Detections

Yara:

AgentTeslaV2

Analysis

Category  Package  Started              Completed            Duration
FILE      exe      2020-10-18 06:41:02  2020-10-18 06:46:08  306 seconds

Options:
route = tor

Log:
2020-05-13 09:30:35,922 [root] INFO: Date set to: 20201018T06:41:01, timeout set to: 200
2020-10-18 06:41:01,062 [root] DEBUG: Starting analyzer from: C:\tmplodztmkc
2020-10-18 06:41:01,062 [root] DEBUG: Storing results at: C:\dgZjxUUlM
2020-10-18 06:41:01,062 [root] DEBUG: Pipe server name: \\.\PIPE\nehUJFhksy
2020-10-18 06:41:01,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-10-18 06:41:01,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-10-18 06:41:01,078 [root] INFO: Automatically selected analysis package "exe"
2020-10-18 06:41:01,078 [root] DEBUG: Importing analysis package "exe"...
2020-10-18 06:41:01,093 [root] DEBUG: Initializing analysis package "exe"...
2020-10-18 06:41:01,140 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2020-10-18 06:41:01,171 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2020-10-18 06:41:01,187 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2020-10-18 06:41:01,203 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2020-10-18 06:41:01,249 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2020-10-18 06:41:01,281 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2020-10-18 06:41:01,281 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2020-10-18 06:41:01,281 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-10-18 06:41:01,296 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-10-18 06:41:01,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-10-18 06:41:01,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-10-18 06:41:01,296 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-10-18 06:41:01,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-10-18 06:41:01,296 [lib.api.screenshot] DEBUG: Importing 'math'
2020-10-18 06:41:01,312 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-10-18 06:41:01,437 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-10-18 06:41:01,453 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-10-18 06:41:01,515 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-10-18 06:41:01,515 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2020-10-18 06:41:01,515 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2020-10-18 06:41:01,531 [root] DEBUG: Initializing auxiliary module "Browser"...
2020-10-18 06:41:01,531 [root] DEBUG: Started auxiliary module Browser
2020-10-18 06:41:01,531 [root] DEBUG: Initializing auxiliary module "Curtain"...
2020-10-18 06:41:01,531 [root] DEBUG: Started auxiliary module Curtain
2020-10-18 06:41:01,531 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2020-10-18 06:41:01,531 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-10-18 06:41:02,078 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-10-18 06:41:02,093 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-10-18 06:41:02,093 [root] DEBUG: Started auxiliary module DigiSig
2020-10-18 06:41:02,093 [root] DEBUG: Initializing auxiliary module "Disguise"...
2020-10-18 06:41:02,109 [modules.auxiliary.disguise] INFO: Disguising GUID to 123168b1-ced5-4775-bcf5-d730d566eedd
2020-10-18 06:41:02,109 [root] DEBUG: Started auxiliary module Disguise
2020-10-18 06:41:02,109 [root] DEBUG: Initializing auxiliary module "Human"...
2020-10-18 06:41:02,125 [root] DEBUG: Started auxiliary module Human
2020-10-18 06:41:02,125 [root] DEBUG: Initializing auxiliary module "Procmon"...
2020-10-18 06:41:02,125 [root] DEBUG: Started auxiliary module Procmon
2020-10-18 06:41:02,125 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2020-10-18 06:41:02,125 [root] DEBUG: Started auxiliary module Screenshots
2020-10-18 06:41:02,125 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2020-10-18 06:41:02,125 [root] DEBUG: Started auxiliary module Sysmon
2020-10-18 06:41:02,125 [root] DEBUG: Initializing auxiliary module "Usage"...
2020-10-18 06:41:02,125 [root] DEBUG: Started auxiliary module Usage
2020-10-18 06:41:02,125 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-10-18 06:41:02,125 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-10-18 06:41:02,125 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-10-18 06:41:02,125 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-10-18 06:41:02,296 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" with arguments "" with pid 3428
2020-10-18 06:41:02,296 [lib.api.process] INFO: Monitor config for process 3428: C:\tmplodztmkc\dll\3428.ini
2020-10-18 06:41:02,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:02,421 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:02,437 [root] DEBUG: Loader: Injecting process 3428 (thread 3924) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:02,468 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:02,468 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:02,468 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:04,484 [lib.api.process] INFO: Successfully resumed process with pid 3428
2020-10-18 06:41:04,625 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:41:04,625 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:41:04,656 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3428 at 0x6f3e0000, image base 0xe60000, stack from 0x2f6000-0x300000
2020-10-18 06:41:04,656 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Money gram.exe"
2020-10-18 06:41:04,734 [root] INFO: Loaded monitor into process with pid 3428
2020-10-18 06:41:04,734 [root] DEBUG: set_caller_info: Adding region at 0x00200000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-10-18 06:41:04,734 [root] DEBUG: DumpPEsInRange: Scanning range 0x200000 - 0x300000.
2020-10-18 06:41:04,734 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x200000
2020-10-18 06:41:04,750 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x200000
2020-10-18 06:41:04,750 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00200000 size 0x100000.
2020-10-18 06:41:04,796 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3428_38882005444113180102020 (size 0xcb4)
2020-10-18 06:41:04,812 [root] DEBUG: DumpRegion: Dumped region at 0x002FF000, size 0x1000.
2020-10-18 06:41:04,843 [root] DEBUG: set_caller_info: Adding region at 0x02490000 to caller regions list (advapi32::RegOpenKeyExW).
2020-10-18 06:41:04,859 [root] DEBUG: DumpPEsInRange: Scanning range 0x2490000 - 0x2890000.
2020-10-18 06:41:04,859 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x24d5fc1
2020-10-18 06:41:04,875 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x2490000
2020-10-18 06:41:04,875 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02490000 size 0x400000.
2020-10-18 06:41:04,921 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3428_3950666344113180102020 (size 0x1a41)
2020-10-18 06:41:04,937 [root] DEBUG: DumpRegion: Dumped region at 0x0284D000, size 0x10000.
2020-10-18 06:41:04,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 and local view 0x00700000 to global list.
2020-10-18 06:41:04,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 and local view 0x00700000 to global list.
2020-10-18 06:41:05,265 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-10-18 06:41:05,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x722D0000 for section view with handle 0xe4.
2020-10-18 06:41:05,296 [root] DEBUG: DLL loaded at 0x722D0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-10-18 06:41:05,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72FE0000 for section view with handle 0xe4.
2020-10-18 06:41:05,296 [root] DEBUG: DLL loaded at 0x72FE0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-10-18 06:41:05,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 and local view 0x00150000 to global list.
2020-10-18 06:41:05,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c and local view 0x00160000 to global list.
2020-10-18 06:41:05,390 [root] INFO: Disabling sleep skipping.
2020-10-18 06:41:05,406 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c0 and local view 0x05EC0000 to global list.
2020-10-18 06:41:05,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x208 and local view 0x6E040000 to global list.
2020-10-18 06:41:05,484 [root] DEBUG: DLL loaded at 0x6E040000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-10-18 06:41:05,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 and local view 0x6D630000 to global list.
2020-10-18 06:41:05,750 [root] DEBUG: DLL loaded at 0x6D630000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-10-18 06:41:05,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c and local view 0x6CE50000 to global list.
2020-10-18 06:41:05,781 [root] DEBUG: DLL loaded at 0x6CE50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-10-18 06:41:05,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 and local view 0x6CA50000 to global list.
2020-10-18 06:41:05,843 [root] DEBUG: DLL loaded at 0x6CA50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni (0x3f3000 bytes).
2020-10-18 06:41:05,859 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 06:41:05,859 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-10-18 06:41:05,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6BEA0000 for section view with handle 0x22c.
2020-10-18 06:41:05,953 [root] DEBUG: DLL loaded at 0x6BEA0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni (0xbad000 bytes).
2020-10-18 06:41:06,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 and local view 0x6AB90000 to global list.
2020-10-18 06:41:06,000 [root] DEBUG: DLL loaded at 0x6AB90000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni (0x1307000 bytes).
2020-10-18 06:41:06,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A990000 for section view with handle 0x224.
2020-10-18 06:41:06,078 [root] DEBUG: DLL loaded at 0x6A990000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni (0x1f4000 bytes).
2020-10-18 06:41:06,156 [root] DEBUG: DLL loaded at 0x6A850000: C:\Windows\system32\dwrite (0x136000 bytes).
2020-10-18 06:41:06,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A700000 for section view with handle 0x224.
2020-10-18 06:41:06,187 [root] DEBUG: DLL loaded at 0x6A700000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400 (0x149000 bytes).
2020-10-18 06:41:06,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A680000 for section view with handle 0x224.
2020-10-18 06:41:06,218 [root] DEBUG: DLL loaded at 0x6A680000: C:\Windows\system32\MSVCP120_CLR0400 (0x78000 bytes).
2020-10-18 06:41:06,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A5B0000 for section view with handle 0x22c.
2020-10-18 06:41:06,593 [root] DEBUG: DLL loaded at 0x6A5B0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400 (0xca000 bytes).
2020-10-18 06:41:06,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A530000 for section view with handle 0x22c.
2020-10-18 06:41:06,656 [root] DEBUG: DLL loaded at 0x6A530000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-10-18 06:41:06,843 [root] DEBUG: set_caller_info: Adding region at 0x001E0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-10-18 06:41:06,843 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e0000 - 0x1f0000.
2020-10-18 06:41:06,843 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x1e0fc1
2020-10-18 06:41:06,843 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x1f0000
2020-10-18 06:41:06,843 [root] DEBUG: DumpMemory: Nothing to dump at 0x001E0000!
2020-10-18 06:41:06,843 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x001E0000 size 0x10000.
2020-10-18 06:41:06,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3428_992130004264113180102020 (size 0x48c)
2020-10-18 06:41:06,906 [root] DEBUG: DumpRegion: Dumped region at 0x001E0000, size 0x1000.
2020-10-18 06:41:07,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 and local view 0x6F990000 to global list.
2020-10-18 06:41:07,000 [root] DEBUG: DLL loaded at 0x6F990000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-10-18 06:41:07,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x063E0000 for section view with handle 0x234.
2020-10-18 06:41:07,031 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-10-18 06:41:07,046 [root] DEBUG: DLL loaded at 0x740A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-10-18 06:41:07,078 [root] DEBUG: set_caller_info: Adding region at 0x00180000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:41:07,078 [root] DEBUG: DumpPEsInRange: Scanning range 0x180000 - 0x190000.
2020-10-18 06:41:07,078 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x180fc1
2020-10-18 06:41:07,078 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x190000
2020-10-18 06:41:07,078 [root] DEBUG: DumpMemory: Nothing to dump at 0x00180000!
2020-10-18 06:41:07,078 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00180000 size 0x10000.
2020-10-18 06:41:07,125 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3428_1401761624274113180102020 (size 0x5a3)
2020-10-18 06:41:07,125 [root] DEBUG: DumpRegion: Dumped region at 0x0018D000, size 0x1000.
2020-10-18 06:41:07,140 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-10-18 06:41:07,265 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x268 and local view 0x6A350000 to global list.
2020-10-18 06:41:07,265 [root] DEBUG: DLL loaded at 0x6A350000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-10-18 06:41:07,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x264 and local view 0x00310000 to global list.
2020-10-18 06:41:07,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x260 and local view 0x02400000 to global list.
2020-10-18 06:41:07,531 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x278 and local view 0x00420000 to global list.
2020-10-18 06:41:07,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2ac and local view 0x6A1B0000 to global list.
2020-10-18 06:41:07,578 [root] DEBUG: DLL loaded at 0x6A1B0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-10-18 06:41:07,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2a8 and local view 0x69490000 to global list.
2020-10-18 06:41:07,609 [root] DEBUG: DLL loaded at 0x69490000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-10-18 06:41:07,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x692F0000 for section view with handle 0x2a8.
2020-10-18 06:41:07,734 [root] DEBUG: DLL loaded at 0x692F0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-10-18 06:41:07,750 [root] DEBUG: DLL loaded at 0x691B0000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-10-18 06:41:18,062 [root] DEBUG: DLL loaded at 0x69050000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-10-18 06:41:18,062 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-10-18 06:41:18,078 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:41:18,140 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-10-18 06:41:18,156 [root] DEBUG: DLL loaded at 0x67AD0000: C:\Windows\SysWOW64\ieframe (0xaba000 bytes).
2020-10-18 06:41:18,156 [root] DEBUG: DLL loaded at 0x75EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-10-18 06:41:18,156 [root] DEBUG: DLL loaded at 0x75F00000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-10-18 06:41:18,171 [root] DEBUG: DLL loaded at 0x76320000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-10-18 06:41:18,171 [root] DEBUG: DLL loaded at 0x6F980000: C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-10-18 06:41:18,171 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-10-18 06:41:18,171 [root] DEBUG: DLL loaded at 0x74A00000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-10-18 06:41:18,171 [root] DEBUG: DLL loaded at 0x75170000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-10-18 06:41:18,171 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-10-18 06:41:18,203 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-10-18 06:41:18,203 [root] DEBUG: DLL loaded at 0x75E60000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-10-18 06:41:18,203 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-10-18 06:41:18,218 [root] DEBUG: DLL unloaded from 0x75180000.
2020-10-18 06:41:18,218 [root] DEBUG: DLL loaded at 0x73F70000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-10-18 06:41:18,218 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-10-18 06:41:18,234 [root] DEBUG: DLL loaded at 0x76650000: C:\Windows\SysWOW64\urlmon (0x124000 bytes).
2020-10-18 06:41:18,234 [root] DEBUG: DLL loaded at 0x76330000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-10-18 06:41:18,296 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-10-18 06:41:18,312 [root] DEBUG: DLL loaded at 0x6F740000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-10-18 06:41:18,328 [root] INFO: Announced 32-bit process name: cmd.exe pid: 3648
2020-10-18 06:41:18,328 [lib.api.process] INFO: Monitor config for process 3648: C:\tmplodztmkc\dll\3648.ini
2020-10-18 06:41:18,328 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:18,343 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:18,359 [root] DEBUG: Loader: Injecting process 3648 (thread 3632) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:18,359 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:18,375 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:41:18,375 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:18,421 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3648, ImageBase: 0x4A540000
2020-10-18 06:41:18,421 [root] INFO: Announced 32-bit process name: cmd.exe pid: 3648
2020-10-18 06:41:18,421 [lib.api.process] INFO: Monitor config for process 3648: C:\tmplodztmkc\dll\3648.ini
2020-10-18 06:41:18,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:18,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:18,453 [root] DEBUG: Loader: Injecting process 3648 (thread 3632) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:18,453 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:18,453 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:41:18,453 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:18,468 [root] DEBUG: DLL loaded at 0x732F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-10-18 06:41:18,515 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:41:18,515 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:41:18,515 [root] INFO: Disabling sleep skipping.
2020-10-18 06:41:18,515 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:41:18,515 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3648 at 0x6f3e0000, image base 0x4a540000, stack from 0x363000-0x460000
2020-10-18 06:41:18,515 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"
2020-10-18 06:41:18,562 [root] INFO: Loaded monitor into process with pid 3648
2020-10-18 06:41:18,593 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\application.exe
2020-10-18 06:41:18,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 and local view 0x001A0000 to global list.
2020-10-18 06:41:18,593 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3648
2020-10-18 06:41:18,609 [root] DEBUG: GetHookCallerBase: thread 3632 (handle 0x0), return address 0x4A547302, allocation base 0x4A540000.
2020-10-18 06:41:18,609 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x4A540000.
2020-10-18 06:41:18,609 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:41:18,609 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4A540000.
2020-10-18 06:41:18,609 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2020-10-18 06:41:18,640 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x49e00.
2020-10-18 06:41:18,640 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-10-18 06:41:18,640 [root] INFO: Process with pid 3648 has terminated
2020-10-18 06:41:28,687 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2136
2020-10-18 06:41:28,687 [lib.api.process] INFO: Monitor config for process 2136: C:\tmplodztmkc\dll\2136.ini
2020-10-18 06:41:28,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:28,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:28,843 [root] DEBUG: Loader: Injecting process 2136 (thread 3968) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:28,843 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:28,843 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:41:28,843 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:28,906 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2136, ImageBase: 0x4A130000
2020-10-18 06:41:28,953 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2136
2020-10-18 06:41:28,968 [lib.api.process] INFO: Monitor config for process 2136: C:\tmplodztmkc\dll\2136.ini
2020-10-18 06:41:28,968 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:29,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:29,015 [root] DEBUG: Loader: Injecting process 2136 (thread 3968) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:29,015 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:29,015 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:41:29,031 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:29,046 [root] DEBUG: DLL unloaded from 0x6A700000.
2020-10-18 06:41:29,078 [root] DEBUG: DLL unloaded from 0x6A5B0000.
2020-10-18 06:41:29,093 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3428
2020-10-18 06:41:29,093 [root] DEBUG: GetHookCallerBase: thread 3924 (handle 0x0), return address 0x001ECB3D, allocation base 0x001E0000.
2020-10-18 06:41:29,093 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:41:29,109 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00E60000.
2020-10-18 06:41:29,109 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:41:29,109 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00E62000
2020-10-18 06:41:29,109 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:41:29,109 [root] INFO: Disabling sleep skipping.
2020-10-18 06:41:29,109 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00E60000.
2020-10-18 06:41:29,125 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:41:29,125 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2136 at 0x6f3e0000, image base 0x4a130000, stack from 0x333000-0x430000
2020-10-18 06:41:29,125 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c, "C:\Users\Louise\AppData\Roaming\application.exe"
2020-10-18 06:41:29,156 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-18 06:41:29,156 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00E60000, dumping memory region.
2020-10-18 06:41:29,171 [root] INFO: Loaded monitor into process with pid 2136
2020-10-18 06:41:29,171 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-10-18 06:41:29,171 [root] DEBUG: DLL unloaded from 0x69050000.
2020-10-18 06:41:29,187 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-10-18 06:41:29,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf0 and local view 0x03820000 to global list.
2020-10-18 06:41:29,218 [root] DEBUG: DLL unloaded from 0x73F70000.
2020-10-18 06:41:29,218 [root] DEBUG: DLL unloaded from 0x722D0000.
2020-10-18 06:41:29,218 [root] DEBUG: DLL unloaded from 0x729C0000.
2020-10-18 06:41:29,218 [root] INFO: Announced 32-bit process name: application.exe pid: 3192
2020-10-18 06:41:29,234 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3428
2020-10-18 06:41:29,234 [lib.api.process] INFO: Monitor config for process 3192: C:\tmplodztmkc\dll\3192.ini
2020-10-18 06:41:29,234 [root] DEBUG: GetHookCallerBase: thread 3924 (handle 0x0), return address 0x001ECB3D, allocation base 0x001E0000.
2020-10-18 06:41:29,249 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00E60000.
2020-10-18 06:41:29,249 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00E62000
2020-10-18 06:41:29,249 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:41:29,265 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00E60000.
2020-10-18 06:41:29,265 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:29,281 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-18 06:41:29,296 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00E60000, dumping memory region.
2020-10-18 06:41:29,312 [root] INFO: Process with pid 3428 has terminated
2020-10-18 06:41:29,328 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:29,328 [root] DEBUG: Loader: Injecting process 3192 (thread 3624) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:29,328 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:29,328 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:29,359 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:29,375 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:41:29,406 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3192, ImageBase: 0x00E80000
2020-10-18 06:41:29,484 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:41:29,500 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:41:29,515 [root] INFO: Disabling sleep skipping.
2020-10-18 06:41:29,515 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3192 at 0x6f3e0000, image base 0xe80000, stack from 0x3b6000-0x3c0000
2020-10-18 06:41:29,515 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Roaming\application.exe"
2020-10-18 06:41:29,562 [root] INFO: Loaded monitor into process with pid 3192
2020-10-18 06:41:29,593 [root] DEBUG: set_caller_info: Adding region at 0x002C0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-10-18 06:41:29,593 [root] DEBUG: DumpPEsInRange: Scanning range 0x2c0000 - 0x3c0000.
2020-10-18 06:41:29,609 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x2c0000
2020-10-18 06:41:29,609 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x2c0000
2020-10-18 06:41:29,625 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x002C0000 size 0x100000.
2020-10-18 06:41:29,687 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3192_811544608294113180102020 (size 0xcec)
2020-10-18 06:41:29,687 [root] DEBUG: DumpRegion: Dumped region at 0x003BF000, size 0x1000.
2020-10-18 06:41:29,703 [root] DEBUG: set_caller_info: Adding region at 0x02550000 to caller regions list (advapi32::RegOpenKeyExW).
2020-10-18 06:41:29,703 [root] DEBUG: DumpPEsInRange: Scanning range 0x2550000 - 0x2950000.
2020-10-18 06:41:29,718 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x2595fc1
2020-10-18 06:41:29,734 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x2550000
2020-10-18 06:41:29,734 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02550000 size 0x400000.
2020-10-18 06:41:29,812 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3192_1453496074294113180102020 (size 0x1a41)
2020-10-18 06:41:29,812 [root] DEBUG: DumpRegion: Dumped region at 0x0290D000, size 0x10000.
2020-10-18 06:41:29,828 [root] DEBUG: set_caller_info: Adding region at 0x00530000 to caller regions list (kernel32::FindFirstFileExW).
2020-10-18 06:41:29,828 [root] DEBUG: DumpPEsInRange: Scanning range 0x530000 - 0x5b0000.
2020-10-18 06:41:29,828 [root] DEBUG: TestPERequirements: Exception occurred reading region at 0x54700a
2020-10-18 06:41:29,843 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x546fc1
2020-10-18 06:41:29,843 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x5b0000
2020-10-18 06:41:29,843 [root] DEBUG: DumpMemory: Nothing to dump at 0x00530000!
2020-10-18 06:41:29,859 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00530000 size 0x80000.
2020-10-18 06:41:29,875 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x5b0000
2020-10-18 06:41:29,875 [root] DEBUG: DumpMemory: Nothing to dump at 0x00570000!
2020-10-18 06:41:29,890 [root] DEBUG: DumpRegion: Failed to dump region at 0x00570000 size 0x40000.
2020-10-18 06:41:29,906 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 and local view 0x729C0000 to global list.
2020-10-18 06:41:29,906 [root] DEBUG: DLL loaded at 0x729C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-10-18 06:41:29,921 [root] DEBUG: DLL unloaded from 0x74A80000.
2020-10-18 06:41:29,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 and local view 0x003C0000 to global list.
2020-10-18 06:41:29,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 and local view 0x003C0000 to global list.
2020-10-18 06:41:29,953 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-10-18 06:41:29,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x722D0000 for section view with handle 0xe4.
2020-10-18 06:41:29,953 [root] DEBUG: DLL loaded at 0x722D0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-10-18 06:41:29,968 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72FE0000 for section view with handle 0xe4.
2020-10-18 06:41:29,984 [root] DEBUG: DLL loaded at 0x72FE0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-10-18 06:41:30,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 and local view 0x00110000 to global list.
2020-10-18 06:41:30,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c and local view 0x00120000 to global list.
2020-10-18 06:41:30,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c0 and local view 0x05E90000 to global list.
2020-10-18 06:41:30,109 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 and local view 0x6CCA0000 to global list.
2020-10-18 06:41:30,109 [root] DEBUG: DLL loaded at 0x6CCA0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-10-18 06:41:30,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 and local view 0x6FE20000 to global list.
2020-10-18 06:41:30,156 [root] DEBUG: DLL loaded at 0x6FE20000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-10-18 06:41:30,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c and local view 0x6EC00000 to global list.
2020-10-18 06:41:30,187 [root] DEBUG: DLL loaded at 0x6EC00000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-10-18 06:41:30,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 and local view 0x70B70000 to global list.
2020-10-18 06:41:30,187 [root] DEBUG: DLL loaded at 0x70B70000: C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni (0x3f3000 bytes).
2020-10-18 06:41:30,203 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 06:41:30,203 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-10-18 06:41:30,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E050000 for section view with handle 0x22c.
2020-10-18 06:41:30,218 [root] DEBUG: DLL loaded at 0x6E050000: C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni (0xbad000 bytes).
2020-10-18 06:41:30,249 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 and local view 0x6B990000 to global list.
2020-10-18 06:41:30,249 [root] DEBUG: DLL loaded at 0x6B990000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni (0x1307000 bytes).
2020-10-18 06:41:30,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FC20000 for section view with handle 0x224.
2020-10-18 06:41:30,265 [root] DEBUG: DLL loaded at 0x6FC20000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni (0x1f4000 bytes).
2020-10-18 06:41:30,296 [root] DEBUG: DLL loaded at 0x6FAE0000: C:\Windows\system32\dwrite (0x136000 bytes).
2020-10-18 06:41:30,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F860000 for section view with handle 0x224.
2020-10-18 06:41:30,312 [root] DEBUG: DLL loaded at 0x6F860000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400 (0x149000 bytes).
2020-10-18 06:41:30,328 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72AD0000 for section view with handle 0x224.
2020-10-18 06:41:30,328 [root] DEBUG: DLL loaded at 0x72AD0000: C:\Windows\system32\MSVCP120_CLR0400 (0x78000 bytes).
2020-10-18 06:41:30,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70AA0000 for section view with handle 0x22c.
2020-10-18 06:41:30,343 [root] DEBUG: DLL loaded at 0x70AA0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400 (0xca000 bytes).
2020-10-18 06:41:30,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72A50000 for section view with handle 0x22c.
2020-10-18 06:41:30,343 [root] DEBUG: DLL loaded at 0x72A50000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-10-18 06:41:30,359 [root] DEBUG: set_caller_info: Adding region at 0x002A0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-10-18 06:41:30,359 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a0000 - 0x2b0000.
2020-10-18 06:41:30,375 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x2a0fc1
2020-10-18 06:41:30,375 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x2b0000
2020-10-18 06:41:30,421 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3192_1406126636504113180102020 (size 0x48c)
2020-10-18 06:41:30,437 [root] DEBUG: DumpRegion: Dumped region at 0x002A0000, size 0x1000.
2020-10-18 06:41:30,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 and local view 0x73200000 to global list.
2020-10-18 06:41:30,484 [root] DEBUG: DLL loaded at 0x73200000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-10-18 06:41:30,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06320000 for section view with handle 0x234.
2020-10-18 06:41:30,500 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x150000
2020-10-18 06:41:30,515 [root] DEBUG: DumpMemory: Nothing to dump at 0x00140000!
2020-10-18 06:41:30,515 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00140000 size 0x10000.
2020-10-18 06:41:30,562 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3192_1083680991504113180102020 (size 0x5a3)
2020-10-18 06:41:30,718 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x278 and local view 0x00450000 to global list.
2020-10-18 06:41:30,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x298 and local view 0x6F4E0000 to global list.
2020-10-18 06:41:30,796 [root] DEBUG: DLL loaded at 0x6F4E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-10-18 06:41:30,796 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x294 and local view 0x6AC70000 to global list.
2020-10-18 06:41:30,812 [root] DEBUG: DLL loaded at 0x6AC70000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-10-18 06:41:30,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6AAD0000 for section view with handle 0x294.
2020-10-18 06:41:30,859 [root] DEBUG: DLL loaded at 0x6AAD0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-10-18 06:41:30,875 [root] DEBUG: DLL loaded at 0x6A990000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-10-18 06:41:41,156 [root] DEBUG: DLL loaded at 0x6A890000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-10-18 06:41:41,171 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-10-18 06:41:41,171 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:41:41,187 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-10-18 06:41:41,203 [root] DEBUG: DLL loaded at 0x69DD0000: C:\Windows\SysWOW64\ieframe (0xaba000 bytes).
2020-10-18 06:41:41,218 [root] DEBUG: DLL loaded at 0x75EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-10-18 06:41:41,218 [root] DEBUG: DLL loaded at 0x75F00000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-10-18 06:41:41,234 [root] DEBUG: DLL loaded at 0x76320000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-10-18 06:41:41,249 [root] DEBUG: DLL loaded at 0x731F0000: C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-10-18 06:41:41,249 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-10-18 06:41:41,312 [root] INFO: Announced 32-bit process name: cmd.exe pid: 4948
2020-10-18 06:41:41,312 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-10-18 06:41:41,328 [lib.api.process] INFO: Monitor config for process 4948: C:\tmplodztmkc\dll\4948.ini
2020-10-18 06:41:41,328 [root] DEBUG: DLL loaded at 0x75E60000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-10-18 06:41:41,328 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-10-18 06:41:41,343 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:41,359 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:41,375 [root] DEBUG: DLL unloaded from 0x75180000.
2020-10-18 06:41:41,375 [root] DEBUG: Loader: Injecting process 4948 (thread 1480) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:41,375 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:41,390 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:41:41,406 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:41,468 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4948, ImageBase: 0x4A130000
2020-10-18 06:41:41,500 [root] DEBUG: DLL loaded at 0x732F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-10-18 06:41:41,515 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:41:41,515 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:41:41,531 [root] INFO: Disabling sleep skipping.
2020-10-18 06:41:41,531 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:41:41,531 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4948 at 0x6f3e0000, image base 0x4a130000, stack from 0x1b3000-0x2b0000
2020-10-18 06:41:41,531 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" \f \v "applicat" \t REG_SZ \d "C:\Users\Louise\AppData\Roaming\application.exe"
2020-10-18 06:41:41,578 [root] INFO: Loaded monitor into process with pid 4948
2020-10-18 06:41:41,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe8 and local view 0x038B0000 to global list.
2020-10-18 06:41:41,609 [root] INFO: Announced 32-bit process name: reg.exe pid: 1156
2020-10-18 06:41:41,609 [lib.api.process] INFO: Monitor config for process 1156: C:\tmplodztmkc\dll\1156.ini
2020-10-18 06:41:41,640 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:41,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:41,734 [root] DEBUG: Loader: Injecting process 1156 (thread 4356) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:41,734 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:41,734 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:41:41,734 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:41,750 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:41:41,828 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1156, ImageBase: 0x00410000
2020-10-18 06:41:41,843 [root] INFO: Announced 32-bit process name: reg.exe pid: 1156
2020-10-18 06:41:41,843 [lib.api.process] INFO: Monitor config for process 1156: C:\tmplodztmkc\dll\1156.ini
2020-10-18 06:41:41,843 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:41,890 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:41,890 [root] DEBUG: Loader: Injecting process 1156 (thread 4356) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:41,890 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:41,890 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:41:41,890 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:41,937 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:41:41,937 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:41:41,953 [root] INFO: Disabling sleep skipping.
2020-10-18 06:41:41,953 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:41:41,953 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1156 at 0x6f3e0000, image base 0x410000, stack from 0x136000-0x140000
2020-10-18 06:41:41,953 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\REG  ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" \f \v "applicat" \t REG_SZ \d "C:\Users\Louise\AppData\Roaming\application.exe"
2020-10-18 06:41:42,000 [root] INFO: Loaded monitor into process with pid 1156
2020-10-18 06:41:42,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 and local view 0x03650000 to global list.
2020-10-18 06:41:42,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc and local view 0x03920000 to global list.
2020-10-18 06:41:42,015 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1156
2020-10-18 06:41:42,015 [root] DEBUG: GetHookCallerBase: thread 4356 (handle 0x0), return address 0x00411CAD, allocation base 0x00410000.
2020-10-18 06:41:42,031 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00410000.
2020-10-18 06:41:42,031 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:41:42,031 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00410000.
2020-10-18 06:41:42,031 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001BCA.
2020-10-18 06:41:42,093 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xf400.
2020-10-18 06:41:42,093 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-10-18 06:41:42,109 [root] INFO: Process with pid 1156 has terminated
2020-10-18 06:41:42,125 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4948
2020-10-18 06:41:42,140 [root] DEBUG: GetHookCallerBase: thread 1480 (handle 0x0), return address 0x4A137302, allocation base 0x4A130000.
2020-10-18 06:41:42,140 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x4A130000.
2020-10-18 06:41:42,156 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:41:42,171 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4A130000.
2020-10-18 06:41:42,187 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2020-10-18 06:41:42,343 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x49e00.
2020-10-18 06:41:42,343 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-10-18 06:41:42,375 [root] INFO: Process with pid 4948 has terminated
2020-10-18 06:41:42,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x374 and local view 0x00CA0000 to global list.
2020-10-18 06:41:42,468 [root] DEBUG: set_caller_info: Adding region at 0x024C0000 to caller regions list (ntdll::memcpy).
2020-10-18 06:41:42,484 [root] DEBUG: DumpPEsInRange: Scanning range 0x24c0000 - 0x24d0000.
2020-10-18 06:41:42,484 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x24c2fc1
2020-10-18 06:41:42,484 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x24d0000
2020-10-18 06:41:42,484 [root] DEBUG: DumpMemory: Nothing to dump at 0x024C0000!
2020-10-18 06:41:42,515 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3940
2020-10-18 06:41:42,515 [lib.api.process] INFO: Monitor config for process 3940: C:\tmplodztmkc\dll\3940.ini
2020-10-18 06:41:42,546 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:42,562 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:42,562 [root] DEBUG: Loader: Injecting process 3940 (thread 5116) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:42,578 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:42,578 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:42,578 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:43,078 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3940, ImageBase: 0x010E0000
2020-10-18 06:41:43,109 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3940
2020-10-18 06:41:43,125 [lib.api.process] INFO: Monitor config for process 3940: C:\tmplodztmkc\dll\3940.ini
2020-10-18 06:41:43,140 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:43,156 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:43,171 [root] DEBUG: Loader: Injecting process 3940 (thread 5116) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:43,171 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:43,187 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:43,187 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:43,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3fc and local view 0x70A50000 to global list.
2020-10-18 06:41:43,218 [root] DEBUG: DLL loaded at 0x70A50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni (0x45000 bytes).
2020-10-18 06:41:43,390 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 3940 (ImageBase 0x400000)
2020-10-18 06:41:43,406 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:41:43,406 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0599B538.
2020-10-18 06:41:43,515 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x49000.
2020-10-18 06:41:43,531 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x599b538, SizeOfImage 0x50000.
2020-10-18 06:41:43,546 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3940
2020-10-18 06:41:43,546 [lib.api.process] INFO: Monitor config for process 3940: C:\tmplodztmkc\dll\3940.ini
2020-10-18 06:41:43,562 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:43,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:43,578 [root] DEBUG: Loader: Injecting process 3940 (thread 0) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:43,593 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 5116, handle 0xbc
2020-10-18 06:41:43,609 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:43,609 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:43,609 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:43,656 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-10-18 06:41:43,671 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3940
2020-10-18 06:41:43,671 [lib.api.process] INFO: Monitor config for process 3940: C:\tmplodztmkc\dll\3940.ini
2020-10-18 06:41:43,687 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:43,703 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:43,703 [root] DEBUG: Loader: Injecting process 3940 (thread 0) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:43,718 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 5116, handle 0xbc
2020-10-18 06:41:43,718 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:43,750 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:43,750 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:43,765 [root] DEBUG: WriteMemoryHandler: shellcode at 0x04058FDC (size 0x400) injected into process 3940.
2020-10-18 06:41:43,890 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3192_1760528686134313180102020 (size 0x301)
2020-10-18 06:41:43,890 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:41:43,906 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3940
2020-10-18 06:41:43,921 [lib.api.process] INFO: Monitor config for process 3940: C:\tmplodztmkc\dll\3940.ini
2020-10-18 06:41:43,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:43,953 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:43,968 [root] DEBUG: Loader: Injecting process 3940 (thread 0) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:43,968 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 5116, handle 0xbc
2020-10-18 06:41:43,984 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:43,984 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:44,000 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:44,031 [root] DEBUG: WriteMemoryHandler: shellcode at 0x040617AC (size 0x200) injected into process 3940.
2020-10-18 06:41:44,093 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3192_513127231144313180102020 (size 0xa)
2020-10-18 06:41:44,109 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:41:44,109 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3940
2020-10-18 06:41:44,125 [lib.api.process] INFO: Monitor config for process 3940: C:\tmplodztmkc\dll\3940.ini
2020-10-18 06:41:44,140 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:44,171 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:44,203 [root] DEBUG: Loader: Injecting process 3940 (thread 0) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:44,203 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 5116, handle 0xbc
2020-10-18 06:41:44,218 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:44,218 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:44,234 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:44,265 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3940
2020-10-18 06:41:44,281 [lib.api.process] INFO: Monitor config for process 3940: C:\tmplodztmkc\dll\3940.ini
2020-10-18 06:41:44,296 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:44,328 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:44,343 [root] DEBUG: Loader: Injecting process 3940 (thread 0) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:44,343 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 5116, handle 0xbc
2020-10-18 06:41:44,375 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:44,390 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:44,390 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:45,406 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0004A78E (process 3940).
2020-10-18 06:41:45,406 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3940
2020-10-18 06:41:45,421 [lib.api.process] INFO: Monitor config for process 3940: C:\tmplodztmkc\dll\3940.ini
2020-10-18 06:41:45,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:45,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:45,484 [root] DEBUG: Loader: Injecting process 3940 (thread 5116) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:45,484 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:45,484 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:45,484 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:45,500 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3940.
2020-10-18 06:41:45,546 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:41:45,546 [root] DEBUG: DLL unloaded from 0x6F860000.
2020-10-18 06:41:45,546 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:41:45,578 [root] DEBUG: DLL unloaded from 0x70AA0000.
2020-10-18 06:41:45,750 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2136
2020-10-18 06:41:45,765 [root] DEBUG: GetHookCallerBase: thread 3968 (handle 0x0), return address 0x4A137302, allocation base 0x4A130000.
2020-10-18 06:41:45,796 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x4A130000.
2020-10-18 06:41:45,796 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:41:45,812 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4A130000.
2020-10-18 06:41:45,828 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2020-10-18 06:41:45,859 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3940_1571442273454113180102020 (size 0x12b)
2020-10-18 06:41:45,859 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00110000, size 0x1000.
2020-10-18 06:41:45,875 [root] DEBUG: DLL loaded at 0x03780000: C:\tmplodztmkc\dll\IhThbBu (0xd6000 bytes).
2020-10-18 06:41:45,875 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-10-18 06:41:45,890 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-10-18 06:41:45,890 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-10-18 06:41:45,906 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-10-18 06:41:45,906 [root] DEBUG: DLL unloaded from 0x03780000.
2020-10-18 06:41:45,921 [root] DEBUG: set_caller_info: Adding region at 0x00120000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:41:45,921 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x49e00.
2020-10-18 06:41:46,062 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3940_1945225439454113180102020 (size 0x12b)
2020-10-18 06:41:46,062 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00120000, size 0x1000.
2020-10-18 06:41:46,078 [root] DEBUG: DLL loaded at 0x03780000: C:\tmplodztmkc\dll\IhThbBu (0xd6000 bytes).
2020-10-18 06:41:46,078 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-10-18 06:41:46,078 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-10-18 06:41:46,125 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-10-18 06:41:46,140 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-10-18 06:41:46,140 [root] DEBUG: DLL unloaded from 0x03780000.
2020-10-18 06:41:46,156 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-10-18 06:41:46,156 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-10-18 06:41:46,171 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-10-18 06:41:46,171 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-10-18 06:41:46,187 [root] DEBUG: DLL unloaded from 0x03780000.
2020-10-18 06:41:46,203 [root] DEBUG: set_caller_info: Adding region at 0x00140000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:41:46,218 [root] DEBUG: DumpPEsInRange: Scanning range 0x140000 - 0x141000.
2020-10-18 06:41:46,218 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x140000-0x141000.
2020-10-18 06:41:46,296 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3940_1465322572464113180102020 (size 0x12b)
2020-10-18 06:41:46,296 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00140000, size 0x1000.
2020-10-18 06:41:46,312 [root] DEBUG: DLL loaded at 0x03780000: C:\tmplodztmkc\dll\IhThbBu (0xd6000 bytes).
2020-10-18 06:41:46,312 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-10-18 06:41:46,328 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-10-18 06:41:46,328 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-10-18 06:41:46,328 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-10-18 06:41:46,343 [root] DEBUG: DLL unloaded from 0x03780000.
2020-10-18 06:41:46,343 [root] DEBUG: set_caller_info: Adding region at 0x00290000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-10-18 06:41:46,359 [root] DEBUG: DumpPEsInRange: Scanning range 0x290000 - 0x390000.
2020-10-18 06:41:46,375 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x290000
2020-10-18 06:41:46,406 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x290000
2020-10-18 06:41:46,421 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00290000 size 0x100000.
2020-10-18 06:41:46,437 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x518fc1
2020-10-18 06:41:46,468 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x5e0000
2020-10-18 06:41:46,468 [root] DEBUG: DumpMemory: Nothing to dump at 0x004E0000!
2020-10-18 06:41:46,500 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x004E0000 size 0x100000.
2020-10-18 06:41:46,515 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x5e0000
2020-10-18 06:41:46,515 [root] DEBUG: DumpMemory: Nothing to dump at 0x00570000!
2020-10-18 06:41:46,531 [root] DEBUG: DumpRegion: Failed to dump region at 0x00570000 size 0x70000.
2020-10-18 06:41:46,531 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc8 and local view 0x729C0000 to global list.
2020-10-18 06:41:46,546 [root] DEBUG: DLL loaded at 0x729C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-10-18 06:41:46,562 [root] DEBUG: DLL unloaded from 0x74A80000.
2020-10-18 06:41:46,578 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-10-18 06:41:46,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 and local view 0x722D0000 to global list.
2020-10-18 06:41:46,609 [root] DEBUG: DLL loaded at 0x722D0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-10-18 06:41:46,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72FE0000 for section view with handle 0xe4.
2020-10-18 06:41:46,625 [root] DEBUG: DLL loaded at 0x72FE0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-10-18 06:41:46,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 and local view 0x001D0000 to global list.
2020-10-18 06:41:46,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c and local view 0x00260000 to global list.
2020-10-18 06:41:46,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c0 and local view 0x05DE0000 to global list.
2020-10-18 06:41:46,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f0 and local view 0x6E040000 to global list.
2020-10-18 06:41:46,703 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3940
2020-10-18 06:41:46,703 [lib.api.process] INFO: Monitor config for process 3940: C:\tmplodztmkc\dll\3940.ini
2020-10-18 06:41:46,703 [root] DEBUG: DLL loaded at 0x6E040000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-10-18 06:41:46,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f4 and local view 0x72AD0000 to global list.
2020-10-18 06:41:46,734 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IhThbBu.dll, loader C:\tmplodztmkc\bin\LKSLBgH.exe
2020-10-18 06:41:46,734 [root] DEBUG: DLL loaded at 0x72AD0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-10-18 06:41:46,781 [root] DEBUG: set_caller_info: Adding region at 0x06130000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:41:46,781 [root] DEBUG: DumpPEsInRange: Scanning range 0x6130000 - 0x6150000.
2020-10-18 06:41:46,796 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nehUJFhksy.
2020-10-18 06:41:46,796 [root] DEBUG: Loader: Injecting process 3940 (thread 3248) with C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:46,796 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x6140fc1
2020-10-18 06:41:46,796 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:41:46,796 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x6150000
2020-10-18 06:41:46,812 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:41:46,828 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.
2020-10-18 06:41:46,828 [root] DEBUG: DumpMemory: Nothing to dump at 0x06130000!
2020-10-18 06:41:46,843 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x06130000 size 0x20000.
2020-10-18 06:41:46,859 [root] DEBUG: set_caller_info: Adding region at 0x004A0000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:41:46,859 [root] DEBUG: DumpPEsInRange: Scanning range 0x4a0000 - 0x4a1000.
2020-10-18 06:41:46,875 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4a0000-0x4a1000.
2020-10-18 06:41:46,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3940_1716328637464113180102020 (size 0x1089c)
2020-10-18 06:41:46,906 [root] DEBUG: DumpRegion: Dumped region at 0x06130000, size 0x11000.
2020-10-18 06:41:46,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x210 and local view 0x6D630000 to global list.
2020-10-18 06:41:46,937 [root] DEBUG: DLL loaded at 0x6D630000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-10-18 06:41:47,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70DD0000 for section view with handle 0x210.
2020-10-18 06:41:47,078 [root] DEBUG: DLL loaded at 0x70DD0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-10-18 06:41:47,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20c and local view 0x6FB10000 to global list.
2020-10-18 06:41:47,109 [root] DEBUG: DLL loaded at 0x6FB10000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-10-18 06:41:47,125 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3940_945709051464113180102020 (size 0x12b)
2020-10-18 06:41:47,125 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x004A0000, size 0x1000.
2020-10-18 06:41:47,156 [root] DEBUG: DLL loaded at 0x06280000: C:\tmplodztmkc\dll\IhThbBu (0xd6000 bytes).
2020-10-18 06:41:47,156 [root] DEBUG: RtlDispatchException: Unhandled exception! Address 0x76FD6BA4, code 0xc0000005, flags 0x0, parameters 0x1 and 0x0.
2020-10-18 06:44:24,906 [root] INFO: Analysis timeout hit, terminating analysis.
2020-10-18 06:44:24,921 [lib.api.process] ERROR: Failed to open terminate event for pid 2136
2020-10-18 06:44:24,921 [root] INFO: Terminate event set for process 2136.
2020-10-18 06:44:24,921 [lib.api.process] ERROR: Failed to open terminate event for pid 3192
2020-10-18 06:44:24,921 [root] INFO: Terminate event set for process 3192.
2020-10-18 06:44:24,921 [root] INFO: Created shutdown mutex.
2020-10-18 06:44:25,937 [root] INFO: Shutting down package.
2020-10-18 06:44:25,937 [root] INFO: Stopping auxiliary modules.
2020-10-18 06:44:26,218 [lib.common.results] WARNING: File C:\dgZjxUUlM\bin\procmon.xml doesn't exist anymore
2020-10-18 06:44:26,218 [root] INFO: Finishing auxiliary modules.
2020-10-18 06:44:26,218 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-10-18 06:44:26,281 [root] WARNING: Folder at path "C:\dgZjxUUlM\debugger" does not exist, skip.
2020-10-18 06:44:26,281 [root] WARNING: Monitor injection attempted but failed for process 3940.
2020-10-18 06:44:26,312 [root] INFO: Analysis completed.
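
The analyzer log above is plain text in a fixed shape, and the lines that matter for triage are scattered among hundreds of DLL load/unload messages. The parser below is an added example, not part of CAPE or of this report, that pulls out the facts worth checking before trusting the rest of the report: which processes the monitor announced, whether the loader's injection into them actually took, what CAPE dumped and how large each dump is, and whether the run ended on a crash or a timeout. The regular expressions match the message formats visible in this log and are an assumption about CAPE's log format beyond it; the sample input is a handful of lines copied from the log above.

```python
import re
from collections import Counter

# Log line shape used by the CAPE analyzer: "<date> <time>,<ms> [<logger>] <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Message formats as they appear in this log (assumed stable for other CAPE runs).
ANNOUNCE_RE = re.compile(r"Announced (?P<bits>\d+)-bit process name: (?P<name>\S+) pid: (?P<pid>\d+)")
INJECT_RE = re.compile(r"Loader: Injecting process (?P<pid>\d+)")
INJECT_FAILED_RE = re.compile(r"Monitor injection attempted but failed for process (?P<pid>\d+)")
DUMP_RE = re.compile(r"CAPE output file successfully created: (?P<path>\S+) \(size (?P<size>0x[0-9a-fA-F]+)\)")
EXCEPTION_RE = re.compile(r"Unhandled exception! Address (?P<addr>0x[0-9A-Fa-f]+), code (?P<code>0x[0-9a-fA-F]+)")

# Sample input: lines copied from the analyzer log above (not a complete log).
SAMPLE_LOG = [
    r"2020-10-18 06:41:46,062 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3940_1945225439454113180102020 (size 0x12b)",
    r"2020-10-18 06:41:46,703 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3940",
    r"2020-10-18 06:41:46,703 [lib.api.process] INFO: Monitor config for process 3940: C:\tmplodztmkc\dll\3940.ini",
    r"2020-10-18 06:41:46,796 [root] DEBUG: Loader: Injecting process 3940 (thread 3248) with C:\tmplodztmkc\dll\IhThbBu.dll.",
    r"2020-10-18 06:41:46,796 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.",
    r"2020-10-18 06:41:46,828 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IhThbBu.dll.",
    r"2020-10-18 06:41:46,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dgZjxUUlM\CAPE\3940_1716328637464113180102020 (size 0x1089c)",
    r"2020-10-18 06:41:47,156 [root] DEBUG: RtlDispatchException: Unhandled exception! Address 0x76FD6BA4, code 0xc0000005, flags 0x0, parameters 0x1 and 0x0.",
    r"2020-10-18 06:44:24,906 [root] INFO: Analysis timeout hit, terminating analysis.",
    r"2020-10-18 06:44:26,281 [root] WARNING: Monitor injection attempted but failed for process 3940.",
    r"2020-10-18 06:44:26,312 [root] INFO: Analysis completed.",
]


def parse_line(line):
    """Return the structured fields of one analyzer log line, or None if it is not one."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def summarize(lines):
    """Reduce an analyzer log to what a triager needs: which processes the monitor saw,
    whether hooking them worked, what CAPE dumped, and how the run ended."""
    s = {
        "processes": {},               # pid -> image name announced by the monitor
        "injection_attempted": set(),  # pids the loader tried to inject
        "injection_failed": set(),     # pids whose monitor never reported back
        "dumps": [],                   # (pid, path, size_in_bytes)
        "unhandled_exceptions": [],    # (fault address, NTSTATUS code)
        "timeout_hit": False,
        "levels": Counter(),
    }
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        s["levels"][rec["level"]] += 1
        msg = rec["msg"]
        if m := ANNOUNCE_RE.search(msg):
            s["processes"][int(m["pid"])] = m["name"]
        elif m := INJECT_RE.search(msg):
            s["injection_attempted"].add(int(m["pid"]))
        elif m := INJECT_FAILED_RE.search(msg):
            s["injection_failed"].add(int(m["pid"]))
        elif m := DUMP_RE.search(msg):
            # CAPE names dumps "<pid>_<unique>"; recover the owning pid from the file name.
            pid = int(m["path"].rsplit("\\", 1)[-1].split("_", 1)[0])
            s["dumps"].append((pid, m["path"], int(m["size"], 16)))
        elif m := EXCEPTION_RE.search(msg):
            s["unhandled_exceptions"].append((m["addr"], m["code"]))
        elif "Analysis timeout hit" in msg:
            s["timeout_hit"] = True
    return s


def coverage_gaps(s):
    """List what the report cannot be trusted to show. A dump or Yara hit from one pid
    says nothing about a pid whose monitor injection failed."""
    gaps = []
    for pid in sorted(s["injection_failed"]):
        name = s["processes"].get(pid, "<never announced>")
        gaps.append(f"pid {pid} ({name}): monitor injection failed, API trace incomplete")
    for addr, code in s["unhandled_exceptions"]:
        gaps.append(f"unhandled exception {code} at {addr}: a hooked process may have crashed")
    if s["timeout_hit"]:
        gaps.append("run ended on timeout, not on sample exit")
    return gaps


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for pid, name in summary["processes"].items():
        print(f"{pid}: {name}")
    for pid, path, size in summary["dumps"]:
        print(f"dump pid={pid} size={size} {path}")
    for gap in coverage_gaps(summary):
        print("gap:", gap)
```

Run against this report, the summary shows why the rest of the page has to be read with care: pid 3940 (InstallUtil.exe) was targeted by queued-APC injection and the loader reported success, yet at shutdown the monitor records the injection as failed and an access violation (0xc0000005) was logged right after the monitor DLL mapped into that process. The API trace for 3940 is therefore incomplete, and the AgentTeslaV2 Yara hit reported in the Signatures section is attributed to PID 3192, not to the InstallUtil.exe child.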

Machine

Name win7x64_4
Label win7x64_8
Manager KVM
Started On 2020-10-18 06:41:03
Shutdown On 2020-10-18 06:46:08

File Details

File Name Money gram.exe
File Size 891392 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2006-07-18 14:10:00
MD5 b0cff698d1fd64ef9a159e2dbea1abaf
SHA1 44645a78e2dbe6dbd0e23c60204cb28dc4c4136b
SHA256 3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
SHA512 0e5c7ae7a03840c60c5fbf3e58df15b1aeddcb841171db828c44ab1640b4d19ff29e819fd16692f0bf51637739257b4c4b4544ce1f8f62a961c15388c3d81c6b
CRC32 0EFD2EF0
Ssdeep 12288:QDCY7oJcjcxTUQV6/1A8FtwpUDLhgCJ1dUEML91pNV0vpvQc:QOYQcjcxTUu6/W8aUPJ1GHzCvJt

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Executed a command line with a /C or /R argument that terminates the command shell on completion, which can be used to hide execution
command: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"
command: cmd.exe /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"
command: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Louise\AppData\Roaming\application.exe"
command: cmd.exe /c, "C:\Users\Louise\AppData\Roaming\application.exe"
command: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
command: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
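
The six command lines above are the whole persistence chain in three steps: the sample copies itself from %TEMP% into %APPDATA% as application.exe, launches the copy, and registers that copy under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (value name applicat). Each step is reported twice because CAPE records both the raw command line and its cmd.exe-resolved form. The script below is an added example, not part of the CAPE report, that parses "command:" lines of this shape, unwraps the cmd.exe /c wrapper (including the `/c,` form seen here; cmd.exe accepts a comma as an argument delimiter), classifies each step, and correlates the three steps on the staged path. The autorun key suffixes and per-user directories it flags are assumptions about what is worth alerting on, and the sample input is the six commands copied from above.

```python
import re

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Autostart keys (hive-independent suffixes) that a sample running as the user can write.
AUTORUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Writable per-user locations commonly used to stage a copy of the sample.
USER_PROFILE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\")

# Sample input: the six command lines reported by the signature above.
SAMPLE_COMMANDS = [
    r'"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"',
    r'cmd.exe /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"',
    r'"C:\Windows\System32\cmd.exe" /c, "C:\Users\Louise\AppData\Roaming\application.exe"',
    r'cmd.exe /c, "C:\Users\Louise\AppData\Roaming\application.exe"',
    r'"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"',
    r'cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"',
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def unwrap_cmd(tokens):
    """Strip a leading `cmd.exe /c` or `/r` wrapper. cmd.exe treats ',' ';' and '=' as
    argument delimiters, so the `/c,` seen in this report is equivalent to `/c`."""
    if len(tokens) >= 2 and tokens[0].rsplit("\\", 1)[-1].lower() == "cmd.exe":
        if tokens[1].rstrip(",;=").lower() in ("/c", "/r"):
            return tokens[2:]
    return tokens


def in_user_profile(path):
    return any(d in path.lower() for d in USER_PROFILE_DIRS)


def parse_reg_add(tokens):
    """Parse `REG ADD <key> [/v name] [/t type] [/d data] [/f]` into (key, options)."""
    key = tokens[2] if len(tokens) > 2 else ""
    opts, i = {}, 3
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in ("/v", "/t", "/d", "/s") and i + 1 < len(tokens):
            opts[switch] = tokens[i + 1]
            i += 2
        else:
            opts[switch] = True  # flags such as /f and /ve
            i += 1
    return key, opts


def analyze(cmdline):
    """Classify one command line. Returns a finding dict, or None when nothing matches."""
    inner = unwrap_cmd(tokenize(cmdline))
    if not inner:
        return None
    verb = inner[0].rsplit("\\", 1)[-1].lower()
    if verb == "copy" and len(inner) >= 3 and in_user_profile(inner[2]):
        return {"type": "copy_into_user_profile", "src": inner[1], "dst": inner[2]}
    if verb in ("reg", "reg.exe") and len(inner) >= 3 and inner[1].lower() == "add":
        key, opts = parse_reg_add(inner)
        if key.lower().endswith(AUTORUN_KEY_SUFFIXES):
            return {"type": "run_key_persistence", "key": key, "value_name": opts.get("/v"),
                    "data": opts.get("/d"), "forced": "/f" in opts}
    if len(inner) == 1 and verb.endswith(".exe") and in_user_profile(inner[0]):
        return {"type": "launch_from_user_profile", "path": inner[0]}
    return None


def correlate(cmdlines):
    """Classify a batch, then tie copy -> Run key -> launch together on the staged path.
    Returns (findings, chains); chains are deduplicated per (path, value name)."""
    findings = [f for f in map(analyze, cmdlines) if f]
    staged = {f["dst"].lower() for f in findings if f["type"] == "copy_into_user_profile"}
    launched = {f["path"].lower() for f in findings if f["type"] == "launch_from_user_profile"}
    chains = {}
    for f in findings:
        if f["type"] != "run_key_persistence" or not f["data"]:
            continue
        data = f["data"].lower()
        if data in staged:
            chains[(data, f["value_name"])] = {
                "dropped_path": f["data"], "run_key": f["key"],
                "value_name": f["value_name"], "executed": data in launched,
            }
    return findings, list(chains.values())


if __name__ == "__main__":
    found, chained = correlate(SAMPLE_COMMANDS)
    for f in found:
        print(f["type"], f)
    for c in chained:
        print("persistence chain:", c)
```

The correlation step is what turns three noisy command lines into one actionable record: the dropped path (C:\Users\Louise\AppData\Roaming\application.exe) is both the Run-key data and the binary that was executed, so a single file hash, Run-key value name and path cover all three stages for blocking and hunting.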
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3192 triggered the Yara rule 'AgentTeslaV2'
Creates RWX memory
Guard page use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/PathAppendW
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: dwrite.dll/DWriteCreateFactory
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: KERNEL32.dll/LoadLibraryW
DynamicLoader: GDI32.dll/GdiEntry13
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: KERNEL32.dll/VirtualProtect
DynamicLoader: KERNEL32.dll/VirtualProtect
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipGetImageEncodersSize
DynamicLoader: gdiplus.dll/GdipGetImageEncoders
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: gdiplus.dll/GdipSaveImageToStream
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: gdiplus.dll/GdipBitmapLockBits
DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: KERNEL32.dll/FreeLibrary
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: MSVCR120_CLR0400.dll/_unlock
DynamicLoader: MSVCR120_CLR0400.dll/_lock
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
Reads data out of its own binary image
self_read: process: application.exe, pid: 3192, offset: 0x00000000, length: 0x00032000
A process created a hidden window
Process: Money gram.exe -> cmd.exe
Process: Money gram.exe -> cmd.exe
Process: application.exe -> cmd.exe
CAPE extracted potentially suspicious content
application.exe: Injected Shellcode/Data
InstallUtil.exe: Unpacked Shellcode
application.exe: Unpacked Shellcode
Money gram.exe: Unpacked Shellcode
application.exe: Unpacked Shellcode
Money gram.exe: Unpacked Shellcode
application.exe: Injected Shellcode/Data
Money gram.exe: Unpacked Shellcode
application.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
application.exe: AgentTeslaV2 Payload: 32-bit executable
application.exe: AgentTeslaV2
Money gram.exe: Unpacked Shellcode
application.exe: Unpacked Shellcode
Drops a binary and executes it
binary: C:\Users\Louise\AppData\Roaming\application.exe
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Performs some HTTP requests
url: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error: File not valid: C:\Users\Louise\AppData\Local\Temp\Money gram.exe
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"
command: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"
command: cmd.exe /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"
command: cmd.exe /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"
command: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Louise\AppData\Roaming\application.exe"
command: cmd.exe /c, "C:\Users\Louise\AppData\Roaming\application.exe"
command: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
command: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
command: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
command: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
command: C:\Windows\system32\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
command: C:\Windows\system32\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\Louise\AppData\Local\Temp\Money gram.exe:Zone.Identifier
Behavioural detection: Injection (Process Hollowing)
Injection: application.exe(3192) -> InstallUtil.exe(3940)
Executed a process and injected code into it, probably while unpacking
Injection: application.exe(3192) -> InstallUtil.exe(3940)
Behavioural detection: Injection (inter-process)
Created a process from a suspicious location
File executed: C:\Users\Louise\AppData\Roaming\application.exe
Commandline executed: "C:\Users\Louise\AppData\Roaming\application.exe"
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\applicat
data: C:\Users\Louise\AppData\Roaming\application.exe
Network activity detected but not expressed in API logs
Attempts to bypass application whitelisting by executing .NET utility in a suspended state, potentially for injection
Process: application.exe > C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
CAPE detected the AgentTeslaV2 malware family
Creates a copy of itself
copy: C:\Users\Louise\AppData\Roaming\application.exe
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - RigEK
signature: ET JA3 Hash - Possible Malware - Various Eitest

Hosts

Direct  IP              Country Name
Y       8.8.8.8         United States
Y       51.105.208.173  United Kingdom
N       104.18.10.39    United States
Y       1.1.1.1         Australia

DNS

Name                  Response        Post-Analysis Lookup
cacerts.digicert.com  A 104.18.10.39  104.18.11.39

Summary

C:\Users\Louise\AppData\Local\Temp\Money gram.exe.config
C:\Users\Louise\AppData\Local\Temp\Money gram.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll
C:\Windows\System32\MSVCP120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Users\Louise\AppData\Roaming\application.exe.config
C:\Users\Louise\AppData\Roaming\application.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe.Config
C:\Users\Louise\AppData\Roaming\application.exe
C:\Users\Louise\AppData\Local\Temp\Money gram.exe:Zone.Identifier
C:\Users\Louise\AppData\Roaming\application.exe
C:\Users\Louise\AppData\Roaming\application.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Money gram.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.WindowsBase__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.WindowsBase__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationCore__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationCore__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationTypes__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationTypes__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationProvider__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationProvider__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.ReachFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.ReachFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationUI__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationUI__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Printing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Printing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\Software\Microsoft\Net Framework Setup\NDP\v4\Client
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\InstallPath
HKEY_LOCAL_MACHINE\Software\Microsoft\Avalon.Graphics
HKEY_CURRENT_USER\Software\Microsoft\Avalon.Graphics
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\Money gram.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\application.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\applicat
HKEY_CURRENT_USER\Software\Classes\AppID\application.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\C:|Users|Louise|AppData|Roaming|application.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Louise|AppData|Roaming|application.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Louise|AppData|Roaming|application.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstallUtil.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\InstallPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\applicat
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\applicat
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
kernel32.dll.LocalAlloc
[email protected]@Z
user32.dll.SetProcessDPIAware
kernel32.dll.GetEnvironmentVariableW
shlwapi.dll.PathAppendW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryExW
dwrite.dll.DWriteCreateFactory
shlwapi.dll.PathCombineW
kernel32.dll.LoadLibraryW
gdi32.dll.GdiEntry13
advapi32.dll.EventWrite
advapi32.dll.EventUnregister
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetFullPathNameW
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
bcrypt.dll.BCryptGetFipsAlgorithmMode
kernel32.dll.VirtualProtect
kernel32.dll.DeleteFileW
kernel32.dll.GetCurrentProcessId
advapi32.dll.LookupPrivilegeValueW
kernel32.dll.GetCurrentProcess
advapi32.dll.AdjustTokenPrivileges
kernel32.dll.CloseHandle
kernel32.dll.OpenProcess
psapi.dll.EnumProcessModules
psapi.dll.GetModuleInformation
psapi.dll.GetModuleBaseNameW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
psapi.dll.GetModuleFileNameExW
kernel32.dll.CompareStringOrdinal
kernel32.dll.ResolveLocaleName
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipGetImageEncodersSize
gdiplus.dll.GdipGetImageEncoders
kernel32.dll.LocalFree
gdiplus.dll.GdipSaveImageToStream
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.#10
gdiplus.dll.GdipCreateBitmapFromStream
gdiplus.dll.GdipBitmapLockBits
gdiplus.dll.GdipBitmapUnlockBits
gdiplus.dll.GdipDisposeImage
shell32.dll.ShellExecuteEx
shell32.dll.ShellExecuteExW
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
kernel32.dll.DuplicateHandle
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.FreeLibrary
[email protected]@Z
msvcr120_clr0400.dll._unlock
msvcr120_clr0400.dll._lock
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
cryptsp.dll.CryptReleaseContext
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.ReadFile
advapi32.dll.CreateProcessAsUserW
cryptsp.dll.CryptGetDefaultProviderW
ole32.dll.CoCreateGuid
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
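
The last entries of the list above, CreateProcessAsUserW followed by GetThreadContext, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread, are the API set of process hollowing, and the bare InstallUtil.exe launch in the process list that follows is consistent with that .NET utility being the hollowed host. A list of this kind records the order in which the sample resolved the addresses, not necessarily the order it called them, so the match is a triage signal to confirm in the behavioural trace. The ordered-subsequence matcher below is an added example for this report, not the sandbox's own code; its input is a constructed copy of the tail of the list above, and the ntdll alternatives in the chain are the native calls the kernel32 wrappers reach, added so a loader that resolves ntdll directly still matches.

```python
"""Ordered-subsequence matcher for a process-hollowing API chain, run over the
resolved-API list a sandbox records. Added example for this report; the
constructed input below is the tail of the API list above, nothing else here
comes from the report."""
from typing import List, Optional, Sequence

# Constructed input: the last entries of the resolved-API list above, in order.
SAMPLE_APIS = [
    "kernel32.dll.CopyFileExW",
    "kernel32.dll.IsDebuggerPresent",
    "kernel32.dll.CreateFileW",
    "kernel32.dll.ReadFile",
    "advapi32.dll.CreateProcessAsUserW",
    "cryptsp.dll.CryptGetDefaultProviderW",
    "ole32.dll.CoCreateGuid",
    "kernel32.dll.GetThreadContext",
    "kernel32.dll.ReadProcessMemory",
    "kernel32.dll.VirtualAllocEx",
    "kernel32.dll.WriteProcessMemory",
    "kernel32.dll.SetThreadContext",
    "kernel32.dll.ResumeThread",
]

# One step per line; any name in the set satisfies the step. The Nt* variants
# are the native calls the kernel32 wrappers end up in, so a loader that
# resolves ntdll directly still matches.
HOLLOWING_CHAIN: List[frozenset] = [
    frozenset({"kernel32.dll.CreateProcessW", "kernel32.dll.CreateProcessA",
               "kernel32.dll.CreateProcessInternalW",
               "advapi32.dll.CreateProcessAsUserW"}),
    frozenset({"kernel32.dll.GetThreadContext", "ntdll.dll.NtGetContextThread"}),
    frozenset({"kernel32.dll.VirtualAllocEx", "ntdll.dll.NtAllocateVirtualMemory"}),
    frozenset({"kernel32.dll.WriteProcessMemory", "ntdll.dll.NtWriteVirtualMemory"}),
    frozenset({"kernel32.dll.SetThreadContext", "ntdll.dll.NtSetContextThread"}),
    frozenset({"kernel32.dll.ResumeThread", "ntdll.dll.NtResumeThread"}),
]


def match_chain(apis: Sequence[str], chain: Sequence[frozenset] = HOLLOWING_CHAIN,
                window: Optional[int] = None) -> Optional[List[int]]:
    """Return the indices at which the chain's steps occur, in order, or None.

    Every occurrence of the first step is tried as a start, then the later
    steps are matched greedily; `window` caps the index distance between the
    first and last step so a chain spread over thousands of unrelated entries
    is not reported.
    """
    for start, name in enumerate(apis):
        if name not in chain[0]:
            continue
        hits, step = [start], 1
        for i in range(start + 1, len(apis)):
            if step == len(chain):
                break
            if apis[i] in chain[step]:
                hits.append(i)
                step += 1
        if step == len(chain) and (window is None or hits[-1] - hits[0] <= window):
            return hits
    return None


def matched_names(apis: Sequence[str], hits: Optional[List[int]]) -> List[str]:
    """The API names behind a match, for the report or alert text."""
    return [apis[i] for i in hits] if hits else []


if __name__ == "__main__":
    found = match_chain(SAMPLE_APIS)
    print("hollowing chain:", matched_names(SAMPLE_APIS, found))
```

Run stand-alone it prints the six matched names. The `window` argument is the knob that trades recall for precision: a tight window misses a loader that interleaves the chain with noise calls, a loose one fires on a legitimate debugger or installer that happens to touch all six APIs over its lifetime.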
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"
cmd.exe /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Louise\AppData\Roaming\application.exe"
cmd.exe /c, "C:\Users\Louise\AppData\Roaming\application.exe"
"C:\Users\Louise\AppData\Roaming\application.exe"
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
C:\Windows\system32\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"
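
The command lines above show the full staging-and-persistence chain: the dropper copies itself from the user's Temp directory to %APPDATA%\application.exe, launches that copy, and registers it under HKCU\...\CurrentVersion\Run as the value "applicat", then spawns InstallUtil.exe with no arguments. The triage script below is an added example, not part of the report; it parses command lines of this shape, de-duplicates the pairs the sandbox logs (bare `cmd.exe` and the full path), and links a copy into a user-writable directory to the Run-key value that points at its destination, which is the artifact to hunt for on other hosts. The sample lines are a constructed copy of the distinct commands above; the list of proxy-host executables it flags is an assumption of the example.

```python
"""Triage a sandbox process tree's command lines for staging and persistence.
Added example; only the sample lines are taken from the report above."""
import re
from typing import Dict, List, Tuple

# Constructed input: the distinct command lines the report records above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"',
    r'cmd.exe /c copy "C:\Users\Louise\AppData\Local\Temp\Money gram.exe" "C:\Users\Louise\AppData\Roaming\application.exe"',
    r'"C:\Windows\System32\cmd.exe" /c, "C:\Users\Louise\AppData\Roaming\application.exe"',
    r'"C:\Users\Louise\AppData\Roaming\application.exe"',
    r'"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
    r'C:\Windows\system32\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "applicat" /t REG_SZ /d "C:\Users\Louise\AppData\Roaming\application.exe"',
]

ARG = r'(?:"([^"]*)"|(\S+))'  # one quoted or bare argument; two capture groups


def _arg(m: "re.Match", g: int) -> str:
    """Whichever alternative of an ARG group (quoted at g, bare at g+1) matched."""
    return m.group(g) if m.group(g) is not None else m.group(g + 1)


COPY_RE = re.compile(r"\bcopy\s+" + ARG + r"\s+" + ARG, re.IGNORECASE)
REG_ADD_RE = re.compile(r"\bREG\s+ADD\s+" + ARG, re.IGNORECASE)
REG_V_RE = re.compile(r"\s/v\s+" + ARG, re.IGNORECASE)
REG_D_RE = re.compile(r"\s/d\s+" + ARG, re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
# Assumed list of signed .NET hosts that loaders commonly run or hollow; a bare
# invocation with no arguments is the odd shape worth flagging.
HOST_RE = re.compile(r"\\(InstallUtil|RegAsm|RegSvcs|MSBuild|AppLaunch)\.exe\b", re.IGNORECASE)


def triage_cmdlines(lines: List[str]) -> Dict[str, list]:
    """Extract (src, dst) copies, Run-key writes and proxy hosts, de-duplicated.

    Sandboxes often log the same command twice (bare `cmd.exe` and the full
    path), so results are collected in sets and returned sorted.
    """
    copies, run_keys, hosts = set(), set(), set()
    for line in lines:
        m = COPY_RE.search(line)
        if m:
            copies.add((_arg(m, 1), _arg(m, 3)))
        m = REG_ADD_RE.search(line)
        if m:
            key = _arg(m, 1)
            v, d = REG_V_RE.search(line), REG_D_RE.search(line)
            if RUN_KEY_RE.search(key) and v and d:
                run_keys.add((key, _arg(v, 1), _arg(d, 1)))
        m = HOST_RE.search(line)
        if m:
            hosts.add(m.group(1))
    return {"copies": sorted(copies), "run_keys": sorted(run_keys), "hosts": sorted(hosts)}


def persisted_copies(result: Dict[str, list]) -> List[Tuple[str, str]]:
    """Copies into a user-writable directory whose destination is then
    registered under a Run key: the staged-then-persisted chain to hunt for."""
    run_data = {data.lower() for _, _, data in result["run_keys"]}
    return [(src, dst) for src, dst in result["copies"]
            if USER_WRITABLE_RE.search(dst) and dst.lower() in run_data]


if __name__ == "__main__":
    res = triage_cmdlines(SAMPLE_CMDLINES)
    for src, dst in persisted_copies(res):
        print(f"persisted: {src} -> {dst}")
    print("run keys:", res["run_keys"])
    print("hosts:", res["hosts"])
```

The Run-key write lands in HKCU, so it needs no elevation (the manifest further down requests only asInvoker) and survives a reboot for that user; the value name "applicat" and the %APPDATA%\application.exe path are the two host-side indicators this chain leaves behind.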

BinGraph

(graph image omitted from this text copy; rendered as SVG with Matplotlib v3.3.0 on 2020-10-18T07:13:30)

PE Information

Image Base: 0x00400000
Entry Point: 0x004b328e
Reported Checksum: 0x00000000
Actual Checksum: 0x000e0088
Minimum OS Version: 4.0
Compile Time: 2006-07-18 14:10:00
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Icon: (image omitted from this text copy)
Icon Exact Hash: f2a78c80f8c0d0e79d7020ab19dd48b0
Icon Similarity Hash: 0ed104e261113f9d0ce3d16c7d60e4bc

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x000b1294 0x000b1400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.29
.rsrc 0x000b1600 0x000b4000 0x0002805a 0x00028200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.96
.reloc 0x000d9800 0x000de000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000db5d8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.10 None
RT_ICON 0x000db5d8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.10 None
RT_ICON 0x000db5d8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.10 None
RT_ICON 0x000db5d8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.10 None
RT_ICON 0x000db5d8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.10 None
RT_ICON 0x000db5d8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.10 None
RT_ICON 0x000db5d8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.10 None
RT_ICON 0x000db5d8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.10 None
RT_GROUP_ICON 0x000dba40 0x00000076 LANG_NEUTRAL SUBLANG_NEUTRAL 3.15 None
RT_VERSION 0x000dbab8 0x000003b8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.58 None
RT_MANIFEST 0x000dbe70 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports
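
The Imports table is empty in this copy of the report, but the strings section further down shows the only native import a managed executable has, `_CorExeMain` from `mscoree.dll`, and the PE Information table gives the import hash f34d5f2d4577ed6d9ceec516c1f5a744. The script below is an added example, not the report's or pefile's own code: it reimplements the pefile import-hash algorithm over an import list to show that this value is the generic one every .NET executable shares, so it cannot be used to pivot to related samples (the icon hashes, the resource name and the obfuscated assembly attributes below are better pivots). Ordinal handling is simplified to `ordN`, as the code comment notes.

```python
"""Compute a pefile-style import hash from an import list and compare it with
the value the report gives. Added example, not the report's own code."""
import hashlib
from typing import Iterable, List, Tuple, Union

# pefile strips these extensions from the module name before hashing.
_STRIP = (".dll", ".ocx", ".sys")


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """imports: (module, function name or ordinal) pairs in import-table order.

    Simplification (assumption of this example): pefile resolves ordinals of
    oleaut32, ws2_32 and wsock32 to names through a lookup table; here every
    ordinal import becomes 'ordN'.
    """
    parts: List[str] = []
    for module, func in imports:
        mod = module.lower()
        for ext in _STRIP:
            if mod.endswith(ext):
                mod = mod[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{mod}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# The one import the strings section shows for this sample.
DOTNET_ONLY_IMPORT = [("mscoree.dll", "_CorExeMain")]
# Value from the PE Information table above.
REPORTED_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def is_generic_dotnet_imphash(h: str) -> bool:
    """True when `h` is the import hash of a PE whose only import is
    mscoree!_CorExeMain, i.e. any .NET executable."""
    return h.lower() == imphash(DOTNET_ONLY_IMPORT)


if __name__ == "__main__":
    print("computed :", imphash(DOTNET_ONLY_IMPORT))
    print("reported :", REPORTED_IMPHASH)
    print("generic .NET imphash:", is_generic_dotnet_imphash(REPORTED_IMPHASH))
```

A native loader with even a handful of kernel32 imports gives a different, sample-family-specific hash; for managed samples the signal has to come from elsewhere in the report.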


Assembly Information

Name K^b6/
Version 1.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0
Microsoft.VisualBasic 10.0.0.0
System 4.0.0.0
PresentationFramework 4.0.0.0
System.Core 4.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute [email protected]?EH53>D2JH<8>
Assembly [mscorlib]System.Reflection.AssemblyDescriptionAttribute JH333A2F<=9D9H
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute [email protected]?FAD
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute [email protected]?EH53>D2JH<8>
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright © 2012 [email protected]?FAD
Assembly [mscorlib]System.Reflection.AssemblyTrademarkAttribute oP/8_z2QK5+y~e7B4)HjX1s
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 7.11.15.
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Settin

Type References

Assembly Type Name
mscorlib System.Object
Microsoft.VisualBasic Microsoft.VisualBasic.Devices.Computer
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.User
Microsoft.VisualBasic Microsoft.VisualBasic.Logging.Log
mscorlib System.Collections.Hashtable
mscorlib System.Type
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System System.Configuration.ApplicationSettingsBase
PresentationFramework System.Windows.Application
mscorlib System.Reflection.Assembly
mscorlib System.Reflection.MethodInfo
mscorlib System.Security.Cryptography.ICryptoTransform
mscorlib System.Version
PresentationFramework System.Windows.Controls.Page
mscorlib System.Collections.Generic.IComparer`1
mscorlib System.Reflection.FieldInfo
mscorlib System.Runtime.Serialization.ISerializable
mscorlib System.Runtime.Serialization.SerializationInfo
mscorlib System.Runtime.Serialization.StreamingContext
mscorlib System.IO.MemoryStream
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.AssemblyInfo
mscorlib System.ValueType
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
PresentationFramework System.Windows.ThemeInfoAttribute
PresentationFramework System.Windows.ResourceDictionaryLocation
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
PresentationFramework System.Windows.Window
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.StandardModuleAttribute
Microsoft.VisualBasic Microsoft.VisualBasic.HideModuleNameAttribute
System System.CodeDom.Compiler.GeneratedCodeAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.ThreadStaticAttribute
mscorlib System.Diagnostics.DebuggerHiddenAttribute
Microsoft.VisualBasic Microsoft.VisualBasic.MyGroupCollectionAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
System System.ComponentModel.Design.HelpKeywordAttribute
mscorlib System.STAThreadAttribute
mscorlib System.Diagnostics.DebuggerBrowsableAttribute
mscorlib System.Diagnostics.DebuggerBrowsableState
mscorlib System.Runtime.ConstrainedExecution.ReliabilityContractAttribute
mscorlib System.Runtime.ConstrainedExecution.Consistency
mscorlib System.Runtime.ConstrainedExecution.Cer
mscorlib System.UIntPtr
mscorlib System.IntPtr
mscorlib System.Activator
mscorlib System.RuntimeTypeHandle
mscorlib System.InvalidOperationException
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
System System.Configuration.SettingsBase
mscorlib System.Collections.Generic.IEnumerator`1
mscorlib System.Reflection.TypeInfo
mscorlib System.String
mscorlib System.Collections.Generic.IEnumerable`1
System.Core System.Linq.ParallelEnumerable
System.Core System.Linq.ParallelQuery`1
mscorlib System.Reflection.MemberInfo
mscorlib System.Collections.IEnumerator
mscorlib System.IDisposable
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.ProjectData
mscorlib System.Exception
mscorlib System.Reflection.MethodBase
mscorlib System.Security.Cryptography.Rijndael
mscorlib System.Byte
mscorlib System.Array
mscorlib System.RuntimeFieldHandle
mscorlib System.Security.Cryptography.SymmetricAlgorithm
mscorlib System.Security.Cryptography.CryptoStream
mscorlib System.IO.Stream
mscorlib System.Security.Cryptography.CryptoStreamMode
mscorlib System.GC

Strings

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
!X(!)=
Rl\2o
)biQk
Qq_Iq
Us!;m)i
.gQiL
fJ;O/
5ytUo
]Cv~k
S`4Dv
wv^wa
_\z9T7,
QTdwO
snJ%A
@Ya54y?
o(HO*
)I{KzQ
fx#N|
&;pbx
c'YJ2
FZw]MUs
q{gi7
_S}i1g
[9Et8
}~Ye?/
Y3VDT
b4?6L*
p,-3
.`#qx
i=Tz|
Yv%e;-
fr7&k
:)pt_
0ZxI2:L&9
,.oKy
`z\pZ
KJoCH
~.< ]
UX?\k6
I9|$L
i](?*
9Q.1H>
IR4>&
nL)<,
6,6+y"
S-WKOfk
"FOD8
^Ik:y
fIZHB
lT$8)
^ymvqW
AU~|T
U2N\5
%I2H;
!SS.I
W^IT{.
Jk>H|
l:Tc(GN
3||zl+
QvE>]
0!sQdA
S6p^T
_AzcH!
JV9+e
m-ObN
:Ew[2Ka
H_N|s
;PEO2
0FrW5
hy_3I
al7"Y
4?zJ:l
81!=\
'd(4V
NC[;7
<hRg?j
<B(.^
}ONFi
&na+F
@Q0SW
VjG{e
&"[Eb/
Fy2sking
$UZaY
'h+[W
l#3rQ6
RN=>C
]+Y>4
we*%x
'#n:[
_Jg}?5
&FEr`
{b3hNLUW
;U4%]
pR]{0
S6;KJ
Iy`KV
yI{6s
5iVMJ
7+xjO
,pt($,
ko[EA
&+YQ.t
d_R%k
6'=(E0
"<$:{O;
:P!op
$nHg)c
(?+sa^
e>|;A
s9SvK^A
m9 (FO
/[_b[a
pjlC#
c'&_B
xdkq;
14?U9K
UQ;ox
0_0v3
q<O`K>r
nv7C!
4-{X0O
3]ODi
<LR0V
4&Qfp
{QQj*\O
FQ1C=
dP"t8
)SZ:k
i`b<(
[s==s
j-{O[]
v'e3`
4=)M4
ZfQVV}0W
n{^5J9
0O|Fl
4aaV-
(lE`S
S#,mV
JL(6]
RKTh~
Ebt;4
%rV*4g
"##AjM
Kp~yH
U?| D
Vgl9d
r6956Y
G:lmXC
:XV\8#
#P^1eX
,yi9l}
Nm+1ry
(9EmQ
[m9b|
~y;_!
kZw2ug
NTztb
MvG7>]
H<Bmp
;:'[QZ
RMbU1
.W U6
uI-kXo
d"o+{w
"~SL1
Tt8?>
)C;%9^
T]7;v
L~!c^
)e7Wa
zTi+p\
l+sj0
XDeEj{
JezL]
1IM&x%x
2E6P|
@\iEx|L
%V/?Z
=DKy-
5F#/40
htw$q
%G|<[
Q^Kk)9`6
|k-BZP
azh<`s
6vR~'
vVkzm
>H0-9
X^1k0
:MV>z
Y$D37
CQ Z_
me{#@&-
s'1Ip<
x?yIyM
cg[f;
aH3I.T
!3N{)
vFN ^
&dV\m
~#{)?
561D%
Amo'k>
b&C>C
Zf"H-h
=dZbx
7Noq|
V;N2M
j)J*hk
]W[@9
@vDc_
y9e_/{F
_9^wWp
JfoHg
cx1e_
C&7:L
I$v}L
A50"G
4n_(0
l\LIO
Qx20?
RRn_NzS
#@@v.
!]Q\l
P6'iF
9m{f^
YT%34=
8k sf
xEC|)
OgwwA
u!r3.
g}_wa
<f"q](
Kc'L\_
j$J!F
:GqS0
0[dcD
dJ[#Gl
U%f32
a^o.;
!Vm[6
7-(4S
}s<dS
-}+;N
w<[8o
U5T0M
k5kgH
VLSb6
``fi>
9b;D[
I,UebKa
IWc^f
^Rnl
ZX^(0
J7{#\V
Y&4IZa&*6
>c;=*Z;
U&bqq
66*5f
$AK*{
ZhIvr
?`j00G
[_YAy
*hHE9\
!`/\?
ifGFf
6j;4
Fj]KS+
i0PN5e
noHgtV
lnLD#
r^1-o!r[
[i,+P
WusI'
n41%>
e6Xh5=
/*q8s
9ym&:
Z-EG
$^FJ#b
|5,ZXD
NCwH8
wgu\%
}$9\u
:<o>=
{*4on
bQ!Cg
vr|u]
h/:NeJ
Nwn5w
SeOe1
"bb+:
9=AH'n
uxJAC7
{43/H#
$m$Tu
JMl?U'
MNLg,
|t.kg
Qc#EB
YB-7C
HP%Nm
JhIMtv
n>DQ-5
p!!sD:
\|{r#_{c
%_Z}i
dbUTE
"e0I^
5!ay,"@
cVfU[
R!~U*v
nQ;hZ
GQ48[\6
GW5cIH
j|_|[
a[w:5Ld
jT<&=
;4wB3
Slw1v
>1x9v
o]i;=
ipe["
%%(J]
]sI"gq
?JIJM
h}6Nv
S*.+ouP
>HS7S
V^IT4T
5B<J"
18Ab?
0Q[eJ]
-PV+J
V1`Iz
(W/+K
5g [*
O RRx
)>r]-L
^l~L0
X>_{][
ZL}zz
zgqc)
A2,U|q;
9tMXy
5.4xY
6.Qo*Ys
od"l_aN-
|?Xz`
Xz8npF#jv
bvlF8
Vp05"L
JzE_p
)A['nr
NXjKjW
Y<y1Z
^GF\G
cRR7b
D ~_Nr6
XOXWhp^.
-v~*n
KPhYn
DuW+\|
mxj5a
I\^N[
zF9>D
Zb"3u
nP{VG
}P*DE/
(a|Wb"
fbUb
:!vk`Z
*vT <
|nu?[
?EN|Z
Aw{Flw^
5sr)1y
<4g>*
L"@nF
#cv$[
SoYKw
\-\+>
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
A&Wl<
goP>a
oFoEuz<
1IFrY
]i^N)O8=
3*G|i%
R8p[}d
L#SC4
[?d=f8q
#k[rc
=YD<a
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
*x<@{'k
e!W\^
8G:3Z
PqkuA^
P2{:pZ[
i~2 k[
zNKIh
AJ&"A
uK6%y
S'`"E*F
_5iC^B'B
A8gZ(
|"7N|
uAtL5_kmC
Ym>G|
C{KQ<
q9_IN
;X14R
o2]}\
o}ZPd
M[R?]
~dPTm
qdu3[
@?-5Q
p\mH-b
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
=lgGQ
kHvS1
h%<5]
9.BF9k
svH6E
0(\r_
HMAqUL/
.Y7?{
@Ly.p
x t&C>
&G|/i
2!}ue
Cr]pb
nDg6z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
r 62w
,SLkl\
3 Wnvy
}T%#%#
;wWoe
rm,QK
_mi)IS
,{"S6w
iY/zn
\hV-*$
Xq:.S
=ra%>
WHLRK
:$]oe
5G5R>
;Nt?V
b>GC T
Qp8ZM
%x+#b
|u=YtX
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
6CLp>
e<s0+
(' '`
JUmiVL
Q{&'z
DL6"6
3?s8Mm
k6IOG
D)/lLLc
{1%#l:
ou~Qg
1o,}J#
Z+"Zt
wdxtAL
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z<i}1
;Uq-t
_ls:F
bF)_Y
?+ag!\
e9]NE
.i7^
1/!)@
Jf'C_~
%+ :<
~Gb0e
U2;1&
07\L'^
0!P7*E
u|.&1
pb^[ox
T::l2
F1Fm#
.,0e2
T N`d
152"}j
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
<vEMDb.=
Z>y70
myki)
d`eMH
V]"k.SU>@
kMg;`
OthdJ
5~K`\
GYlG^
"3>~8
oN%Kf
[vDZ.
|PaN-
"U7QWM
yos<4F
mS)$[ l
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
1[OE\'
^Ts(p
<>p*?
^-XWS
!%!AG
\C4s$K
8O}a`
yO{qB
Z.Pu/9#
xEU>fJ
b\" 4%
B5k"R
)[Z-8#x
lyjlk`p
F""{C
gE\\k
VJKE:
e4aa5
A<+.e
jB#e4Kx
n7e*e
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
aFUfc7
O1JtpcGn
=#1;B'
@lzV|
Ul+99
{]Xi"/=I
>Q,_zU
M'<BC8t
V#7yU
_K+lt
tk1)x<
`.[BX
IXRGk
JF&EK
T7$PK~k
.}E,X
R?w-)
$"D{&
\E)o_Q#
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
FQa+X
G.y`@I
"?R'gi
)i\b-
WY7Yv
pf_n+
/M5-N
} Kxa
"Sl;l]
o'iL9
?t7w>
w(x\]
7s?bf
0^cn$
4_6{kr
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
1OU?rZ
SkFiaR
-8a?^
t^F}(W
*i-=eC="jfc)Y
u8*=N
X..rz
QwP6r5
]Q.Iu
dY2Lw
)v}%Ew0
LB4Q)
FKayA
,rWW.b"
i^a_l1
:>c8(
B!1OI)T
`iJsT
e47I1
o(N[l
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
4|"~zY"{
E?JZ&
*=6.j
G$sq r
"pC}C
~F?tz
1q6XSJ
MS`,6+
tJOz#3
lx2.U
;h;fRy
G?/=JT
!\o[g
Wb"a#
34T%Nm
5\};#V
o9;|*
(Z[NDt
fi]*^-6
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
@t,#*%:
[M;_W
lzO1C
=L.{J
o2L#@
$m's7
=R zh8
=fc(I'5B
`N|UM
o7X*kHk4w
0F0!*
Fr.Hi
1IN7l
Ai~o~Cv
O$/~p
1F"\b
Dl+D>
B?\.d$_'/
sI?18
30H%(
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
#K[ExW
!zTxr!
Jmom.
l?$}%
m6L%s
b~w^F
>!XV*>(|
J2s}UH3>
/}h,<Q
;!F &
yGbAU
CpA+ZT6
P"RnI
#2UQg
7{)o|
9;yuG
LAg)#
8vA9:'Bc}
pg?R
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
o)ad2
tB*W}@
}b[L]*V
,`Jb-
u xq<hP
NOdx4]
JJ;t]
4ocsAU
Ip9^D('{J
XG)SF
p&_5w
gbp%8
ThI*f
&&gNa
Dj!1p
%.2kE
vmXut
O2x8v
+SwH~
lebg>
rr<+a
;ew`~*~
q:-fp
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
tL.Y;
*8:WxrG
ZOwnw
;p|X'<Q
o.D5k
3>w*30
TNstt
o;|(y
exM%?>
Zh/J7
)dJAy
:P[J4
ZQE3\
1E4fd
^6CT^
t`k8(
D>'-uz=
8n}Vz
^]V'M
TY}|!
5_;j#
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
@@!Xh
"Tav>
n(N$K
MkNcB*
dC[_s
a?+obYUx
59,#y
QC#3B
5fj<t
+6Rp78w
B8AE.!c
^6CT^
u*85u
YR%F$
`K?c/{A
PCK[,
tm-%aV(B
UN-p#H
YwS(`
_Uk(+
%Q1Z%
As^{V
#qZog>
DX;.3iZ,
*66fwX6
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
L1X0 l
MF>C&
I}[9.
+['q,
V;5[?
,BO[2
*54=U7
e|$;t
,R[_s
%b=ZN
.B_p3x
6,9x'
M2P'J
S6.f60
g[Ky)
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
.._7x
Z<s1t
2D==O
_]7eMk
rU fc
:t&9Xp
#TLON
[%>'w
~_Gh1
0<W`Q
c>/!=Uj
oIs5+
S51 }
K5$Xyq&VU
7]B\.
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
$veZ.
M)`aV
'K$D:
;{tQAT.
_pZ!O
(si(x
zY-$
O&46Q
Wv3j%
O}cGH
-#/:l
4O;7_
:Y*5t3
7]FN D
E|\j%
.FE4)
Ob.#f
KlX,X
Z=|WM
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
7Bf)t
LK,&/n
KP{CkOx
"~rWL
zn>bnKQ2LR
Zg{nZ
"h5VM
W?f}h
f-hP=
NA$O`
~4-jd
&\|s|
g--3#
eiB|(
\Mb9ge
mrI]z
<|z @v
R`wS_
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
;zF:\
";"|G
\jvK-wI$
A$3cb
?-g-f
^v:*#
kZY\'*
8Xuoiz
+F]wmsQ
;=V}S
zR=eJ
7n&lA
O(7,`c
a/{_xVh
|LAvHPq*F
P"L.{
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
/nl9<'_
1rd0M
ecqQ:>
^/+%P
7[wCM0
@4k%Mk
)r+DYn
zm%)|
KKV|
A~btT
A>`/j|^C?u
lWsmI
Mng|I
($EFJ?L
QAHvp
Y7N&=
YqSgi
dxq5]
|gGnX
sQzU<
q/-8IE
vM=T),k
El*@9
q]P:PJs
-VCql
ofHb(
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
nM{jMg57s}lzY
`O;$:
z`_8H
&,,X6
%K}>kHy
Ol`5)
iWlss
rCNlQGN
+s-eb
2DZ-g;#Z
}!V~)%w
])b^B
G"U[Y
!OK&~a
h:jNJC
C/Pla
g>*/U90
#sKP {
d#Q}]U
a'G+^x
7G<C
~l"1Sm9
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
\,c*"
:/e;z
YT)!f
.Nn3<H
WyM+mA
'b%K8
~T.3#
fe{YX
F0F_&
'oPf$
e -KR
9d!?_
+3=3vr
.*;V76
xK;Z-
<rP\,
nW_6<F
&`hk`;
S_!><
c>0OAWN
5Ji;.4
]j/#E
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
K6VnU(
?G431
#<_id
8[lk`
%f?eG
T^vD*
9\'r:
!hf`Y
^3Gkh4
NWl!%ix
u54q}
5eDS{
ZeRjr
8N;:W
b/|iY
_^=dD
5B1wE
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
8{0 9,
K~g S2
y+5|v
+=QPA
o~cM8p
kSHP?3d
,,^.c
&$\g]B
f~Kw7
^:JAU
hh+y?
Bu1W#
L.-Z7Z
K_ZQz
w/Z%<e
h4*FyT|R0ZW
?x ^_0
^(Ah;
89c.%
[m!='
nezs%
h2$#(
;#j`EwkH
M5usu_
YdgNu
$O.L3c
-CEK;
.t%d,
NKGer{,
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
ILl.h^fh
7Zt}`+
;2Jhku
$\hSj
A;"ua
zzwYpO
mvwohA
;#j`EwkH
^3Gkh4
00{h#ME
<2Eq-
l;#j`EwkH
^3Gkh4
6)P;}w
;\{Xl
&q1gh
`EqCi
8`C'rM
i$r&KB
gXAn_
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
"n)dl
zFUqsl
2LLZVZ7U
m%)l!^
<2-u=P
-dV${o
<2dk}nH
(f=\f
%x=Fz
E8aR,
v{X2J
a7.W)
Zl;tJ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
*iBp\
9\-5B
2QVlGz
ciBjK-
m^p(q
{Vi-3FV
Fj1<}y&7
x1tXJGX
D!i>{_
%1(Ip
#PSYE
Zj{(l|ooN
ZjGxY
*wzG&a
|.<hT
P O|-
PkCTJ
J^bI#
@>VdD
%O#:)
vrWhR
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
4UoFp
jQme`
:g8F1
z}iXN
'4"Zh
9~S+:
&&7R3
:|12vO$.
IZ/GvI>
$UrsA
+=dBv
5Oh:/L:
%lN a)[
3Pv9C
=3{M4
1y+a]j}w
eFAL$R
P$26a
&Y~tY
K]F w
m(ByK
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Zc5bj
7,$T&B.Xi
sJz]
!!B,$
BH}:v
C=r/t
N]#\f
Wn.KL
~2cUN
zI23y
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
w#2W$
X#U#r
+/Knt
klkw &
2(k%q
6[+;f
B&;tpZg
fK);rm 3I
aJ4\1
.-H.&Oyn(
fg:)Ud
HAIX9
`C{o(
D:X.5?x
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
&ye6e..
A[E|u
~|tcJ
FASV#]
DBy|)`=G
!dt9+
IaC>H
8Pn_1
/r]NE
*;]W;
|E^hR:
NdAaZ
-y\wfh!
!'Si0G]
89apW
5.Jsv
TuJ35
2HA7>
'?j$O
"?sODm
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Q2&|@
nuE;k
RwynX4^
&Vz6|
Vi6hbA"|
pC$jv
[N>|W
xP88:
tOndh
>KYd)z
n,,lkh3
"#F$V
-{z7u8
xJb=m
Z)ae/l
Np{<D
m1LpEp0yu
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Gq50i
8<0lIq
6y~);
}|ENZ
N&vSN
rH2l?
c2Nqn
Quu~clkD
gI$Ub
hxXz_{
\N]yT#
un.IhaBy`Z
giYlAO6
XU~p*;
f!A+/
:Ll0Sm
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
_:gx0
M(vGOJ
9^*iQp
p|pp\QC
y+s^
?(4dg
AUK*azUU
It%g;
7{cR_.
nfh,}
L<I.O
jPGk#
nlb{D
MT^3s
;eT>:
M>Ay:
b>oLy
G'Jwjl
yw-DcO
cxADi
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
1?mI`
7P5M\@
Kr?o+;U"Y
vgzs*
c;7AI
GQmE~
GVy,,<
NR(\V
|NR!D
iZm'j
EU2Ji0
|}a~p"'
3qED\
tBU[!
$jbwa
DotdW
t,,q7
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
q#wW6
M[LZ`G
p]vS9
>RaZ+\#
L&i"/
`rVV>[
8Tpkga0,
gYKT6
Z4!zB
3)3fC
6+^iQ[
(f\G|
FqDv$H
1{>#<6
eu,V.
|4*"x
P8]C/
oXi8f
xjxr38VaTh
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
[==X[gu
b~X'!`tz
<)wx9<
06wsq
4 '5q
c&21-u
Fz ^!
e83S*
Rv3,
qIumeZ
o]mGKd
q1/S=
>CsTn
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
rx{/7n
yPV#gY
mCpUV?
@OER!Z
20e0%
.Mx(C
L64[q
G{?H!
BK5dc
aWrZW
#fK|'*
|!YgN
:p68a
8~F>km
z$]!>{
AmF>~
%|z$=
%({.]
e`Pt[}
j%q..
SJj_1
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
kAowU
H]=vk
Jmom.
l?$}%
*t~0EL
lbZsC
Zzs1\&
0&_"!b
s}K+
m^p(q
k/` 'P`:w
4^@yQ
Y7o?^
oBX7"
8mcW{
}Cj?g
46EA2
\>93^
^3.Im
VcJ\~
vnKPZ
g]_=>
At';i
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
qu^_[
TX*TZ
;'dTXS
M~_'t
7uw[,6y
5PVKw
nJMvg
(f QA
/2a%M
\feU2
b<h,#
ba?gf
Tnt[t
L)$A]{
E:trd
{)2$^
CCV\svc
M+2t6
dDhQYK
wb<*>
>#_O_a
bss5C
iNP?L
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
lv;Ci
`sRp!jtK
OhBIU
aytCH
H*#Vl*
"$dII
YD&_q.2
JH++J
{fe;(
IK1MA
.3uk>
{w+D++o
!_ 3>
JH++J
>?M"T
qu^_[
p,kJ
mK3A6
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
KR-Q5-
LJbP~
R~}*o
d\4:)
mD\\)
tR:C&S
+r?R/a
\pR/]
4u Ym
mx*OCa
U!)#O
|dk*&
k^O2H
,v[i2l-
!w9;U
y1X6[z
0GHo`C
pRZQ0"
]>c0A
Pk:gDQ
aN$U~
Bbm<?
gjL ?!
bP;]t
REZ<GHS
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
&u+%M
L}O.m
f/-EE
ss7,[
Te%Tm)
H]NL=
1SO6-w[j
dDQHI
IN3-t;
8`\Q'
@$PORz
~06ff
W,NQU~
[@(o(
(Ps;)
ZrTD
"Pg'%
:z$aX
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Kh{x~{
4U,Ju#
b+JX'
w#DU=7
v6){%
b7r-~e
%FQUI
_t=3p
RS>N^
Up;Ij 3
%DS3W
NC$>,
*P22X
<U]m?
K~UI=bp
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
o ePz
|UD5A
Xi)wN
V7b5I.
'h8FO
~J8$|
]>A]Y
4D)Jrw
wDI;`
|K<!V
e[Y=!
z_Y,p6
pP-R(
wr/Y:
BAn(!
@ZgAwS
7~44uJ
wZ;;)N
{24VY
7[y{l
KRuu.9
~^f3g3
!xL%)"6
?U_,_`-
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
SH$"5
C|^&
0)-uRr
l.v,4
NWQ }
X_?5)
IG4DH>
IVs3+
BS%Hv
O ~~[
-=Eo7
GVBg5
<vOa>|
D\SuP
z!;2J
e+U7J:
4j)IU
#}p=S
TGIW|0
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Y?Qb0
;C~Ym
&Phsq
d~:A*%
Er4xc
Ki4Q6
62yAwE
'j"1TT
]@CZ|
&LcQyIv
Iq4XF
yIK!o
SbgV5
]V_Md
gU.HS
oD'\*
/IPo }
Y)J J(
y(NK7aG
HZj'*d}
BX5I0
!#>01
xpo46
:]_z"]z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
a1sJH
]VDe0
xp\uh
)g:G^?
%wS|G
Xt^Wck
'P8J`p]
#+.Kx
>7Iy;
b85,tgXh
P5[,_e
=3r!.
_(Omx
{*3pT
(1k54
q5}-1
Wm[#IMx
4gI|m
s#NsL_e
@.fE,
ZJ/E|~
Xl-0Q
0"$J>`\
5t9yO]
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
"bJ:k
5zH,>
%dab%d
A[YZJ
L9G.F
KJ20{
K,#!/
:-?kg
#l?|d2<Y
41gi+
"zUOP}
]!t+1`
%W%Ug+
wW}mk
"357S-
BO?E8
:;*+n
mVFUb
RAtv"
t%}Bs-&a
M_+F7
|5F`i
`.$;]
s.oD`s.
Gt8pr
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
PKQWW9>
1-%aN
,!%MM
*ni#E
F1Vf-
XRrob
[/o[O
zro"Q
TK.qy
7`5fR
A5Dx*
Cf/RR
nH~Chy
-zXL}{
s-(pZ(
4/G~p+
F>.ET
|S&D,
51K/s
-e]Ai;
l-xyL
3N1^m
uco*0
1]9}B
dImEIK1
ij{a0
|%c|}
1|rK&
B?g4}
a-gVj
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Xw2pa
H'UBw|
>(kdD
wwEnFs
=[D"J
nv?[C
rE&(x
5~IK6
W-9!5
`)|K+z
vs Sm
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
U]X=p
FVtOa
_Gv bd]
99`iK
;9sq&pJ
Pmk*vcH'
Ot|D}LR
; [dg
r S_?
*a6OB
^d[I<
1MU$Y
7SoW#
r5!Q&
r\"vD
4xiUA
V[-dQ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
u#)V|
@I'yoGyC
f<3e'
ufFn`
qqI.*
s23!q
!N%-2
vkmYh_
Lr((w
q(d`{
FhM`]t
,"*d,O
y]|aHo_
a\O#<
y]|aH
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
RmHv:
*|R(2,Dx
6<O1/L}h.
E"V}|*
'"n$b57
F&v.-
u$zs*
_huk{
w6W*$
ypUfL)$
<CO48)
h,[:V:
'rB!Q
We|T}
p^DI[
ndR|7
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
kO0"Q${xk
B&n6m?
j2WCEY
5;7KFl
\J9Nes
o2*_i
wp5d.
F>HWs
s2o+K(
YDO_{
hsse{$
]#pZ3
F<Lb-
{/&y~
b)e6Y
xi4(.
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
%mh%tp(t
l#\jg
0vWNV
6\Plb
w_L9U!vT%
?3-`Z
EhBD[D;tU^,
Ddw#r
fS9?>;
jJ`Yz";
cDa.:
Gd`8Z
rP9#gq
'["{W
_;ykcE
y63Vs0
K'(W2$
(h(Yy
G;j zd
,t%Qk
C{PKP}{
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
7KE)d9F
c\:]K
?B3YM"dI
5"L\S
^VX_4
&c+hJ
O=K&Z
zq\OH
ZYN?b
p]@{oc
^GXUA
%_M/^V
3j.!Q
Ls(+o~oh
o}=pa"
mW&x[?
M=K^w
E^f-l
_k]Ui#
WRKk<Q
~A"AK
5S`>=
f~)u
!9<"U
o22jsC
9}W.0
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
<1Go:
z|D%]
z[5_\"
]jZjk
sRodS
7Legx
fIRlG
fkO&:
phiUt
XedGY
UJ=_e
YKsu.
ExM%=p
BW(Ys
a(sG!x*
{M8XQ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
K3(GeJ
&x|dnG
l8A=vd
JJI/j^
?X3&p
"OHrI
.Bt*?
K^<o8Y
*PnK7
^~ky{
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
JdueB
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
S%7efF
NTs9=
yJdPN
U<\bwG
iNcfq
E{:pi
lj5 /
E5Mkw
c0b5_
E; n|Y"0
?p(1U
<?',S{x
i/ZMdJ[}
NkC[D0
ZDjs]
V;v?\
YYk<TC
2''g-
F>}7-
Z3s%|
RWq`~,m
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
)+JMN
;>j?X
1s9,^
tO),\
gd)A_
^5iod
6/(~U9
Y&ii|n$
uG(Ytf:
:;#Mnb
*s1Q^:}
_w)MT
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
r{R<=
2hvk>
B/)%cW
)3ClL"@<
Gbd3:_
uiX:U
m&( Y
.n#76
Q*Cuz^
[#Xqc
`A5'ua
G(qADj
/vfG()
].Buo
vViE9
ChTS"L
Y-RR+
Eu(Ao
w=cuS'
QP:T+
Nnw0K
\#yMP
w{XV`
v4.0.30319
#Strings
#GUID
#Blob
Af4$8!
g&2E!
1t_F!
xG/48oZ!
Yc5|n#
8Qk*$
wH|6$
Qf9#%
t!4Q1pL%
wH$8R&
4Rk$T&
P^w2(
E&y6(
N/r8(
6z+YD(
4Ap&C)
5z*T)
n$6EK4z)
G+r2*
bQ!14*
wQ|46*
n_7F*
t~9H*
kT%3P*
bB_0/
4t&BsG6/
K^b6/
6p#X!0
M~o10
C/r40
Q%y70
G_q31
kQ(71
kG*71
wW*71
IEnumerable`1
IComparer`1
IEnumerator`1
ParallelQuery`1
o/5G(Ja1
Rm9$(Xx2
X~q8|2
Z|p0(3
2Wt&Ze*3
Y_j9f3
Yq8~3
6Lm)#4
Wq2+%4
5Wx#e&Q4
6Ei$f~Z4
D|t3z4
jR(8$5
F9A2AA256D08FF919CBE95A570D57F1789B652B7F33E1BB2A9481E70A8ADE7A5
p%0P5
4Ar!^5
R/b7~5
Rx4!6
7m$R*6
M#r86
9Ba^(7
A%k27
W+g37
9y$AC7
i/0XN7
xH%0$8
o*0Q8
Hb5&_8
Ky4%|8
aM#29
kZ*7D9
0Rj_y9
B96DB4F1581FE774FCB5231CB3B6AE080FAE60A02C4DBAF7761DE97A07BA9A5A
g)0Z^A
7w&DkA
T!y38B
D$b63C
Ht3*6$oC
Ho2!3F
e+6Q8F
Zw0%|H
o%8P3J
C%o79J
3n*TzK
8Tz)L
Pa6^/L
cQ_30)fL
Bw7%2M
J#f5%s3M
5q(WM
System.IO
E/q2sP
Zx9&)Q
7k!NQ
9j_SzQ
1Lc*_e2R
5w(YS
B~a2qT
get_IV
set_IV
Qj7!~X
Fw5+4Y
1b%SY
Ho0+#Z
fH*4+d8Z
9g/Z^
G^g84mP_
G|m1a
2z+Ma
GetObjectData
ProjectData
Fx5+b
mscorlib
7Tt_Jc
System.Collections.Generic
Microsoft.VisualBasic
jD_9/d
connectionId
_contentLoaded
s_WindowBeingCreated
Synchronized
J)g47e
CreateInstance
get_GetInstance
defaultInstance
GetHashCode
CryptoStreamMode
Invoke
ParallelEnumerable
IDisposable
Hashtable
ISerializable
RuntimeFieldHandle
RuntimeTypeHandle
GetTypeFromHandle
get_Name
ValueType
Compare
System.Core
RemoveMemoryPressure
resourceCulture
MethodBase
ApplicationSettingsBase
Release
Dispose
Create
DebuggerBrowsableState
EditorBrowsableState
ThreadStaticAttribute
STAThreadAttribute
CompilerGeneratedAttribute
GuidAttribute
HelpKeywordAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
DebuggerBrowsableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
StandardModuleAttribute
HideModuleNameAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
DebuggerHiddenAttribute
AssemblyFileVersionAttribute
MyGroupCollectionAttribute
AssemblyDescriptionAttribute
ThemeInfoAttribute
CompilationRelaxationsAttribute
ReliabilityContractAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
WriteByte
m_ThreadStaticValue
GetObjectValue
GetIDispatchForObjectNative
8Xp/Gf
fQ|7/g
Microsoft.VisualBasic.Logging
System.Runtime.Versioning
ToString
Substring
s_Log
4Eo+&j
H$e41j
0f_YE/3j
yQ+2P/3j
d%3KEj
D$r3)k
q*3R~6Gk
PresentationFramework
Rijndael
System.ComponentModel
AsParallel
L~j3m
CryptoStream
MemoryStream
System
SymmetricAlgorithm
ICryptoTransform
R(e3)n
0Gw/n
aG(4B&1n
8a^LN+1n
4Lt^X$9n
resourceMan
System.ComponentModel.Design
_TargetFrameworkVersion
targetFrameworkVersion
_ComponentVersion
componentVersion
Application
ResourceDictionaryLocation
System.Configuration
System.Globalization
System.Runtime.Serialization
System.Reflection
InvalidOperationException
System.Runtime.ConstrainedExecution
7Ac/o
2x/X~9Do
CompareTo
R/d03K_o
FieldInfo
MethodInfo
TypeInfo
CultureInfo
SerializationInfo
MemberInfo
AssemblyInfo
6c|T!7Rp
1Me/Zp
9Ks$q
T*c7q
System.Linq
pH(5^r
ResourceManager
System.CodeDom.Compiler
Comparer
s_User
s_Computer
ClearProjectError
SetProjectError
IEnumerator
GetEnumerator
Activator
.ctor
.cctor
CreateDecryptor
UIntPtr
gS*7#1Ps
System.Diagnostics
GetMethods
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.ApplicationServices
System.Runtime.InteropServices
Microsoft.VisualBasic.CompilerServices
System.Runtime.CompilerServices
System.Resources
02ca346bd10b.Resources.resources
DebuggingModes
get_DefinedTypes
arrayOfBytes
Settings
ReferenceEquals
System.Windows.Controls
System.Collections
RuntimeHelpers
System.Windows
s_Windows
1e|Pt
m_WrappedObject
Connect
target
op_Explicit
Default
InitializeComponent
get_Current
MoveNext
StreamingContext
onlyInContext
W|t74w
4Nx#Kw
Window
InitializeArray
ToArray
Consistency
get_Key
set_Key
ContainsKey
_RegistryKey
registryKey
System.Security.Cryptography
get_Assembly
GetExecutingAssembly
assembly
jD|65z
pX*2|
1j~DrP5|
bK%9N|
8t*LE3y|
Qy9_2~
9p/H~
3Dr$Y~
WrapNonExceptionThrows
JH333A2F<=9D9H=4
(Copyright
2012 [email protected]?FAD86
oP/8_z2QK5+y~e7B4)HjX1s|!
$9b85a3b9-95f1-4406-9192-bf610e1b1047
7.11.15.18
.NETFramework,Version=v4.5
FrameworkDisplayName
.NET Framework 4.5
MyTemplate
11.0.0.0
System.Windows.Window
Create__Instance__
Dispose__Instance__ My.MyWpfExtenstionModule.Windows
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
My.Settings
_CorExeMain
mscoree.dll
qG9~>
fBhn4
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
42be7055
94a716ae0
94a716ae1
94a716ae10
94a716ae11
94a716ae12
94a716ae13
94a716ae14
94a716ae15
94a716ae16
94a716ae17
94a716ae18
94a716ae19
94a716ae2
94a716ae20
94a716ae21
94a716ae22
94a716ae23
94a716ae24
94a716ae25
94a716ae26
94a716ae27
94a716ae28
94a716ae29
94a716ae3
94a716ae30
94a716ae31
94a716ae32
94a716ae33
94a716ae34
94a716ae35
94a716ae36
94a716ae37
94a716ae38
94a716ae39
94a716ae4
94a716ae40
94a716ae41
94a716ae42
94a716ae43
94a716ae44
94a716ae45
94a716ae46
94a716ae47
94a716ae48
94a716ae49
94a716ae5
94a716ae50
94a716ae51
94a716ae52
94a716ae53
94a716ae54
94a716ae55
94a716ae56
94a716ae57
94a716ae58
94a716ae59
94a716ae6
94a716ae60
94a716ae61
94a716ae62
94a716ae63
94a716ae64
94a716ae65
94a716ae7
94a716ae8
94a716ae9
The window cannot be accessed via My.Windows from the Window constructor.
Stub14.Resources
AqwsjFFayhA51OIHjdlajksf
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
JH333A2F<=9D9H=4
CompanyName
FileDescription
FileVersion
7.11.15.18
InternalName
Money gram.exe
LegalCopyright
Copyright
2012 [email protected]?FAD86
OriginalFilename
Money gram.exe
ProductName
ProductVersion
7.11.15.18
Assembly Version
1.0.0.0
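The strings dump above puts three things side by side: the symmetric-decryption API surface (Rijndael, SymmetricAlgorithm, ICryptoTransform, CryptoStream, CreateDecryptor, MemoryStream), resource-access names (ResourceManager, resourceMan, arrayOfBytes, InitializeArray, Stub14.Resources) and a reflection set (GetExecutingAssembly, get_DefinedTypes, GetMethods, Invoke, Activator), plus dozens of short junk tokens such as 8Xp/Gf and 4Nx#Kw where readable member names would normally be. That combination is what a .NET crypter stub that decrypts an embedded resource and runs it from memory looks like, and with the behaviour section of this report empty the static strings are the main lead. The script below, an added example and not part of CAPE or of the sample, scores a strings list against those three indicator groups and counts junk tokens. The embedded string list is a constructed excerpt of the strings on this page; the indicator groups, the junk-token heuristic and the threshold of five junk tokens are the author's own choices, not a published rule.

```python
"""Triage a .NET strings dump for the encrypted-resource loader pattern.

Added example for this report, not CAPE code and not code from the sample.
SAMPLE_STRINGS is a constructed excerpt of the report's strings; INDICATORS,
is_junk_token() and the verdict thresholds are the author's assumptions.
"""
import math

SAMPLE_STRINGS = [
    "Rijndael", "CryptoStream", "MemoryStream", "SymmetricAlgorithm",
    "ICryptoTransform", "CreateDecryptor", "CryptoStreamMode",
    "System.Security.Cryptography", "ResourceManager", "resourceMan",
    "System.Resources", "02ca346bd10b.Resources.resources", "Stub14.Resources",
    "arrayOfBytes", "InitializeArray", "ToArray", "GetExecutingAssembly",
    "get_DefinedTypes", "GetMethods", "Invoke", "Activator", "MethodBase",
    "GetTypeFromHandle", "ToString", "Substring", "get_Name", ".ctor", ".cctor",
    "_CorExeMain", "mscoree.dll", "Money gram.exe", "MyApplication.app",
    "7.11.15.18", "1.0.0.0",
    "8Xp/Gf", "fQ|7/g", "4Eo+&j", "H$e41j", "0f_YE/3j", "yQ+2P/3j", "d%3KEj",
    "R(e3)n", "9Ks$q", "T*c7q", "pH(5^r", "W|t74w", "4Nx#Kw", "jD|65z", "Qy9_2~",
]

# .NET names whose co-occurrence is typical of a stub that decrypts an embedded
# resource and hands the result to the loader via reflection (author's grouping).
INDICATORS = {
    "symmetric_crypto": {"Rijndael", "SymmetricAlgorithm", "ICryptoTransform",
                         "CryptoStream", "CryptoStreamMode", "CreateDecryptor"},
    "embedded_resource": {"ResourceManager", "resourceMan", "arrayOfBytes",
                          "InitializeArray", "System.Resources"},
    "reflective_load": {"GetExecutingAssembly", "get_DefinedTypes", "GetMethods",
                        "Invoke", "Activator", "MethodBase"},
}

# Symbol characters that never appear in a real CLR member or namespace name.
JUNK_PUNCT = set("/|~!$%&*^#()+")


def shannon_entropy(s: str) -> float:
    """Bits per character; log2(len(s)) when no character repeats."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_junk_token(s: str) -> bool:
    """Short token mixing letters, digits and symbol characters: a renamed
    member or an encoded blob fragment rather than a readable .NET name."""
    if not 4 <= len(s) <= 12 or "." in s or " " in s:
        return False          # dotted names and version strings are legitimate
    has_punct = any(ch in JUNK_PUNCT for ch in s)
    has_digit = any(ch.isdigit() for ch in s)
    has_alpha = any(ch.isalpha() for ch in s)
    return has_punct and has_digit and has_alpha and shannon_entropy(s) > 2.0


def triage(strings):
    present = set(strings)
    groups = {name: sorted(present & names) for name, names in INDICATORS.items()}
    junk = [s for s in strings if is_junk_token(s)]
    # Require hits in every group: AES alone is common in clean software.
    loader_pattern = all(len(hits) >= 2 for hits in groups.values())
    exe_names = sorted(s for s in strings if s.lower().endswith(".exe"))
    return {
        "groups": groups,
        "junk_tokens": junk,
        "exe_names": exe_names,
        "loader_pattern": loader_pattern,
        "verdict": ("encrypted-resource .NET loader (manual unpack recommended)"
                    if loader_pattern and len(junk) >= 5 else "no loader pattern"),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    for name, hits in result["groups"].items():
        print(f"{name:18s} {len(hits)} hit(s): {', '.join(hits)}")
    print(f"junk tokens      : {len(result['junk_tokens'])}")
    print(f"exe names        : {', '.join(result['exe_names'])}")
    print(f"verdict          : {result['verdict']}")
```

The three-group requirement is deliberate: a hit on the crypto group alone would flag every application that encrypts a settings file, and the junk-token count is what separates an obfuscated stub from a tidy release build. A positive verdict means the next step is dumping the decrypted resource from memory, not reading more strings.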
No antivirus signatures available.
Sorry! No behavior.

Hosts

Direct  IP              Country
Y       8.8.8.8         United States
Y       51.105.208.173  United Kingdom
N       104.18.10.39    United States
Y       1.1.1.1         Australia

TCP

Source Source Port Destination Destination Port
192.168.1.9 49210 104.121.76.105 80
192.168.1.9 49207 104.18.10.39 cacerts.digicert.com 80
192.168.1.9 49177 13.107.42.23 443
192.168.1.9 49179 13.107.42.23 443
192.168.1.9 49206 13.88.21.125 443
192.168.1.9 40492 52.114.128.75 63568
192.168.1.9 43265 52.114.128.75 16125
192.168.1.9 58449 52.114.128.75 64387
192.168.1.9 49209 52.114.128.75 443

UDP

Source Source Port Destination Destination Port
192.168.1.9 55233 1.1.1.1 53
192.168.1.9 64674 1.1.1.1 53
192.168.1.9 137 192.168.1.255 137
192.168.1.9 51751 8.8.8.8 53
192.168.1.9 53599 8.8.8.8 53
192.168.1.9 54609 8.8.8.8 53
192.168.1.9 55233 8.8.8.8 53
192.168.1.9 55319 8.8.8.8 53
192.168.1.9 59058 8.8.8.8 53
192.168.1.9 59225 8.8.8.8 53
192.168.1.9 63630 8.8.8.8 53
192.168.1.9 64674 8.8.8.8 53

DNS

Name                  Response        Post-Analysis Lookup
cacerts.digicert.com  A 104.18.10.39  104.18.11.39

HTTP Requests

URI Data
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
GET /DigiCertGlobalRootG2.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: cacerts.digicert.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.1.9 1.1.1.1 3
192.168.1.9 8.8.8.8 3
192.168.1.9 8.8.8.8 3
192.168.1.9 8.8.8.8 3
192.168.1.9 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

Timestamp                Src IP       Src Port  Dst IP        Dst Port  Proto  GID  SID      Rev  Signature                                        Category         Severity
2020-10-18 06:42:47.169  192.168.1.9  49174     13.107.42.23  443       TCP    1    2028395  2    ET JA3 Hash - Possible Malware - Various Eitest  Unknown Traffic  3
2020-10-18 06:42:48.798  192.168.1.9  49177     13.107.42.23  443       TCP    1    2028395  2    ET JA3 Hash - Possible Malware - Various Eitest  Unknown Traffic  3
2020-10-18 06:42:48.974  192.168.1.9  49178     13.107.42.23  443       TCP    1    2028395  2    ET JA3 Hash - Possible Malware - Various Eitest  Unknown Traffic  3
2020-10-18 06:42:52.137  192.168.1.9  49179     13.107.42.23  443       TCP    1    2028395  2    ET JA3 Hash - Possible Malware - Various Eitest  Unknown Traffic  3
2020-10-18 06:42:52.242  192.168.1.9  49180     13.107.42.23  443       TCP    1    2028395  2    ET JA3 Hash - Possible Malware - Various Eitest  Unknown Traffic  3
2020-10-18 06:43:34.003  192.168.1.9  49206     13.88.21.125  443       TCP    1    2028388  2    ET JA3 Hash - Possible Malware - RigEK           Unknown Traffic  3

Suricata TLS

Timestamp                Src IP       Src Port  Dst IP         Dst Port  Subject                                                                        Issuer  Fingerprint                                                  Version
2020-10-18 06:42:47.222  192.168.1.9  49174     13.107.42.23   443       CN=edge.skype.com                                                              -       5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74  TLS 1.2
2020-10-18 06:42:48.896  192.168.1.9  49177     13.107.42.23   443       CN=edge.skype.com                                                              -       5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74  TLS 1.2
2020-10-18 06:42:49.085  192.168.1.9  49178     13.107.42.23   443       CN=edge.skype.com                                                              -       5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74  TLS 1.2
2020-10-18 06:42:52.145  192.168.1.9  49179     13.107.42.23   443       CN=edge.skype.com                                                              -       5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74  TLS 1.2
2020-10-18 06:42:52.435  192.168.1.9  49180     13.107.42.23   443       CN=edge.skype.com                                                              -       5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74  TLS 1.2
2020-10-18 06:43:34.089  192.168.1.9  49206     13.88.21.125   443       C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.events.data.microsoft.com  -       1e:c4:c7:d6:8d:8d:a2:4a:82:99:22:21:5c:35:03:96:bd:05:43:b6  TLSv1
2020-10-18 06:44:28.900  192.168.1.9  49209     52.114.128.75  443       C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.events.data.microsoft.com  -       1e:c4:c7:d6:8d:8d:a2:4a:82:99:22:21:5c:35:03:96:bd:05:43:b6  TLS 1.2

Suricata HTTP

Timestamp                Src IP       Src Port  Dst IP          Dst Port  Method  Status  Hostname                 URI                                                                                                                   Content Type                       User Agent               Referrer  Length
2020-10-18 06:43:37.043  192.168.1.9  49207     104.18.10.39    80        -       403     cacerts.digicert.com     /DigiCertGlobalRootG2.crt                                                                                             text/html                          Microsoft-CryptoAPI/6.1  None      2894
2020-10-18 06:43:44.050  192.168.1.9  49208     104.121.76.105  80        -       200     ctldl.windowsupdate.com  /msdownload/update/v3/static/trustedr/en/authrootstl.cab?0368031b63a11ac4                                             application/vnd.ms-cab-compressed  Microsoft-CryptoAPI/6.1  None      58918
2020-10-18 06:43:46.373  192.168.1.9  49208     104.121.76.105  80        -       200     ctldl.windowsupdate.com  /msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt?c3f1a3c3cfb902aa                application/x-x509-ca-cert         Microsoft-CryptoAPI/6.1  None      914
2020-10-18 06:44:30.454  192.168.1.9  49210     104.121.76.105  80        -       200     ctldl.windowsupdate.com  /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?46c58957ce829b9f                                       application/vnd.ms-cab-compressed  Microsoft-CryptoAPI/6.1  None      4776
2020-10-18 06:44:31.725  192.168.1.9  49211     93.184.220.29   80        -       200     ocsp.digicert.com        /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D  application/ocsp-response          Microsoft-CryptoAPI/6.1  None      471
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.9 49174 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49177 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49178 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49179 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49180 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49206 13.88.21.125 443 bafc6b01eae6f4350f5db6805ace208e unknown
192.168.1.9 49209 52.114.128.75 443 d124ae14809abde3528a479fe01a12bd unknown
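Every Suricata alert in this report is a generic JA3 rule (SIDs 2028395 and 2028388) firing on TLS flows whose certificate subject, per the Suricata TLS table, is edge.skype.com or *.events.data.microsoft.com, that is, Skype and Windows telemetry from the analysis VM. The HTTP entries are likewise all Microsoft-CryptoAPI/6.1 certificate, CTL and OCSP fetches, and the JA3 hashes themselves are listed as "unknown". Before escalating any of this as sample command-and-control, join each alert to the TLS record of the same flow and check the certificate subject against an allowlist of platform endpoints. The script below does that for the six alert rows and seven TLS rows above, carried as plain strings copied from the tables; it is an added example, not CAPE or Suricata code, and the BACKGROUND_SUBJECTS allowlist and the EXTRA_ALERT flow to 203.0.113.5 are the author's constructions.

```python
"""Join Suricata JA3 alerts to the TLS record of the same 4-tuple and mark the
alerts whose certificate subject is a known Windows/Skype platform endpoint.

Added example, not part of CAPE or Suricata. ALERT_ROWS and TLS_ROWS hold the
rows of the report's Suricata tables as strings; EXTRA_ALERT and the
BACKGROUND_SUBJECTS allowlist are constructed by the author.
"""
import re
from fnmatch import fnmatch

ALERT_ROWS = [
    "2020-10-18 06:42:47.169 192.168.1.9 49174 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3",
    "2020-10-18 06:42:48.798 192.168.1.9 49177 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3",
    "2020-10-18 06:42:48.974 192.168.1.9 49178 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3",
    "2020-10-18 06:42:52.137 192.168.1.9 49179 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3",
    "2020-10-18 06:42:52.242 192.168.1.9 49180 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3",
    "2020-10-18 06:43:34.003 192.168.1.9 49206 13.88.21.125 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3",
]
TLS_ROWS = [
    "2020-10-18 06:42:47.222 192.168.1.9 49174 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2",
    "2020-10-18 06:42:48.896 192.168.1.9 49177 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2",
    "2020-10-18 06:42:49.085 192.168.1.9 49178 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2",
    "2020-10-18 06:42:52.145 192.168.1.9 49179 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2",
    "2020-10-18 06:42:52.435 192.168.1.9 49180 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2",
    "2020-10-18 06:43:34.089 192.168.1.9 49206 13.88.21.125 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.events.data.microsoft.com 1e:c4:c7:d6:8d:8d:a2:4a:82:99:22:21:5c:35:03:96:bd:05:43:b6 TLSv1",
    "2020-10-18 06:44:28.900 192.168.1.9 49209 52.114.128.75 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.events.data.microsoft.com 1e:c4:c7:d6:8d:8d:a2:4a:82:99:22:21:5c:35:03:96:bd:05:43:b6 TLS 1.2",
]
# Constructed: an alert on a flow that has no TLS record, to show what escalates.
EXTRA_ALERT = ("2020-10-18 06:45:00.000 192.168.1.9 49999 203.0.113.5 443 TCP 1 "
               "2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3")

# Analyst-maintained allowlist of sandbox background endpoints (assumption).
BACKGROUND_SUBJECTS = ["edge.skype.com", "*.events.data.microsoft.com"]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) "
    r"(?P<proto>\S+) (?P<gid>\d+) (?P<sid>\d+) (?P<rev>\d+) (?P<msg>.+) (?P<sev>\d)$")
# Subject is everything between the destination port and the 20-byte SHA-1.
TLS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) "
    r"(?P<subject>.+?) (?P<fp>(?:[0-9a-f]{2}:){19}[0-9a-f]{2}) (?P<ver>TLS.*)$")


def parse(rows, rx):
    out = []
    for row in rows:
        m = rx.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        out.append(m.groupdict())
    return out


def flow_key(rec):
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


def common_name(subject):
    m = re.search(r"CN=([^,\s]+)", subject)
    return m.group(1) if m else None


def classify_alerts(alert_rows, tls_rows):
    """One result per alert: the certificate CN of its flow (if any) and whether
    that CN is on the background allowlist."""
    tls_by_flow = {flow_key(t): t for t in parse(tls_rows, TLS_RE)}
    results = []
    for a in parse(alert_rows, ALERT_RE):
        tls = tls_by_flow.get(flow_key(a))
        cn = common_name(tls["subject"]) if tls else None
        background = cn is not None and any(fnmatch(cn, p) for p in BACKGROUND_SUBJECTS)
        results.append({"sid": a["sid"], "flow": flow_key(a), "cn": cn,
                        "fingerprint": tls["fp"] if tls else None,
                        "background": background})
    return results


def escalate(alert_rows, tls_rows):
    """Alerts not explained by a known platform endpoint: the ones worth a look."""
    return [r for r in classify_alerts(alert_rows, tls_rows) if not r["background"]]


if __name__ == "__main__":
    for r in classify_alerts(ALERT_ROWS + [EXTRA_ALERT], TLS_ROWS):
        tag = "background" if r["background"] else "ESCALATE"
        print(f"{tag:10s} SID {r['sid']} {r['flow'][2]}:{r['flow'][3]} cn={r['cn']}")
```

On the report's own rows everything comes back as background and escalate() is empty; only the constructed 203.0.113.5 flow, which has no TLS record to vouch for it, is left over. Matching on the certificate CN rather than on the destination IP matters because the 13.107.42.23 and 52.114.128.75 ranges are shared Microsoft front ends and will be reused for other services.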
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name cmd.exe
PID 3648
Dump Size 302592 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:00:27
MD5 a449366a68c8d9fdcf3492dcecb42a8f
SHA1 dece0822c2368ea66e07947e36af55f08a240ebe
SHA256 eba86d993c7af9a61eb3cdeddda0d74bf4e40993bb58c09517c41390ee5a43b3
CRC32 DFE3E97B
Ssdeep 3072:UAbd4vN5pKZtA43NdV0Amo60mibsGA8fpFCMkLjyGez1c:UA54lfKZtnkImcsGLpFCMkLmt+
Dump Filename eba86d993c7af9a61eb3cdeddda0d74bf4e40993bb58c09517c41390ee5a43b3
BinGraph (SVG image not reproduced)
Process Name reg.exe
PID 1156
Dump Size 62464 bytes
Module Path C:\Windows\SysWOW64\reg.exe
Type PE image: 32-bit executable
PE timestamp 2009-07-13 23:15:56
MD5 16646ee12001ebd1b1098f71a52a0d76
SHA1 28c4183ac55e8aa8e16df3447a46e7319b3898ac
SHA256 bdaefae07de2f69068b4a0708c44a6840dc99d714ca40783beb17c0d10613a30
CRC32 FF61CF1F
Ssdeep 1536:a3Z3b2t7WinNaHEpabRqeLxyGELGHq06lQk:apr2taJLrELGK06i
Dump Filename bdaefae07de2f69068b4a0708c44a6840dc99d714ca40783beb17c0d10613a30
BinGraph (SVG image not reproduced)
Process Name cmd.exe
PID 4948
Dump Size 302592 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:00:27
MD5 357e332bc7392e49b4eabfe5d8b7b9f4
SHA1 9ec6fbcb3a96f3494763dcb1fe5b3efdf8765436
SHA256 5ea06a02db5019d46dc38c91f8f930cab2d85f17651d72ae447686f3b56d20a6
CRC32 B67EE493
Ssdeep 3072:iCoRLx+F+DnMUpf04Vv1S1o73KNh8okbRjyGez1c:iCELxfD350oQo7yh8okNmt+
Dump Filename 5ea06a02db5019d46dc38c91f8f930cab2d85f17651d72ae447686f3b56d20a6
BinGraph (SVG image not reproduced)
Process Name cmd.exe
PID 2136
Dump Size 302592 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:00:27
MD5 a334c523e1f8547e28511fcee232f439
SHA1 3aa0efd727b61fb51ac0b99be2c59f2ef611dfea
SHA256 8209fe1b9c4f4e0210d1fbe62770db392cfa1fa754fcffe990c70aa03761568e
CRC32 0C3A7966
Ssdeep 3072:iCoRLx+F+DnMUpf04Vv1S1o73KNh8okLUjyGez1c:iCELxfD350oQo7yh8okgmt+
Dump Filename 8209fe1b9c4f4e0210d1fbe62770db392cfa1fa754fcffe990c70aa03761568e
BinGraph (SVG image not reproduced)
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1118 - InstallUtil
    • Signature - spawns_dev_util
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1127 - Trusted Developer Utilities
    • Signature - spawns_dev_util

Execution
  • T1106 - Execution through API
    • Signature - process_creation_suspicious_location
  • T1129 - Execution through Module Load
    • Signature - dropper
  • T1118 - InstallUtil
    • Signature - spawns_dev_util
  • T1127 - Trusted Developer Utilities
    • Signature - spawns_dev_util

Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

Persistence
  • T1060 - Registry Run Keys / Startup Folder
    • Signature - persistence_autorun

    Processing ( 16.935 seconds )

    • 6.657 CAPE
    • 5.295 Suricata
    • 2.005 NetworkAnalysis
    • 1.27 BehaviorAnalysis
    • 0.76 Static
    • 0.362 VirusTotal
    • 0.144 static_dotnet
    • 0.095 ProcDump
    • 0.084 TargetInfo
    • 0.079 Dropped
    • 0.078 AnalysisInfo
    • 0.059 Deduplicate
    • 0.025 Strings
    • 0.016 Debug
    • 0.005 peid
    • 0.001 Curtain

    Signatures ( 0.845 seconds )

    • 0.095 antiav_detectreg
    • 0.046 guloader_apis
    • 0.038 infostealer_ftp
    • 0.035 Locky_behavior
    • 0.032 territorial_disputes_sigs
    • 0.026 decoy_document
    • 0.025 stealth_timeout
    • 0.025 masquerade_process_name
    • 0.022 api_spamming
    • 0.022 infostealer_im
    • 0.02 antiav_detectfile
    • 0.019 masslogger_artifacts
    • 0.019 antianalysis_detectreg
    • 0.018 NewtWire Behavior
    • 0.016 Doppelganging
    • 0.013 accesses_recyclebin
    • 0.012 infostealer_bitcoin
    • 0.012 ransomware_files
    • 0.011 InjectionCreateRemoteThread
    • 0.011 injection_createremotethread
    • 0.01 antivm_generic_disk
    • 0.01 infostealer_browser
    • 0.01 antianalysis_detectfile
    • 0.01 antivm_vbox_keys
    • 0.009 antidebug_guardpages
    • 0.009 antiemu_wine_func
    • 0.009 infostealer_mail
    • 0.009 ransomware_extensions
    • 0.008 dynamic_function_loading
    • 0.008 exec_crash
    • 0.008 antivm_vbox_files
    • 0.007 exploit_heapspray
    • 0.007 injection_runpe
    • 0.007 mimics_filetime
    • 0.007 reads_self
    • 0.007 antivm_vmware_keys
    • 0.006 InjectionProcessHollowing
    • 0.006 infostealer_browser_password
    • 0.006 malicious_dynamic_function_loading
    • 0.006 virus
    • 0.006 browser_security
    • 0.005 InjectionInterProcess
    • 0.005 antivm_generic_scsi
    • 0.005 bootkit
    • 0.005 kovter_behavior
    • 0.005 stealth_file
    • 0.005 antivm_parallels_keys
    • 0.005 antivm_xen_keys
    • 0.005 geodo_banking_trojan
    • 0.005 predatorthethief_files
    • 0.005 qulab_files
    • 0.004 antiav_360_libs
    • 0.004 antivm_vbox_libs
    • 0.004 dyre_behavior
    • 0.004 hancitor_behavior
    • 0.004 persistence_autorun
    • 0.004 stack_pivot
    • 0.003 antivm_generic_services
    • 0.003 betabot_behavior
    • 0.003 exploit_getbasekerneladdress
    • 0.003 antidbg_devices
    • 0.003 antivm_generic_diskreg
    • 0.003 antivm_vmware_files
    • 0.003 antivm_vpc_keys
    • 0.002 Unpacker
    • 0.002 antiav_ahnlab_libs
    • 0.002 antidbg_windows
    • 0.002 antisandbox_sunbelt_libs
    • 0.002 lsass_credential_dumping
    • 0.002 encrypted_ioc
    • 0.002 exploit_gethaldispatchtable
    • 0.002 hawkeye_behavior
    • 0.002 kibex_behavior
    • 0.002 network_tor
    • 0.002 OrcusRAT Behavior
    • 0.002 shifu_behavior
    • 0.002 vawtrak_behavior
    • 0.002 network_torgateway
    • 0.001 InjectionSetWindowLong
    • 0.001 antiav_avast_libs
    • 0.001 antiav_bitdefender_libs
    • 0.001 antiav_bullgaurd_libs
    • 0.001 antiav_emsisoft_libs
    • 0.001 antiav_qurb_libs
    • 0.001 antiav_apioverride_libs
    • 0.001 antiav_nthookengine_libs
    • 0.001 antisandbox_sboxie_libs
    • 0.001 antisandbox_sleep
    • 0.001 Raccoon Behavior
    • 0.001 Vidar Behavior
    • 0.001 injection_explorer
    • 0.001 ipc_namedpipe
    • 0.001 kazybot_behavior
    • 0.001 office_com_load
    • 0.001 blackrat_registry_keys
    • 0.001 rat_nanocore
    • 0.001 recon_programs
    • 0.001 tinba_behavior
    • 0.001 antivm_xen_keys
    • 0.001 antivm_hyperv_keys
    • 0.001 antivm_vbox_devices
    • 0.001 ketrican_regkeys
    • 0.001 bypass_firewall
    • 0.001 codelux_behavior
    • 0.001 darkcomet_regkeys
    • 0.001 disables_backups
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 network_cnc_http
    • 0.001 network_dns_opennic
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 modirat_behavior
    • 0.001 obliquerat_files
    • 0.001 rat_pcclient
    • 0.001 recon_fingerprint
    • 0.001 sniffer_winpcap
    • 0.001 ursnif_behavior

    Reporting ( 17.848 seconds )

    • 17.586 BinGraph
    • 0.239 MITRE_TTPS
    • 0.023 PCAP2CERT