:01,281 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:17:01,281 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 05:17:01,281 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:17:01,296 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3360
2020-05-23 05:17:01,375 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3360
2020-05-23 05:17:01,375 [lib.api.process] INFO: Monitor config for process 3360: C:\tmplodztmkc\dll\3360.ini
2020-05-23 05:17:01,453 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:17:01,453 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:17:01,500 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:17:01,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:17:01,640 [root] DEBUG: Loader: Injecting process 3360 (thread 3468) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:17:01,640 [root] DEBUG: Process image base: 0x00F60000
2020-05-23 05:17:01,640 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:17:01,656 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-05-23 05:17:01,656 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:17:01,656 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3360
2020-05-23 05:17:01,859 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3360
2020-05-23 05:17:01,859 [lib.api.process] INFO: Monitor config for process 3360: C:\tmplodztmkc\dll\3360.ini
2020-05-23 05:17:01,859 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 05:17:01,859 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 05:17:01,859 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\FvqNVoqE.dll, loader C:\tmplodztmkc\bin\IYacyTe.exe
2020-05-23 05:17:01,921 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\Wzdwcl.
2020-05-23 05:17:01,921 [root] DEBUG: Loader: Injecting process 3360 (thread 656) with C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:17:01,921 [root] DEBUG: Process image base: 0x00F60000
2020-05-23 05:17:01,921 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-05-23 05:17:01,921 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-05-23 05:17:01,921 [root] DEBUG: set_caller_info: Adding region at 0x002C0000 to caller regions list (ntdll::LdrLoadDll).
2020-05-23 05:17:01,937 [root] DEBUG: DLL loaded at 0x03AB0000: C:\tmplodztmkc\dll\FvqNVoqE (0xd5000 bytes).
2020-05-23 05:17:01,968 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-05-23 05:17:01,984 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 05:17:01,984 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-05-23 05:17:02,031 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 05:17:02,031 [root] DEBUG: DLL unloaded from 0x03AB0000.
2020-05-23 05:17:02,031 [root] DEBUG: Error 998 (0x3e6) - InjectDllViaThread: RtlCreateUserThread injection failed: Invalid access to memory location.
2020-05-23 05:17:02,046 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-05-23 05:17:02,046 [root] DEBUG: Failed to inject DLL C:\tmplodztmkc\dll\FvqNVoqE.dll.
2020-05-23 05:17:02,109 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3360, error: 4294967288
2020-05-23 05:17:02,125 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-05-23 05:17:02,125 [root] DEBUG: DLL loaded at 0x73310000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2020-05-23 05:17:02,249 [root] DEBUG: DLL loaded at 0x731F0000: C:\Windows\SysWOW64\XmlLite (0x2f000 bytes).
2020-05-23 05:17:02,468 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 3360).
2020-05-23 05:17:02,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:17:02,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00F60000.
2020-05-23 05:17:02,484 [root] DEBUG: ProcessImageBase: EP 0x00017683 image base 0x00F60000 size 0x0 entropy 5.581552e+00.
2020-05-23 05:17:02,484 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-05-23 05:17:11,828 [root] INFO: Analysis timeout hit, terminating analysis.
2020-05-23 05:17:11,843 [lib.api.process] ERROR: Failed to open terminate event for pid 3676
2020-05-23 05:17:11,843 [root] INFO: Terminate event set for process 3676.
2020-05-23 05:17:11,843 [lib.api.process] INFO: Terminate event set for process 1860
2020-05-23 05:17:11,859 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 1860).
2020-05-23 05:17:11,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 05:17:11,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00DC0000.
2020-05-23 05:17:11,937 [lib.api.process] INFO: Termination confirmed for process 1860
2020-05-23 05:17:11,937 [root] INFO: Terminate event set for process 1860.
2020-05-23 05:17:11,937 [lib.api.process] ERROR: Failed to open terminate event for pid 1140
2020-05-23 05:17:11,937 [root] INFO: Terminate event set for process 1140.
2020-05-23 05:17:11,937 [lib.api.process] ERROR: Failed to open terminate event for pid 2516
2020-05-23 05:17:11,937 [root] INFO: Terminate event set for process 2516.
2020-05-23 05:17:11,937 [lib.api.process] INFO: Terminate event set for process 848
2020-05-23 05:17:11,953 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 848).
2020-05-23 05:17:11,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-05-23 05:17:11,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFAF0000.
2020-05-23 05:17:11,953 [root] DEBUG: ProcessImageBase: EP 0x000000000000246C image base 0x00000000FFAF0000 size 0x0 entropy 3.679267e+00.
2020-05-23 05:17:11,953 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 4100, handle 0xef0).
2020-05-23 05:17:11,953 [root] DEBUG: Terminate Event: Skipping dump of process 848
2020-05-23 05:17:11,968 [lib.api.process] INFO: Termination confirmed for process 848
2020-05-23 05:17:11,984 [root] INFO: Terminate event set for process 848.
2020-05-23 05:17:11,984 [root] INFO: Created shutdown mutex.
2020-05-23 05:17:12,984 [root] INFO: Shutting down package.
2020-05-23 05:17:12,984 [root] INFO: Stopping auxiliary modules.
2020-05-23 05:17:13,031 [root] INFO: ('dump_file', 'C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf', '', False, 'files')
2020-05-23 05:17:13,296 [lib.common.results] WARNING: File C:\gdljofuM\bin\procmon.xml doesn't exist anymore
2020-05-23 05:17:13,296 [root] INFO: Finishing auxiliary modules.
2020-05-23 05:17:13,296 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-05-23 05:17:13,296 [root] WARNING: Folder at path "C:\gdljofuM\debugger" does not exist, skip.
2020-05-23 05:17:13,390 [root] WARNING: Monitor injection attempted but failed for process 3340.
2020-05-23 05:17:13,390 [root] WARNING: Monitor injection attempted but failed for process 2864.
2020-05-23 05:17:13,437 [root] WARNING: Monitor injection attempted but failed for process 4908.
2020-05-23 05:17:13,437 [root] WARNING: Monitor injection attempted but failed for process 2660.
2020-05-23 05:17:13,437 [root] WARNING: Monitor injection attempted but failed for process 4280.
2020-05-23 05:17:13,437 [root] WARNING: Monitor injection attempted but failed for process 1692.
2020-05-23 05:17:13,437 [root] WARNING: Monitor injection attempted but failed for process 3192.
2020-05-23 05:17:13,437 [root] WARNING: Monitor injection attempted but failed for process 3360.
2020-05-23 05:17:13,437 [root] INFO: Analysis completed.

Machine

Name win7x64_4
Label win7x64_8
Manager KVM
Started On 2020-05-23 05:13:05
Shutdown On 2020-05-23 05:17:19

File Details

File Name BaZooka Updater V.1.exe
File Size 145020 bytes
File Type MS-DOS executable, MZ for MS-DOS
PE timestamp 2013-04-01 07:08:22
MD5 4d7fdf4d057a3a039fff349c1576175f
SHA1 c145750af1aa742abbef41e6e614baea3470e364
SHA256 7ae701b0db8e0bc86f1c9d084fb3bb3ffd1d45fbe7ca73644083da8d9d231ab3
SHA512 664399c3041777f89b8860ec6c7f94b66a2f6b1efe1c8114d08291f1fe35b21ffd348bd7da0dc67ba674487df1c5fa70ad9f78764328744d1c9774a1fe480991
CRC32 BC3B7ACA
Ssdeep 3072:UVqoCl/YgjxEufVU0TbTyDDalRt////////////////////////////////////Z:UsLqdufVUNDa5//////////////////5

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\Louise\AppData\Local\Temp\~DF9EB8B661A8C25A01.TMP
DeletedFile: C:\Windows\resources\Themes\explorer.exe
DeletedFile: C:\Users\Louise\AppData\Local\Temp\~DFD352ACF08747F73A.TMP
DeletedFile: C:\Windows\resources\spoolsv.exe
DeletedFile: C:\Windows\System32\explorer.exe
DeletedFile: C:\Windows\System32\explorer.exe
DeletedFile: C:\Windows\System32\explorer.exe
DeletedFile: C:\Windows\System32\explorer.exe
DeletedFile: C:\Windows\Resources\tjud.exe
DeletedFile: C:\Windows\Resources\tjud.exe
DeletedFile: C:\Windows\Resources\tjud.exe
DeletedFile: C:\Windows\resources\svchost.exe
DeletedFile: C:\Users\Louise\AppData\Local\Temp\~DF88AD69C4AE2573FB.TMP
DeletedFile: C:\Windows\System32\explorer.exe
DeletedFile: C:\Windows\System32\explorer.exe
DeletedFile: C:\Windows\System32\explorer.exe
DeletedFile: C:\Windows\System32\explorer.exe
DeletedFile: C:\Users\Louise\AppData\Local\Temp\~DFA4988132E1D63F1B.TMP
DeletedFile: C:\Windows\Tasks\svchost.job
DeletedFile: C:\Windows\Tasks\svchost.job
DeletedFile: C:\Windows\Tasks\svchost.job
DeletedFile: C:\Windows\Tasks\svchost.job
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: svchost.exe tried to sleep 540.36 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: ole32.dll/CLSIDFromOle1Class
DynamicLoader: CLBCatQ.DLL/GetCatalogObject
DynamicLoader: CLBCatQ.DLL/GetCatalogObject2
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: PSAPI.DLL/GetModuleFileNameExA
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetFileAttributesA
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/SetConsoleTitle
DynamicLoader: KERNEL32.dll/SetConsoleTitleW
DynamicLoader: KERNEL32.dll/GetStdHandle
DynamicLoader: KERNEL32.dll/GetConsoleScreenBufferInfo
DynamicLoader: KERNEL32.dll/SetConsoleTextAttribute
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/GetConsoleOutputCP
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/GetConsoleCP
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: kernel32.dll/IsTNT
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: ole32.dll/CLSIDFromOle1Class
Expresses interest in specific running processes
process: svchost.exe
process: explorer.exe
Reads data out of its own binary image
self_read: process: BaZooka Updater V.1.exe, pid: 3676, offset: 0x00000000, length: 0x0002367c
self_read: process: icsys.icn.exe, pid: 1140, offset: 0x00000000, length: 0x0001e000
self_read: process: icsys.icn.exe, pid: 1140, offset: 0x00021c4a, length: 0x00000019
self_read: process: explorer.exe, pid: 3340, offset: 0x00000000, length: 0x0001e000
self_read: process: explorer.exe, pid: 3340, offset: 0x00021c74, length: 0x00000019
self_read: process: spoolsv.exe, pid: 2864, offset: 0x00000000, length: 0x0001e000
self_read: process: spoolsv.exe, pid: 2864, offset: 0x021c9cc2, length: 0x00000004
self_read: process: spoolsv.exe, pid: 2864, offset: 0x021ca0c2, length: 0x00000015
self_read: process: svchost.exe, pid: 4908, offset: 0x021c84c2, length: 0x00000015
CAPE extracted potentially suspicious content
explorer.exe: Extracted Shellcode
bazooka updater v.1.exe?: Extracted Shellcode
icsys.icn.exe: Extracted Shellcode
svchost.exe: Extracted Shellcode
spoolsv.exe: Extracted Shellcode
bazooka updater v.1.exe?: Extracted Shellcode
svchost.exe: Extracted Shellcode
BaZooka Updater V.1.exe: Extracted Shellcode
spoolsv.exe: Extracted Shellcode
explorer.exe: Extracted Shellcode
bazooka updater v.1.exe?: Extracted Shellcode
BaZooka Updater V.1.exe: Extracted Shellcode
explorer.exe: Extracted Shellcode
icsys.icn.exe: Extracted Shellcode
BaZooka Updater V.1.exe: Extracted Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\BaZooka Updater V.1.exe
Uses Windows utilities for basic functionality
command: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:16 /f
command: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:29 /f
command: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:44 /f
command: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:58 /f
Installs itself for autorun at Windows startup
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost
data: c:\windows\resources\svchost.exe RO
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer
data: c:\windows\resources\themes\explorer.exe RO
Installs itself for autorun at Windows startup
task: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:16 /f
Network activity detected but not expressed in API logs
File has been identified by 64 Antiviruses on VirusTotal as malicious
Bkav: W32.WatermarkHQc.PE
MicroWorld-eScan: Trojan.GenericKD.30681149
CMC: Trojan.Win32.Agent!O
CAT-QuickHeal: W32.Mofksys.A4
Qihoo-360: HEUR/QVM03.0.68D5.Malware.Gen
McAfee: W32/Swisyn.b
Cylance: Unsafe
Zillya: Virus.HLLP.Win32.1
Sangfor: Malware
K7AntiVirus: P2PWorm ( 00526bf61 )
K7GW: P2PWorm ( 00526bf61 )
Cybereason: malicious.d057a3
Invincea: heuristic
Baidu: Win32.Worm.VB.b
F-Prot: W32/Trojan2.PWYM
Symantec: W32.Gosys
ESET-NOD32: Win32/VB.OOF
APEX: Malicious
ClamAV: Win.Trojan.VBGeneric-6735875-0
Kaspersky: Trojan.Win32.Agent.xjgj
BitDefender: Trojan.GenericKD.30681149
NANO-Antivirus: Trojan.Win32.Swisyn.flhacn
Avast: Win32:VB-OJQ [Wrm]
Rising: Trojan.Agent!1.6A70 (CLASSIC)
Ad-Aware: Trojan.GenericKD.30681149
Sophos: Troj/Agent-ABZF
F-Secure: Worm.WORM/Mofksys.bouem
DrWeb: Win32.HLLP.Swisyn
VIPRE: Trojan.Win32.Agent.abzf (v)
TrendMicro: PE_SWISB.A
McAfee-GW-Edition: BehavesLike.Win32.Swisyn.cm
Trapmine: malicious.high.ml.score
FireEye: Generic.mg.4d7fdf4d057a3a03
Emsisoft: Trojan.GenericKD.30681149 (B)
Ikarus: Worm.Mofksys
Cyren: W32/Trojan.UEJO-9077
Jiangmin: Trojan/Agent.hxgb
Webroot: W32.Malware.Gen
Avira: WORM/Mofksys.bouem
Antiy-AVL: Trojan/Win32.Agent
Microsoft: Worm:Win32/Mofksys.R!MTB
Endgame: malicious (high confidence)
Arcabit: Trojan.Generic.D1D4283D
ZoneAlarm: Trojan.Win32.Agent.xjgj
GData: Trojan.GenericKD.30681149
AhnLab-V3: Worm/Win32.Mofksys.R198176
Acronis: suspicious
BitDefenderTheta: AI:Packer.FB4C4F7A20
ALYac: Trojan.GenericKD.30681149
MAX: malware (ai score=84)
VBA32: TScope.Trojan.VB
Malwarebytes: Trojan.Dropper
Zoner: Trojan.Win32.88925
TrendMicro-HouseCall: PE_SWISB.A
Tencent: Malware.Win32.Gencirc.10b08f85
Yandex: Trojan.Agent!UzORkEWgCoA
SentinelOne: DFI - Malicious PE
eGambit: Unsafe.AI_Score_72%
Fortinet: W32/VB.QCC!tr.dldr
AVG: Win32:VB-OJQ [Wrm]
Panda: Trj/Spy.AT
CrowdStrike: win/malicious_confidence_100% (D)
MaxSecure: Virus.W32.Agent.xjgj
Drops a binary and executes it
binary: C:\Windows\resources\spoolsv.exe
binary: C:\Windows\resources\svchost.exe
binary: C:\Windows\Resources\Themes\icsys.icn.exe
binary: C:\Windows\resources\Themes\explorer.exe
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header
Attempts to modify Explorer settings to prevent hidden files from being displayed

Screenshots


Hosts

Direct  IP       Country Name
Y       8.8.8.8  United States
Y       1.1.1.1  Australia

DNS

No domains contacted.


Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\BaZooka Updater V.1.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\Louise\AppData\Local\Temp\~DF9EB8B661A8C25A01.TMP
C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.exe\xa0
C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.exe\xa0.config
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\System32\api-ms-win-core-quirks-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\BaZooka Updater V.1\*
C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Resources\Themes\icsys.icn.exe.cfg
C:\Users\Louise\AppData\Local\Temp\~DFD352ACF08747F73A.TMP
C:\Windows\resources\Themes\icsys.icn.exe
C:\Windows\resources\Themes\explorer.exe
C:\Windows\System32\tzres.dll
C:\Windows\resources\Themes\explorer.exe.cfg
C:\Users\Louise\AppData\Local\Temp\~DF5A122C12BB88B70D.TMP
C:\Windows\resources\spoolsv.exe
C:\Windows\userinit.exe
C:\Windows\svchost.exe
C:\Windows\spoolsv.exe
C:\Windows\system\explorer.exe
C:\Windows\system\svchost.exe
C:\Windows\system\spoolsv.exe
C:\Windows\System32\explorer.exe
C:\Windows\System32\drivers\explorer.exe
C:\Windows\System32\drivers\userinit.exe
C:\Windows\System32\drivers\svchost.exe
C:\Windows\System32\drivers\spoolsv.exe
C:\Windows\Resources\Themes\tjcm.cmn
C:\Windows\Resources\tjud.exe
C:\Windows\resources\spoolsv.exe.cfg
C:\Users\Louise\AppData\Local\Temp\~DF88AD69C4AE2573FB.TMP
C:\Windows\resources\svchost.exe
C:\Windows\resources\svchost.exe.cfg
C:\Users\Louise\AppData\Local\Temp\~DF9293E81FC7D6314B.TMP
C:\Users\Louise\AppData\Local\Temp\~DFA4988132E1D63F1B.TMP
C:\Windows\sysnative\Tasks
C:\Windows\sysnative\Tasks\*
C:\Windows\sysnative\Tasks\AutoKMS
C:\Windows\Tasks\svchost.job
C:\Windows\sysnative\Tasks\svchost
C:\Windows\sysnative\Tasks\
\??\MountPointManager
C:\Windows\SysWOW64\schtasks.exe
C:\Windows
C:\Windows\SysWOW64
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\*.*
C:\Windows\SysWOW64\ui\SwDRM.dll
C:\Windows\SysWOW64\cmd.exe
C:\Windows\appcompat\Programs\RecentFileCache.bcf
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\~DF9EB8B661A8C25A01.TMP
C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.exe\xa0.config
C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.exe\xa0
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Users\Louise\AppData\Local\Temp\~DFD352ACF08747F73A.TMP
C:\Windows\resources\Themes\icsys.icn.exe
C:\Windows\resources\Themes\explorer.exe
C:\Windows\System32\tzres.dll
C:\Users\Louise\AppData\Local\Temp\~DF5A122C12BB88B70D.TMP
C:\Windows\resources\spoolsv.exe
C:\Windows\Resources\Themes\tjcm.cmn
C:\Users\Louise\AppData\Local\Temp\~DF88AD69C4AE2573FB.TMP
C:\Windows\resources\svchost.exe
C:\Users\Louise\AppData\Local\Temp\~DF9293E81FC7D6314B.TMP
C:\Users\Louise\AppData\Local\Temp\~DFA4988132E1D63F1B.TMP
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\cmd.exe
C:\Windows\appcompat\Programs\RecentFileCache.bcf
C:\Users\Louise\AppData\Local\Temp\~DF9EB8B661A8C25A01.TMP
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.exe\xa0
C:\Users\Louise\AppData\Local\Temp\~DFD352ACF08747F73A.TMP
C:\Windows\resources\Themes\explorer.exe
C:\Users\Louise\AppData\Local\Temp\~DF5A122C12BB88B70D.TMP
C:\Windows\resources\spoolsv.exe
C:\Users\Louise\AppData\Local\Temp\~DF88AD69C4AE2573FB.TMP
C:\Windows\resources\svchost.exe
C:\Users\Louise\AppData\Local\Temp\~DF9293E81FC7D6314B.TMP
C:\Users\Louise\AppData\Local\Temp\~DFA4988132E1D63F1B.TMP
C:\Windows\appcompat\Programs\RecentFileCache.bcf
C:\Users\Louise\AppData\Local\Temp\~DF9EB8B661A8C25A01.TMP
C:\Windows\resources\Themes\explorer.exe
C:\Users\Louise\AppData\Local\Temp\~DFD352ACF08747F73A.TMP
C:\Windows\resources\spoolsv.exe
C:\Windows\System32\explorer.exe
C:\Windows\Resources\tjud.exe
C:\Windows\resources\svchost.exe
C:\Users\Louise\AppData\Local\Temp\~DF88AD69C4AE2573FB.TMP
C:\Users\Louise\AppData\Local\Temp\~DFA4988132E1D63F1B.TMP
C:\Windows\Tasks\svchost.job
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_CURRENT_USER\Software\Classes\CLSID\{ED6CA17F-B4CC-4BF9-B426-0BDE01CB7E81}
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bazooka updater v.1.exe\xa0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Classes\Interface\{B196B284-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B284-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B284-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B286-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B286-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{FE4106E0-399A-11D0-A48C-00A0C90A8F39}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE4106E0-399A-11D0-A48C-00A0C90A8F39}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE4106E0-399A-11D0-A48C-00A0C90A8F39}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{FE4106E0-399A-11D0-A48C-00A0C90A8F39}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Schedule\Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Start
HKEY_CURRENT_USER\Software\Classes\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\svchost.job
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\svchost.job.fp
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\svchost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\svchost\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\svchost\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\DynamicInfo
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\RepositoryRestoreInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\schtasks.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B284-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B286-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE4106E0-399A-11D0-A48C-00A0C90A8F39}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\DynamicInfo
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\svchost\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\Path
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Schedule\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Start
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\svchost\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\svchost\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9B36EE2-84E5-4648-B588-FB47A7D92EAC}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\svchost.job
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\svchost.job.fp
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
ole32.dll.CLSIDFromOle1Class
clbcatq.dll.GetCatalogObject
clbcatq.dll.GetCatalogObject2
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Process32First
kernel32.dll.OpenProcess
psapi.dll.GetModuleFileNameExA
kernel32.dll.Process32Next
kernel32.dll.CloseHandle
kernel32.dll.GetFileAttributesA
oleaut32.dll.#2
oleaut32.dll.#500
cryptsp.dll.CryptReleaseContext
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.SetConsoleTitleW
kernel32.dll.GetStdHandle
kernel32.dll.GetConsoleScreenBufferInfo
kernel32.dll.SetConsoleTextAttribute
kernel32.dll.WriteFile
kernel32.dll.GetConsoleOutputCP
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
kernel32.dll.UnmapViewOfFile
kernel32.dll.GetFileType
kernel32.dll.GetConsoleCP
kernel32.dll.ReadFile
kernel32.dll.NlsGetCacheUpdateCount
advapi32.dll.RegCreateKeyA
advapi32.dll.RegSetValueExA
advapi32.dll.RegOpenKeyA
advapi32.dll.RegDeleteValueA
user32.dll.GetForegroundWindow
user32.dll.GetWindowThreadProcessId
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
kernel32.dll.OpenThread
kernel32.dll.ResumeThread
kernel32.dll.DeleteFileA
ntdll.dll.RtlGetVersion
kernel32.dll.GetCalendarInfoW
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
sspicli.dll.GetUserNameExW
advapi32.dll.GetUserNameW
xmllite.dll.CreateXmlWriter
xmllite.dll.CreateXmlWriterOutputWithEncodingName
"c:\users\louise\appdata\local\temp\bazooka updater v.1.exe\xa0"
c:\users\louise\appdata\local\temp\bazooka updater v.1.exe\xa0
C:\Windows\Resources\Themes\icsys.icn.exe
c:\windows\resources\themes\explorer.exe
c:\windows\resources\spoolsv.exe SE
C:\Windows\Explorer.exe
c:\windows\resources\svchost.exe
c:\windows\resources\spoolsv.exe PR
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:16 /f
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:29 /f
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:44 /f
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:58 /f


PE Information

Image Base: 0x00400000
Entry Point: 0x0040290c
Reported Checksum: 0x04bf451a
Actual Checksum: 0x00031d76
Minimum OS Version: 4.0
Compile Time: 2013-04-01 07:08:22
Import Hash: 8c16c795b57934183422be5f6df7d891
Icon: (image not captured in extraction)
Icon Exact Hash: 84d0844e3378fac4a78d41560b3340f1
Icon Similarity Hash: 404177248e68b6afc831e3b6d4e1e485

Sections

Name   RAW Address  Virtual Address  Virtual Size  Size of Raw Data  Entropy  Characteristics
.text  0x00001000   0x00001000       0x000191d4    0x0001a000        5.73     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
.data  0x0001b000   0x0001b000       0x0000180c    0x00001000        0.00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
.rsrc  0x0001c000   0x0001d000       0x000013f0    0x00002000        3.08     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE

Overlay

Offset 0x0001e000
Size 0x0000567c

Resources

Name           Offset      Size        Language      Sub-language        Entropy  File type
RT_ICON        0x0001d130  0x00000cd0  LANG_NEUTRAL  SUBLANG_NEUTRAL     3.33     None
RT_GROUP_ICON  0x0001de00  0x00000014  LANG_NEUTRAL  SUBLANG_NEUTRAL     1.97     None
RT_VERSION     0x0001de14  0x000001ec  LANG_ENGLISH  SUBLANG_ENGLISH_US  3.14     None
RT_MANIFEST    0x0001e000  0x000003e7  LANG_ENGLISH  SUBLANG_ENGLISH_US  4.71     None

Imports

0x401004 None
0x401008 _CIcos
0x40100c _adj_fptan
0x401010 __vbaStrI4
0x401014 __vbaVarVargNofree
0x401018 __vbaFreeVar
0x40101c __vbaLenBstr
0x401020 __vbaLateIdCall
0x401024 __vbaPut3
0x401028 __vbaEnd
0x40102c __vbaFreeVarList
0x401030 _adj_fdiv_m64
0x401034 EVENT_SINK_Invoke
0x401038 __vbaRaiseEvent
0x40103c __vbaFreeObjList
0x401040 None
0x401044 __vbaStrErrVarCopy
0x401048 None
0x40104c _adj_fprem1
0x401050 __vbaRecAnsiToUni
0x401054 None
0x401058 __vbaCopyBytes
0x40105c __vbaStrCat
0x401060 __vbaLsetFixstr
0x401064 __vbaRecDestruct
0x401068 __vbaSetSystemError
0x40106c None
0x401074 __vbaNameFile
0x401078 _adj_fdiv_m32
0x40107c Zombie_GetTypeInfo
0x401080 __vbaAryDestruct
0x401084 None
0x401088 None
0x40108c __vbaExitProc
0x401090 None
0x401094 __vbaOnError
0x401098 __vbaObjSet
0x40109c _adj_fdiv_m16i
0x4010a0 __vbaObjSetAddref
0x4010a4 _adj_fdivr_m16i
0x4010a8 None
0x4010ac __vbaFpR4
0x4010b0 None
0x4010b4 __vbaStrFixstr
0x4010b8 _CIsin
0x4010bc None
0x4010c0 None
0x4010c4 None
0x4010c8 __vbaChkstk
0x4010cc __vbaFileClose
0x4010d0 EVENT_SINK_AddRef
0x4010d8 __vbaGet3
0x4010dc __vbaStrCmp
0x4010e0 None
0x4010e4 __vbaGet4
0x4010e8 __vbaPutOwner3
0x4010ec __vbaAryConstruct2
0x4010f0 __vbaVarTstEq
0x4010f4 __vbaI2I4
0x4010f8 DllFunctionCall
0x4010fc __vbaFpUI1
0x401100 __vbaRedimPreserve
0x401104 __vbaStrR4
0x401108 _adj_fpatan
0x40110c __vbaLateIdCallLd
0x401114 __vbaRedim
0x401118 __vbaRecUniToAnsi
0x40111c EVENT_SINK_Release
0x401120 __vbaNew
0x401124 None
0x401128 __vbaUI1I2
0x40112c _CIsqrt
0x401134 __vbaExceptHandler
0x401138 None
0x40113c __vbaStrToUnicode
0x401140 None
0x401144 _adj_fprem
0x401148 _adj_fdivr_m64
0x40114c None
0x401150 None
0x401154 __vbaFPException
0x401158 None
0x40115c __vbaGetOwner3
0x401160 __vbaUbound
0x401164 None
0x401168 __vbaFileSeek
0x40116c None
0x401170 _CIlog
0x401174 __vbaErrorOverflow
0x401178 __vbaFileOpen
0x40117c None
0x401180 None
0x401184 __vbaNew2
0x401188 __vbaInStr
0x40118c _adj_fdiv_m32i
0x401190 None
0x401194 _adj_fdivr_m32i
0x401198 __vbaStrCopy
0x40119c __vbaI4Str
0x4011a0 __vbaFreeStrList
0x4011a4 _adj_fdivr_m32
0x4011a8 _adj_fdiv_r
0x4011ac None
0x4011b0 __vbaI4Var
0x4011b4 None
0x4011b8 __vbaAryLock
0x4011bc __vbaVarAdd
0x4011c0 None
0x4011c4 None
0x4011c8 __vbaVarDup
0x4011cc __vbaStrToAnsi
0x4011d0 None
0x4011d4 __vbaFpI2
0x4011d8 __vbaFpI4
0x4011dc None
0x4011e0 __vbaLateMemCallLd
0x4011e4 _CIatan
0x4011e8 __vbaStrMove
0x4011ec None
0x4011f0 __vbaCastObj
0x4011f4 __vbaR8IntI4
0x4011f8 None
0x4011fc _allmul
0x401200 _CItan
0x401204 __vbaAryUnlock
0x401208 _CIexp
0x40120c __vbaFreeObj
0x401210 __vbaFreeStr
0x401214 None
0x401218 None

!This program cannot be run in DOS mode.
.text
.data
.rsrc
MSVBVM60.DLL
Project1
uExWatch
frmMain
Form1
picIcon
uExWatch1
Project1.uExWatch
Timer1
tmrPri
tmrSec
TJprojMain
Project1
Project1
Project1.uExWatch
uExWatch
frmMain
uExWatch
mdlMain
mdlTweaks
mdlJoin
mdlPE
mdlReg
mdlComp
Project1
user32
GetForegroundWindow
kernel32.dll
FindFirstFileA
FindNextFileA
FindClose
CreateToolhelp32Snapshot
Process32First
GetExitCodeProcess
Process32Next
CloseHandle
OpenProcess
Psapi.dll
GetModuleFileNameExA
kernel32
TerminateProcess
ShellIE
GetCurrentProcess
advapi32.dll
OpenProcessToken
AdjustTokenPrivileges
advapi32
LookupPrivilegeValueA
user32.dll
GetWindowThreadProcessId
tmrSec
OpenThread
ResumeThread
Thread32First
Thread32Next
urlmon
URLDownloadToFileA
wininet.dll
DeleteUrlCacheEntryA
NTDLL
RtlGetVersion
tmrPri
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
uExWatch1
C:\Windows\System32\ieframe.dll
SHDocVw
picIcon
Timer1
DeleteFileA
ShellIE_WindowRegistered
GetFileAttributesA
RegOpenKeyA
RegCloseKey
RegCreateKeyA
shell32.dll
SHGetFileInfoA
DrawIconEx
DestroyIcon
RegDeleteValueA
RegSetValueExA
RtlMoveMemory
CreateFileA
ReadFile
WriteFile
SetFilePointer
VBA6.DLL
__vbaNameFile
__vbaLsetFixstr
__vbaStrFixstr
__vbaLateMemCallLd
__vbaLateIdCallLd
__vbaI4Var
__vbaVarTstEq
__vbaAryDestruct
IEObject
__vbaExitProc
__vbaLateIdCall
__vbaFreeObjList
__vbaI2I4
__vbaCastObj
AddSubClass
__vbaLenBstr
__vbaStrToUnicode
__vbaGenerateBoundsError
__vbaStrToAnsi
__vbaRecAnsiToUni
__vbaRecUniToAnsi
__vbaAryConstruct2
__vbaErrorOverflow
__vbaFpR4
MIEKey
__vbaFreeVarList
__vbaInStr
__vbaNew
__vbaObjSet
__vbaSetSystemError
__vbaFreeVar
__vbaOnError
UserControl
__vbaStrCopy
__vbaFreeStr
__vbaStrCat
__vbaFreeStrList
__vbaStrMove
__vbaStrCmp
__vbaEnd
__vbaFreeObj
__vbaHresultCheckObj
__vbaNew2
lIEObject_DocumentComplete
IEObject_OnQuit
SetIENothing
ValidatePath
PathChange
IEClosed
__vbaVarVargNofree
__vbaStrErrVarCopy
__vbaObjSetAddref
__vbaRaiseEvent
__vbaStrR4
__vbaVarDup
__vbaFileClose
__vbaGet3
__vbaFileOpen
__vbaI4Str
__vbaVarAdd
__vbaStrI4
__vbaCopyBytes
__vbaRedimPreserve
__vbaPutOwner3
__vbaFpUI1
__vbaGet4
__vbaFpI2
__vbaFpI4
__vbaR8IntI4
__vbaRedim
__vbaPut3
__vbaFileSeek
__vbaRecDestruct
__vbaUbound
__vbaAryUnlock
__vbaAryLock
__vbaGetOwner3
__vbaUI1I2
uExWatch
lCookie
Value
pDisp
strPath
MSVBVM60.DLL
EVENT_SINK_GetIDsOfNames
_CIcos
_adj_fptan
__vbaStrI4
__vbaVarVargNofree
__vbaFreeVar
__vbaLenBstr
__vbaLateIdCall
__vbaPut3
__vbaEnd
__vbaFreeVarList
_adj_fdiv_m64
EVENT_SINK_Invoke
__vbaRaiseEvent
__vbaFreeObjList
__vbaStrErrVarCopy
_adj_fprem1
__vbaRecAnsiToUni
__vbaCopyBytes
__vbaStrCat
__vbaLsetFixstr
__vbaRecDestruct
__vbaSetSystemError
__vbaHresultCheckObj
__vbaNameFile
_adj_fdiv_m32
Zombie_GetTypeInfo
__vbaAryDestruct
__vbaExitProc
__vbaOnError
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaFpR4
__vbaStrFixstr
_CIsin
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaGet3
__vbaStrCmp
__vbaGet4
__vbaPutOwner3
__vbaAryConstruct2
__vbaVarTstEq
__vbaI2I4
DllFunctionCall
__vbaFpUI1
__vbaRedimPreserve
__vbaStrR4
_adj_fpatan
__vbaLateIdCallLd
Zombie_GetTypeInfoCount
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaNew
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaGetOwner3
__vbaUbound
__vbaFileSeek
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaNew2
__vbaInStr
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaI4Var
__vbaAryLock
__vbaVarAdd
__vbaVarDup
__vbaStrToAnsi
__vbaFpI2
__vbaFpI4
__vbaLateMemCallLd
_CIatan
__vbaStrMove
__vbaCastObj
__vbaR8IntI4
_allmul
_CItan
__vbaAryUnlock
_CIexp
__vbaFreeObj
__vbaFreeStr
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
name="Microsoft.Windows.MyCoolApp"
processorArchitecture="x86"
version="1.0.0.0"
type="win32"/>
<description>Application description here</description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="x86"
publicKeyToken="6595b64144ccf1df"
language="*"
/>
</dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="requireAdministrator"
uiAccess="False"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
yE,Fx
i(|=oh
IG]^C
!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
v4.0.30319
#Strings
#GUID
#Blob
BaZooka Updater V.1
BaZooka_Updater_V._1
<Module>
System.IO
mscorlib
DownloadFile
Console
set_Title
ReadLine
WriteLine
GuidAttribute
DebuggableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
BaZooka Updater V.1.exe
System.Runtime.Versioning
DownloadString
Program
System
System.Reflection
ConsoleKeyInfo
DirectoryInfo
Clear
set_ForegroundColor
ConsoleColor
.ctor
System.Diagnostics
System.Runtime.InteropServices
System.Runtime.CompilerServices
DebuggingModes
Concat
Object
System.Net
WebClient
ReadKey
CreateDirectory
WrapNonExceptionThrows
BaZooka Updater V.1
Copyright
2020
$f9bb3f5e-597d-4535-86af-0aee539c7740
1.0.0.0
.NETFramework,Version=v4.7.2
FrameworkDisplayName
.NET Framework 4.7.2
C:\Users\rayya\source\repos\BaZooka Updater V.1\BaZooka Updater V.1\obj\Debug\BaZooka Updater V.1.pdb
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
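Two application manifests appear in this strings dump: the requireAdministrator one at the top of the section and the asInvoker one just above, which sits among the strings of the embedded .NET "BaZooka Updater". The difference matters for triage: requireAdministrator forces a UAC consent or credential prompt at launch and, once accepted, the process runs with a full administrator token. The following helper is an added example (not CAPE's code and not the sample's) that carves every `<assembly>…</assembly>` span out of a raw PE image and reports what each asks for. It works at the byte level rather than through the resource directory, so it also finds the manifest of a second executable stored as data inside the first, which is the situation here. The manifest text is copied from the page; the surrounding PE bytes are constructed filler.

```python
"""Carve application manifests out of a raw PE image and report the requested
execution level of each.  Added example, not part of the CAPE report or the
sample.  Byte-level carving (no pefile) also works on memory dumps with a
damaged resource directory and on embedded second-stage executables."""
import re
import xml.etree.ElementTree as ET

MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

# First manifest as quoted on the page (requireAdministrator).
MANIFEST_OUTER = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity name="Microsoft.Windows.MyCoolApp" processorArchitecture="x86" version="1.0.0.0" type="win32"/>
<dependency><dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"/>
</dependentAssembly></dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="False"/>
</requestedPrivileges></security></trustInfo>
</assembly>"""

# Second manifest as quoted on the page (asInvoker, embedded .NET updater).
MANIFEST_INNER = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges></security></trustInfo>
</assembly>"""

# Constructed stand-in for a PE file: header junk, outer manifest, code-like
# filler, then the inner executable's manifest further into the image.
PE_BLOB = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + MANIFEST_OUTER
           + b"\xcc" * 128 + MANIFEST_INNER + b"\x00" * 16)


def find_manifests(blob: bytes) -> list:
    """Every <assembly>...</assembly> span in the blob, decoded as text."""
    return [m.group(0).decode("utf-8", "replace") for m in MANIFEST_RE.finditer(blob)]


def _local(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def summarize(manifest_xml: str) -> dict:
    """Identity, requested execution level and dependencies of one manifest.
    Tags are matched without namespace: requestedPrivileges is asm.v2 in the
    first manifest above and asm.v3 in the second, and both are valid."""
    root = ET.fromstring(manifest_xml)
    info = {"name": None, "version": None, "level": None,
            "uiAccess": False, "dependencies": []}
    for child in root:
        if _local(child.tag) == "assemblyIdentity":
            info["name"] = child.get("name")
            info["version"] = child.get("version")
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "requestedExecutionLevel":
            info["level"] = el.get("level")
            # Schema boolean; the page's first manifest spells it "False".
            info["uiAccess"] = (el.get("uiAccess") or "false").lower() == "true"
        elif tag == "dependentAssembly":
            info["dependencies"] += [i.get("name") for i in el
                                     if _local(i.tag) == "assemblyIdentity"]
    return info


def elevation_note(info: dict) -> str:
    """Plain-language meaning of the requested level for a triage note."""
    level = info["level"]
    if level == "requireAdministrator":
        return "always demands an elevated token (UAC consent/credential prompt at launch)"
    if level == "highestAvailable":
        return "elevates for administrators, runs unelevated for standard users"
    if level == "asInvoker":
        return "runs with the caller's token; any elevation must come from elsewhere"
    return "no requestedExecutionLevel: treated as asInvoker, but UAC installer detection may still prompt"


def triage(blob: bytes) -> list:
    """Summaries, with notes, for every manifest carved from the blob in file order."""
    out = []
    for manifest in find_manifests(blob):
        info = summarize(manifest)
        info["note"] = elevation_note(info)
        out.append(info)
    return out


if __name__ == "__main__":
    for i, info in enumerate(triage(PE_BLOB), 1):
        print(f"manifest {i}: {info['name']} v{info['version']} level={info['level']} "
              f"uiAccess={info['uiAccess']} deps={info['dependencies']}")
        print(f"  -> {info['note']}")
```

Run against a real file by replacing `PE_BLOB` with `open(path, "rb").read()`. Two manifests in one image is itself a finding worth noting in a report: it means a second PE is carried inside the first.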
hZY1*9
dr(/0,J6
SA:A
_extentx
_extenty
A*\AF:\RFD\xNewCode\xNewPro\xT\trjFN\Project1.vbp
SeDebugPrivilege
hZ\1*1
dw(/.,J,
RIKVdO4>+
ms.834>1OWF
JW>yu
MGH+$2
t{=9?
DO; ;*|c`CECsee
^p73?
bTIjE]1'7
yu\sR
lhIK=
vW^=<8
_7+oL
/ toa
I0[dCi
"Yb(_jCxq
OdhIB
pf_voe=NE.M6
7*P(&QVai\gl
^k765
I-_bLk
GZDp}t
bEP>46
tv|ckVXN
bEM>43
VXR4>,
loIKH
h?1xN
vWc=<=
_9+oR
_B+oL
Un1'<vZ]
mv.8,
hF1xM
kqYPK
[e"&$
}~CBC
U?idr
T^biYjZ\nod M)z
brD=G
ksn]_
jH]1*6
jHY1*7
MG?+!5F4C
uoOTHh
I0bdCq
"Y_(_iCxy
OlhIE
pf]voj=N<.M1
7*W(&QVam
:DMjdr
7xq|<
jc: !
7Z8(V.
MGGjE[1*4
^[QOTG
YYItoc
y1xW"
I0Z:,X
wJHU!2dT`
YYStod
x1xU"
I0U:,Y
wJHU!(dTW
CB64D2OTC
CB64D0OTM
_1{Q7
;S+Qn
svvrf
mSvIE[ON]
~+~j1
Start
pxVjJ\dO
Process
file:///
<Update>
<xCommand
</xCommand>
<Download>
</Download>
Param
</Update>
Version
yymmdd
\SystemRoot\
%systemroot%
00000000
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
ProductName
Project1
FileVersion
ProductVersion
InternalName
TJprojMain
OriginalFilename
TJprojMain.exe
BaZooka MultiTool
https://pastebin.com/raw/excDsppn
____ _____ _ _ _ _ _
| __ ) __ _|__ /___ ___ | | ____ _ | | | |_ __ __| | __ _| |_ ___ _ __
| _ \ / _` | / // _ \ / _ \| |/ / _` | | | | | '_ \ / _` |/ _` | __/ _ \ '__|
| |_) | (_| |/ /| (_) | (_) | < (_| | | |_| | |_) | (_| | (_| | || __/ |
|____/ \__,_/____\___/ \___/|_|\_\__,_| \___/| .__/ \__,_|\__,_|\__\___|_|
|_|
Bootstrapper
Press Any Key And Press Enter
Hello
! Welcome to
Downloading new Files...
Files\
Files
Downloaded | Updated!
Now open
and Run
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
BaZooka Updater V.1
FileVersion
1.0.0.0
InternalName
BaZooka Updater V.1.exe
LegalCopyright
Copyright
2020
LegalTrademarks
OriginalFilename
BaZooka Updater V.1.exe
ProductName
BaZooka Updater V.1
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0

Full Results

Engine Signature
Bkav W32.WatermarkHQc.PE
MicroWorld-eScan Trojan.GenericKD.30681149
CMC Trojan.Win32.Agent!O
CAT-QuickHeal W32.Mofksys.A4
Qihoo-360 HEUR/QVM03.0.68D5.Malware.Gen
McAfee W32/Swisyn.b
Cylance Unsafe
Zillya Virus.HLLP.Win32.1
SUPERAntiSpyware Clean
Sangfor Malware
K7AntiVirus P2PWorm ( 00526bf61 )
Alibaba Clean
K7GW P2PWorm ( 00526bf61 )
Cybereason malicious.d057a3
Invincea heuristic
Baidu Win32.Worm.VB.b
F-Prot W32/Trojan2.PWYM
Symantec W32.Gosys
ESET-NOD32 Win32/VB.OOF
APEX Malicious
Paloalto Clean
ClamAV Win.Trojan.VBGeneric-6735875-0
Kaspersky Trojan.Win32.Agent.xjgj
BitDefender Trojan.GenericKD.30681149
NANO-Antivirus Trojan.Win32.Swisyn.flhacn
ViRobot Clean
Avast Win32:VB-OJQ [Wrm]
Rising Trojan.Agent!1.6A70 (CLASSIC)
Ad-Aware Trojan.GenericKD.30681149
Sophos Troj/Agent-ABZF
Comodo [email protected]
F-Secure Worm.WORM/Mofksys.bouem
DrWeb Win32.HLLP.Swisyn
VIPRE Trojan.Win32.Agent.abzf (v)
TrendMicro PE_SWISB.A
McAfee-GW-Edition BehavesLike.Win32.Swisyn.cm
Trapmine malicious.high.ml.score
FireEye Generic.mg.4d7fdf4d057a3a03
Emsisoft Trojan.GenericKD.30681149 (B)
Ikarus Worm.Mofksys
Cyren W32/Trojan.UEJO-9077
Jiangmin Trojan/Agent.hxgb
Webroot W32.Malware.Gen
Avira WORM/Mofksys.bouem
Antiy-AVL Trojan/Win32.Agent
Kingsoft Clean
Microsoft Worm:Win32/Mofksys.R!MTB
Endgame malicious (high confidence)
Arcabit Trojan.Generic.D1D4283D
AegisLab Clean
ZoneAlarm Trojan.Win32.Agent.xjgj
Avast-Mobile Clean
GData Trojan.GenericKD.30681149
TACHYON Clean
AhnLab-V3 Worm/Win32.Mofksys.R198176
Acronis suspicious
BitDefenderTheta AI:Packer.FB4C4F7A20
ALYac Trojan.GenericKD.30681149
MAX malware (ai score=84)
VBA32 TScope.Trojan.VB
Malwarebytes Trojan.Dropper
Zoner Trojan.Win32.88925
TrendMicro-HouseCall PE_SWISB.A
Tencent Malware.Win32.Gencirc.10b08f85
Yandex Trojan.Agent!UzORkEWgCoA
SentinelOne DFI - Malicious PE
eGambit Unsafe.AI_Score_72%
Fortinet W32/VB.QCC!tr.dldr
AVG Win32:VB-OJQ [Wrm]
Panda Trj/Spy.AT
CrowdStrike win/malicious_confidence_100% (D)
MaxSecure Virus.W32.Agent.xjgj
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.9 53599 1.1.1.1 53
192.168.1.9 54609 1.1.1.1 53
192.168.1.9 55233 1.1.1.1 53
192.168.1.9 59058 1.1.1.1 53
192.168.1.9 59225 1.1.1.1 53
192.168.1.9 64674 1.1.1.1 53
192.168.1.9 137 192.168.1.255 137
192.168.1.9 53599 8.8.8.8 53
192.168.1.9 54609 8.8.8.8 53
192.168.1.9 55233 8.8.8.8 53
192.168.1.9 59058 8.8.8.8 53
192.168.1.9 59225 8.8.8.8 53
192.168.1.9 64674 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3

Type 3 is ICMP Destination Unreachable. Apart from one NetBIOS name-service broadcast, the only outbound traffic was the DNS queries to the hard-coded resolvers 1.1.1.1 and 8.8.8.8 listed under UDP, and those queries drew ICMP unreachables instead of DNS answers. That is why the DNS, HTTP and TLS sections are empty: no name was resolved in this run, so the pastebin URL present in the sample's strings was never fetched and no second stage was observed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Type Extracted Shellcode
Size 40465 bytes
Virtual Address 0x00250000
Process explorer.exe
PID 3340
Path C:\Windows\resources\Themes\explorer.exe
MD5 a99ea8c183afa5b8ee0037336a9f61e5
SHA1 b7b9245751b559536d03529fd2daec6dbfd69a48
SHA256 d49cf336f2afd6c9d14b4ab9f106e7a152d775aab5606f1e673c741a855855d2
CRC32 4354079F
Ssdeep 384:ezqWgq4NMLFIj61mIFAGp/la87pPggDr+Q15XVfB3XOKj4kML:ezqvN8FIjOptaSIUf5XVfNX3ML
Yara None matched
CAPE Yara None matched
Download Download zip

BinGraph Download graph

Type Extracted Shellcode
Size 138 bytes
Virtual Address 0x001F0000
Process bazooka updater v.1.exe?
PID 1860
Path C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.exe?
MD5 040c32f60f12cb763519d951e4281561
SHA1 8046724620a7cfb4a65af75eca5a325d04839368
SHA256 10ebec3997dab132c40f54fc581d7fbead0e15400beee33cde0959fa7edd0373
CRC32 3D6B4CF5
Ssdeep 3:iKlaEMO2wOuUOG4OucO2AOOkOmIOOB2ln:Pla1aOi2q+yyn
Yara None matched
CAPE Yara None matched
Download Download zip

BinGraph Download graph

Type Extracted Shellcode
Size 38400 bytes
Virtual Address 0x00260000
Process icsys.icn.exe
PID 1140
Path C:\Windows\Resources\Themes\icsys.icn.exe
MD5 371e82ad6640711c2c5b572102f2428d
SHA1 3918b8c5defac41249fa7ff321761c810718b69b
SHA256 c57691fbafe2d0ca6139e050b08ad37a71b7b43df834cd928267e252758fc307
CRC32 04BF9574
Ssdeep 384:ezdqcjorTQCzCRCz9G3iYWcs+svWLL76u4:ezdNjfCzCVWcBMI754
Yara None matched
CAPE Yara None matched
Download Download zip

BinGraph Download graph

Type Extracted Shellcode
Size 38400 bytes
Virtual Address 0x00290000
Process svchost.exe
PID 4908
Path C:\Windows\resources\svchost.exe
MD5 f8102a2270801b402ecfe3f5eb7ed438
SHA1 0959fd5445c0deb3dfb48592899b3e48df1dd825
SHA256 f360230473d6855516d12e55f2a537c05f765de5cc9e4811337fd9bc846d7772
CRC32 308406E3
Ssdeep 384:ezof8+cEeFCYdttu9gEHuxxXqkRMHSdHZlF2Ky9W97nScjlrQ:ez4j0xFQgEH/SdnQWdPJQ
Yara None matched
CAPE Yara None matched
Download Download zip

BinGraph Download graph

Type Extracted Shellcode
Size 40465 bytes
Virtual Address 0x003E0000
Process spoolsv.exe
PID 2864
Path C:\Windows\resources\spoolsv.exe
MD5 c47416bd754ee3aee913f116f4dd285d
SHA1 00a1275e6860c0838b0eb7bd1591c991ad193b52
SHA256 a7cf1162d1c68a3712cfc100e3e2d961330343bbf71ed63e951d3c754317c950
CRC32 95568196
Ssdeep 384:ezjgDX2ePKZK0SpFZgfZ+7V+cfu4+XyGB3jT1r:ezWjPK7S1S+0c25dNr
Yara None matched
CAPE Yara None matched
Download Download zip

BinGraph Download graph

Type Extracted Shellcode
Size 1696 bytes
Virtual Address 0x007E0000
Process bazooka updater v.1.exe?
PID 1860
Path C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.exe?
MD5 caf4740d74aa85aed4f78d676a694945
SHA1 3cd1dc65b24d2d209f9882d1251cbd6b5af22777
SHA256 bc296909bf6943b89a696555ec29c22604b1b370ddf311fad67a69886c8bb5de
CRC32 E005C660
Ssdeep 24:gfAeXvarN21pxhSQ5vEFdd04GuW5Bdck1o:gfAsaszsFdB/W5Bvo
Yara None matched
CAPE Yara None matched
Download Download zip

BinGraph Download graph

Type Extracted Shellcode
Size 40465 bytes
Virtual Address 0x00290000
Process svchost.exe
PID 4908
Path C:\Windows\resources\svchost.exe
MD5 da9c614388517b7114420f8ce5fee09c
SHA1 d9c4dcc561dbefe890e4c942d3181ccd50be0164
SHA256 a70502c750047626ac4989b29ea94b5bf86714b9f00ce400eab955222c23f665
CRC32 D76A07BF
Ssdeep 384:ezof8+cEeFCYdttu9gEHuxxXqkRMHSdHZlF2Ky9W97nScjlrqNg8L5QI:ez4j0xFQgEH/SdnQWdPJO15L
Yara None matched
CAPE Yara None matched
Download Download zip

BinGraph Download graph

Type Extracted Shellcode
Size 38400 bytes
Virtual Address 0x002A0000
Process BaZooka Updater V.1.exe
PID 3676
Path C:\Users\Louise\AppData\Local\Temp\BaZooka Updater V.1.exe
MD5 8d53ed6dcb8efc32ad44ec02986ae968
SHA1 d738985c9692388d7f15a64538f43ba4bfa764d3
SHA256 0c55dfba5193a7a569902e4dac1aae5452b47303793519a05b6457b683c3667c
CRC32 E54380B2
Ssdeep 192:ezlZoJZ/+zv5oMSOWGV+XpCT/wGKmCa9V7yNKbfhUCI4S53fH4p1Bm8VT3+ig:ezM/PGV+XpCTtKu9hs2UvCPBt+ig
Yara None matched
CAPE Yara None matched
Download Download zip

BinGraph Download graph

Type Extracted Shellcode
Size 20833 bytes
Virtual Address 0x00290000
Process spoolsv.exe
PID 2516
Path C:\Windows\resources\spoolsv.exe
MD5 93ff2a2e5418ba969fae34983e9dabbc
SHA1 192d9e98968bc0488214c83df6cccdcb3ac78fea
SHA256 596b0f833bcc231c9fcc06fc1f7461672f9e4c356fb7b4cbd0a30a68856a3bf5
CRC32 58315763
Ssdeep 192:ezlZg0uJhvE+leEeF/6JuDdttyBxtPgEHuxxXqkRMwXeSdHLx:ezof8+cEeFCYdttu9gEHuxxXqkRMHSdl
Yara None matched
CAPE Yara None matched
Download Download zip

BinGraph Download graph
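The extracted-region records above carry a detail that is easy to miss when reading them one at a time: three of the host processes are named explorer.exe, svchost.exe and spoolsv.exe but run from C:\Windows\resources\ and C:\Windows\resources\Themes\, not from the directories where Windows keeps those binaries. The following helper is an added example (not CAPE's code) that parses the report's one-key-per-line record layout, groups the dumped regions by process and flags that kind of path masquerading. Five of the nine records are copied from the page as a constructed sample; the expected-directory table is the editor's assumption for a default Windows install.

```python
"""Triage helper for CAPE 'Extracted Shellcode' records: parse them, group by
process and flag system-binary names running from the wrong directory.
Added example, not part of the CAPE report.  EXPECTED_DIR is the editor's
table for a default install; the records are copied from the page."""
import re
from collections import defaultdict

# Editor's assumption: where these images live on a default Windows install.
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}

# One 'Key value' pair per line, keys as CAPE prints them.
KEY_RE = re.compile(r"^(Type|Size|Virtual Address|Process|PID|Path|MD5|SHA1|SHA256"
                    r"|CRC32|Ssdeep|CAPE Yara|Yara)\s+(.*)$")

# Constructed sample: five of the report's records, copied verbatim.
SAMPLE_RECORDS = r"""
Type Extracted Shellcode
Size 40465 bytes
Virtual Address 0x00250000
Process explorer.exe
PID 3340
Path C:\Windows\resources\Themes\explorer.exe
SHA256 d49cf336f2afd6c9d14b4ab9f106e7a152d775aab5606f1e673c741a855855d2
Yara None matched
CAPE Yara None matched

Type Extracted Shellcode
Size 138 bytes
Virtual Address 0x001F0000
Process bazooka updater v.1.exe?
PID 1860
Path C:\Users\Louise\AppData\Local\Temp\bazooka updater v.1.exe?
SHA256 10ebec3997dab132c40f54fc581d7fbead0e15400beee33cde0959fa7edd0373

Type Extracted Shellcode
Size 38400 bytes
Virtual Address 0x00260000
Process icsys.icn.exe
PID 1140
Path C:\Windows\Resources\Themes\icsys.icn.exe
SHA256 c57691fbafe2d0ca6139e050b08ad37a71b7b43df834cd928267e252758fc307

Type Extracted Shellcode
Size 38400 bytes
Virtual Address 0x00290000
Process svchost.exe
PID 4908
Path C:\Windows\resources\svchost.exe
SHA256 f360230473d6855516d12e55f2a537c05f765de5cc9e4811337fd9bc846d7772

Type Extracted Shellcode
Size 40465 bytes
Virtual Address 0x003E0000
Process spoolsv.exe
PID 2864
Path C:\Windows\resources\spoolsv.exe
SHA256 a7cf1162d1c68a3712cfc100e3e2d961330343bbf71ed63e951d3c754317c950
"""


def parse_records(text: str) -> list:
    """One dict per record; a new record starts at every 'Type' line."""
    records, cur = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        key, val = m.groups()
        if key == "Type":
            cur = {}
            records.append(cur)
        if cur is None:
            continue
        cur[key] = int(val.split()[0]) if key == "Size" else val
    return records


def masquerade_flags(records: list) -> list:
    """(PID, path, expected_dir) for hosts named like a system binary but
    running from another directory (ATT&CK T1036, Masquerading)."""
    flags = []
    for r in records:
        directory, _, name = r.get("Path", "").lower().rpartition("\\")
        expected = EXPECTED_DIR.get(name)
        if expected and directory != expected:
            flags.append((r.get("PID"), r["Path"], expected))
    return flags


def by_process(records: list) -> dict:
    """PID -> [(virtual address, size, sha256), ...] of regions dumped from it."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("PID")].append((r.get("Virtual Address"), r.get("Size"), r.get("SHA256")))
    return dict(groups)


def summarize(records: list) -> dict:
    return {"regions": len(records),
            "processes": len(by_process(records)),
            "bytes_dumped": sum(r.get("Size", 0) for r in records),
            "masqueraded": masquerade_flags(records)}


if __name__ == "__main__":
    s = summarize(parse_records(SAMPLE_RECORDS))
    print(f"{s['regions']} regions from {s['processes']} processes, {s['bytes_dumped']} bytes")
    for pid, path, expected in s["masqueraded"]:
        print(f"PID {pid}: {path} (expected under {expected})")
```

Paste the full set of records from the page into `SAMPLE_RECORDS` to get the complete picture; the same three paths are the ones to search for on other hosts, since a legitimate spoolsv.exe or svchost.exe has no business under C:\Windows\resources\.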