Status: Malicious
| Category | Package | Started | Completed | Duration | Options | Log(s) | MalScore |
|---|---|---|---|---|---|---|---|
| FILE | dll | 2025-12-09 15:14:52 | 2025-12-09 15:18:16 | 204 seconds | vnc_port=5902 | analysis log below | 8.0 |
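The analyzer log below is long and mostly sandbox housekeeping (auditpol, taskkill of updaters, monitor injection). What a triager actually wants from it is the process tree the sample built (rundll32 invoking export #1 of the dropped DLL, then spawning taskkill.exe), where the sample's own module was mapped, and which memory regions CAPE dumped and under what SHA-256 they were uploaded. The following Python is an added example, not part of this report or of the CAPE project: it parses the analyzer's line formats with regular expressions and builds that summary. Its sample input is ten lines copied verbatim from the log on this page (constructed sample, not a live run); the `LOLBIN_CHILDREN` list and the "anything outside C:\Windows is the sample's module" filter are heuristics assumed here, not CAPE rules.

```python
import re

# Constructed sample: ten lines copied verbatim from the CAPE analyzer log on this page.
SAMPLE_LOG = r"""
2025-12-09 07:11:53,593 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\red_core.exe.dll",#1" with pid 2648
2025-12-09 07:11:53,609 [lib.api.process] INFO: Injected into 32-bit <Process 2648 rundll32.exe>
2025-12-09 07:11:55,671 [root] DEBUG: 2648: Target DLL loaded at 0x73FD0000: C:\Users\user\AppData\Local\Temp\red_core.exe (0x6c000 bytes).
2025-12-09 07:11:55,687 [root] DEBUG: 2648: DLL loaded at 0x75FA0000: C:\Windows\syswow64\WININET (0x437000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2648: DLL loaded at 0x73F60000: C:\Windows\system32\winhttp (0x58000 bytes).
2025-12-09 07:11:56,765 [lib.common.results] INFO: Uploading file C:\VmtIcCTsP\CAPE\2648_307505651892122025 to CAPE\87982825681fd22d68877614bba19345454e0e14bbb33cc35158dce7c1324ff4; Size is 279040; Max size: 100000000
2025-12-09 07:11:56,765 [root] DEBUG: 2648: CreateProcessHandler: Injection info set for new process 1336: C:\Windows\SysWOW64\TASKKILL.exe, ImageBase: 0x00B30000
2025-12-09 07:11:56,781 [root] DEBUG: 2648: DumpRegion: Dumped PE image(s) from base address 0x10000000, size 315392 bytes.
2025-12-09 07:11:56,781 [lib.api.process] INFO: Injected into 32-bit <Process 1336 taskkill.exe>
2025-12-09 07:11:56,796 [lib.api.process] INFO: Injected into 32-bit <Process 1336 taskkill.exe>
"""

# One regex per analyzer message shape we care about (shapes taken from the log on this page).
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$")
EXEC_RE = re.compile(r'executed process from path "(?P<path>[^"]+)" with arguments "(?P<args>.*)" with pid (?P<pid>\d+)')
INJECT_RE = re.compile(r"Injected into (?P<bits>32|64)-bit <Process (?P<pid>\d+) (?P<name>[^>]+)>")
CHILD_RE = re.compile(r"^(?P<parent>\d+): CreateProcessHandler: Injection info set for new process (?P<pid>\d+): (?P<path>.+?), ImageBase: 0x(?P<base>[0-9A-Fa-f]+)")
DLL_RE = re.compile(r"^(?P<pid>\d+): (?P<target>Target )?DLL loaded at 0x(?P<base>[0-9A-Fa-f]+): (?P<path>.+?) \(0x(?P<size>[0-9A-Fa-f]+) bytes\)\.$")
DUMP_RE = re.compile(r"^(?P<pid>\d+): DumpRegion: Dumped PE image\(s\) from base address 0x(?P<base>[0-9A-Fa-f]+), size (?P<size>\d+) bytes\.$")
UPLOAD_RE = re.compile(r"Uploading file (?P<local>\S+) to (?P<dest>\S+); Size is (?P<size>\d+)")

# Assumed heuristic (not a CAPE rule): built-in tools a sample commonly spawns to tamper with the host.
LOLBIN_CHILDREN = {"taskkill.exe", "cmd.exe", "powershell.exe", "schtasks.exe", "reg.exe", "wmic.exe"}


def _proc(summary, pid):
    """Return (creating if needed) the record for a monitored pid."""
    return summary["processes"].setdefault(
        pid, {"name": None, "path": None, "args": None, "entry": None, "parent": None, "bits": None})


def parse_cape_log(text):
    """Reduce analyzer log lines to processes, sample modules, dumps and uploads."""
    summary = {"processes": {}, "sample_modules": [], "dumps": [], "uploads": [], "unparsed": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        msg = m["msg"]
        if e := EXEC_RE.search(msg):          # the analyzer's own launch of the sample
            p = _proc(summary, int(e["pid"]))
            p["path"], p["args"] = e["path"], e["args"]
            # rundll32 takes "<dll>,<export>"; keep the export name or ordinal that was called
            p["entry"] = e["args"].rsplit(",", 1)[1] if "," in e["args"] else None
        elif c := CHILD_RE.match(msg):        # a child created by a monitored process
            p = _proc(summary, int(c["pid"]))
            p["path"], p["parent"] = c["path"], int(c["parent"])
        elif i := INJECT_RE.search(msg):      # monitor DLL injected (may repeat for one pid)
            p = _proc(summary, int(i["pid"]))
            p["name"], p["bits"] = i["name"], int(i["bits"])
        elif d := DLL_RE.match(msg):          # keep only modules mapped from outside C:\Windows
            if not d["path"].lower().startswith("c:\\windows\\"):
                summary["sample_modules"].append(
                    (int(d["pid"]), d["path"], int(d["base"], 16), int(d["size"], 16)))
        elif r := DUMP_RE.match(msg):         # a PE image CAPE carved out of memory
            summary["dumps"].append((int(r["pid"]), int(r["base"], 16), int(r["size"])))
        elif u := UPLOAD_RE.search(msg):      # dump shipped to the host, named by its SHA-256
            summary["uploads"].append(
                {"sha256": u["dest"].split("\\")[-1], "size": int(u["size"]), "local": u["local"]})
    return summary


def process_tree(summary):
    """Indented 'pid name [entry=...]' lines, roots first, children nested below their parent."""
    procs = summary["processes"]

    def walk(pid, depth):
        p = procs[pid]
        label = f"{'  ' * depth}{pid} {p['name'] or p['path']}"
        if p["entry"]:
            label += f" entry={p['entry']}"
        lines = [label]
        for child in sorted(c for c, q in procs.items() if q["parent"] == pid):
            lines.extend(walk(child, depth + 1))
        return lines

    out = []
    for root in sorted(c for c, q in procs.items() if q["parent"] is None):
        out.extend(walk(root, 0))
    return out


def suspicious_children(summary):
    """Pids of child processes whose image is one of the assumed LOLBIN_CHILDREN."""
    hits = []
    for pid, p in sorted(summary["processes"].items()):
        if p["parent"] is None or not p["path"]:
            continue
        if p["path"].split("\\")[-1].lower() in LOLBIN_CHILDREN:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    s = parse_cape_log(SAMPLE_LOG)
    print("\n".join(process_tree(s)))
    for pid, path, base, size in s["sample_modules"]:
        print(f"sample module in {pid}: {path} @ {base:#x} ({size:#x} bytes)")
    for pid, base, size in s["dumps"]:
        print(f"dumped PE from {pid} @ {base:#x}, {size} bytes")
    for u in s["uploads"]:
        print(f"uploaded dump sha256={u['sha256']} size={u['size']}")
    print("suspicious children:", suspicious_children(s))
```

Run against the full log rather than the sample, the same parser also picks up the lsass.exe injection from the tlsdump module as a root process; that one is the sandbox's own TLS-key capture, not sample behaviour, so filter pids injected before the "Successfully executed process" line if you only want the sample's tree. The uploaded SHA-256 is the name to look up in the report's CAPE payloads section, and the dump size (279040 bytes) is the rebuilt image, smaller than the 315392-byte region CAPE scanned because the last section could not be read from the process.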
2025-12-06 10:13:09,665 [root] INFO: Date set to: 20251209T07:11:46, timeout set to: 180
2025-12-09 07:11:46,000 [root] DEBUG: Starting analyzer from: C:\tmpe2ctq1nb
2025-12-09 07:11:46,000 [root] DEBUG: Storing results at: C:\VmtIcCTsP
2025-12-09 07:11:46,000 [root] DEBUG: Pipe server name: \\.\PIPE\tzXQbIoOAA
2025-12-09 07:11:46,000 [root] DEBUG: Python path: C:\Python38
2025-12-09 07:11:46,000 [root] INFO: analysis running as an admin
2025-12-09 07:11:46,000 [root] INFO: analysis package specified: "dll"
2025-12-09 07:11:46,000 [root] DEBUG: importing analysis package module: "modules.packages.dll"...
2025-12-09 07:11:46,000 [root] DEBUG: imported analysis package "dll"
2025-12-09 07:11:46,000 [root] DEBUG: initializing analysis package "dll"...
2025-12-09 07:11:46,000 [lib.common.common] INFO: wrapping
2025-12-09 07:11:46,000 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-09 07:11:46,000 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\red_core.exe
2025-12-09 07:11:46,000 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2025-12-09 07:11:46,000 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2025-12-09 07:11:46,000 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2025-12-09 07:11:46,000 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2025-12-09 07:11:46,031 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-09 07:11:46,062 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-09 07:11:46,078 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-12-09 07:11:46,078 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-12-09 07:11:46,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-09 07:11:46,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-09 07:11:46,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-09 07:11:46,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-09 07:11:46,093 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-09 07:11:46,093 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-09 07:11:46,093 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-09 07:11:46,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-09 07:11:46,093 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-09 07:11:46,093 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-09 07:11:46,093 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-09 07:11:46,093 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-09 07:11:46,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-09 07:11:46,093 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-09 07:11:46,093 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-09 07:11:46,093 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-09 07:11:46,093 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-09 07:11:46,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-09 07:11:46,093 [modules.auxiliary.disguise] INFO: Disguising GUID to 2d2c969c-b425-4c97-99af-36b212a58368
2025-12-09 07:11:46,093 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-12-09 07:11:46,093 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-09 07:11:46,093 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-09 07:11:46,093 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-09 07:11:46,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-09 07:11:46,093 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-09 07:11:46,093 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-09 07:11:46,093 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-09 07:11:46,093 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-09 07:11:46,093 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-09 07:11:46,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-09 07:11:46,093 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-09 07:11:46,093 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-09 07:11:46,109 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-09 07:11:46,109 [root] DEBUG: attempting to configure 'Human' from data
2025-12-09 07:11:46,109 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-09 07:11:46,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-09 07:11:46,109 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-09 07:11:46,109 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-09 07:11:46,109 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-09 07:11:46,109 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-09 07:11:46,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-09 07:11:46,109 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-09 07:11:46,109 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-09 07:11:46,109 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-09 07:11:46,109 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-09 07:11:46,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-09 07:11:46,109 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-09 07:11:46,109 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-09 07:11:46,109 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-09 07:11:46,109 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-09 07:11:46,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-09 07:11:46,203 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-09 07:11:46,249 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-09 07:11:46,265 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-09 07:11:46,265 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-09 07:11:46,265 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-09 07:11:46,265 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-09 07:11:46,265 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-09 07:11:46,265 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 448
2025-12-09 07:11:46,265 [lib.api.process] INFO: Monitor config for <Process 448 lsass.exe>: C:\tmpe2ctq1nb\dll\448.ini
2025-12-09 07:11:46,281 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-12-09 07:11:46,281 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:11:46,296 [root] DEBUG: Loader: Injecting process 448 with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:11:46,296 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-09 07:11:46,312 [root] DEBUG: 448: Python path set to 'C:\Python38'.
2025-12-09 07:11:46,312 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:46,312 [root] DEBUG: 448: TLS secret dump mode enabled.
2025-12-09 07:11:46,312 [root] DEBUG: 448: Monitor initialised: 64-bit capemon loaded in process 448 at 0x000007FEF3CA0000, thread 760, image base 0x00000000FF850000, stack from 0x0000000001864000-0x0000000001870000
2025-12-09 07:11:46,312 [root] DEBUG: 448: Commandline: C:\Windows\system32\lsass.exe
2025-12-09 07:11:46,328 [root] DEBUG: 448: Hooked 5 out of 5 functions
2025-12-09 07:11:46,328 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:11:46,328 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:11:46,328 [lib.api.process] INFO: Injected into 64-bit <Process 448 lsass.exe>
2025-12-09 07:11:46,328 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-09 07:11:46,328 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-09 07:11:46,328 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-09 07:11:46,328 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-09 07:11:46,328 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-09 07:11:46,328 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-09 07:11:46,328 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-09 07:11:46,328 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-09 07:11:46,328 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-09 07:11:46,328 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-09 07:11:46,343 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-09 07:11:46,343 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-09 07:11:46,390 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-09 07:11:46,406 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-09 07:11:46,453 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-09 07:11:46,468 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-09 07:11:46,484 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-09 07:11:46,500 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-09 07:11:46,515 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-09 07:11:46,531 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-09 07:11:46,531 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-09 07:11:46,546 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-09 07:11:46,562 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-09 07:11:46,578 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-09 07:11:46,593 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-09 07:11:46,609 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-09 07:11:46,640 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-09 07:11:46,640 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-09 07:11:46,656 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-09 07:11:46,671 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-09 07:11:46,687 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-09 07:11:46,687 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-09 07:11:46,703 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-09 07:11:46,718 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-09 07:11:46,734 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-09 07:11:46,750 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-09 07:11:46,765 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-09 07:11:46,781 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-09 07:11:46,796 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-09 07:11:46,812 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:11:46,828 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:11:46,843 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-09 07:11:46,859 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-09 07:11:46,875 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-09 07:11:46,890 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-09 07:11:46,906 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-09 07:11:46,921 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-09 07:11:46,937 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-09 07:11:46,953 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-09 07:11:46,953 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-09 07:11:46,968 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-09 07:11:46,984 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-09 07:11:47,000 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-09 07:11:47,015 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-09 07:11:47,031 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-09 07:11:47,046 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-09 07:11:47,062 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-09 07:11:47,078 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-09 07:11:47,093 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-09 07:11:47,109 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-09 07:11:47,125 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-09 07:11:47,140 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-09 07:11:47,156 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-09 07:11:47,171 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-09 07:11:47,187 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-09 07:11:47,203 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-09 07:11:47,218 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-09 07:11:47,234 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-09 07:11:47,249 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-09 07:11:47,265 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-09 07:11:47,296 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-09 07:11:47,296 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-09 07:11:51,562 [root] INFO: Restarting WMI Service
2025-12-09 07:11:53,593 [root] DEBUG: package modules.packages.dll does not support configure, ignoring
2025-12-09 07:11:53,593 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'
2025-12-09 07:11:53,593 [lib.common.common] INFO: Submitted file is missing extension, adding .dll
2025-12-09 07:11:53,593 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-09 07:11:53,593 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\red_core.exe.dll",#1" with pid 2648
2025-12-09 07:11:53,593 [lib.api.process] INFO: Monitor config for <Process 2648 rundll32.exe>: C:\tmpe2ctq1nb\dll\2648.ini
2025-12-09 07:11:53,593 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpe2ctq1nb\dll\YOHostJz.dll, loader C:\tmpe2ctq1nb\bin\ESyjZHE.exe
2025-12-09 07:11:53,609 [root] DEBUG: Loader: Injecting process 2648 (thread 2728) with C:\tmpe2ctq1nb\dll\YOHostJz.dll.
2025-12-09 07:11:53,609 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:11:53,609 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\YOHostJz.dll.
2025-12-09 07:11:53,609 [lib.api.process] INFO: Injected into 32-bit <Process 2648 rundll32.exe>
2025-12-09 07:11:55,609 [lib.api.process] INFO: Successfully resumed <Process 2648 rundll32.exe>
2025-12-09 07:11:55,640 [root] DEBUG: 2648: Python path set to 'C:\Python38'.
2025-12-09 07:11:55,640 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:55,640 [root] DEBUG: 2648: Dropped file limit defaulting to 100.
2025-12-09 07:11:55,640 [root] DEBUG: 2648: YaraInit: Compiled 41 rule files
2025-12-09 07:11:55,640 [root] DEBUG: 2648: YaraInit: Compiled rules saved to file C:\tmpe2ctq1nb\data\yara\capemon.yac
2025-12-09 07:11:55,640 [root] DEBUG: 2648: YaraScan: Scanning 0x00FA0000, size 0xd260
2025-12-09 07:11:55,640 [root] DEBUG: 2648: Monitor initialised: 32-bit capemon loaded in process 2648 at 0x74110000, thread 2728, image base 0xfa0000, stack from 0xa4000-0xb0000
2025-12-09 07:11:55,640 [root] DEBUG: 2648: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\red_core.exe.dll",#1
2025-12-09 07:11:55,640 [root] DEBUG: 2648: GetAddressByYara: ModuleBase 0x77650000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:55,640 [root] DEBUG: 2648: hook_api: Warning - CreateProcessA export address 0x764D1072 differs from GetProcAddress -> 0x74442437 (AcLayers.DLL::0x12437)
2025-12-09 07:11:55,640 [root] DEBUG: 2648: hook_api: Warning - CreateProcessW export address 0x764D103D differs from GetProcAddress -> 0x744425AB (AcLayers.DLL::0x125ab)
2025-12-09 07:11:55,640 [root] DEBUG: 2648: hook_api: Warning - WinExec export address 0x76553301 differs from GetProcAddress -> 0x7444271F (AcLayers.DLL::0x1271f)
2025-12-09 07:11:55,656 [root] DEBUG: 2648: hook_api: Warning - CreateRemoteThreadEx export address 0x7658A337 differs from GetProcAddress -> 0x76BA403A (KERNELBASE.dll::0x1403a)
2025-12-09 07:11:55,656 [root] DEBUG: 2648: hook_api: Warning - UpdateProcThreadAttribute export address 0x7658ABB7 differs from GetProcAddress -> 0x76B9FA26 (KERNELBASE.dll::0xfa26)
2025-12-09 07:11:55,656 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:11:55,656 [root] DEBUG: 2648: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:11:55,656 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:11:55,656 [root] DEBUG: 2648: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:11:55,656 [root] DEBUG: 2648: Hooked 611 out of 613 functions
2025-12-09 07:11:55,656 [root] DEBUG: 2648: WoW64 detected: 64-bit ntdll base: 0x77490000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x774fb510, Wow64PrepareForException: 0x0
2025-12-09 07:11:55,656 [root] DEBUG: 2648: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x110000
2025-12-09 07:11:55,656 [root] INFO: Loaded monitor into process with pid 2648
2025-12-09 07:11:55,656 [root] DEBUG: 2648: caller_dispatch: Added region at 0x00FA0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00FA15D3, thread 2728).
2025-12-09 07:11:55,656 [root] DEBUG: 2648: YaraScan: Scanning 0x00FA0000, size 0xd260
2025-12-09 07:11:55,656 [root] DEBUG: 2648: ProcessImageBase: Main module image at 0x00FA0000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:11:55,671 [root] DEBUG: 2648: Target DLL loaded at 0x73FD0000: C:\Users\user\AppData\Local\Temp\red_core.exe (0x6c000 bytes).
2025-12-09 07:11:55,671 [root] DEBUG: 2648: YaraScan: Scanning 0x73FD0000, size 0x6a272
2025-12-09 07:11:55,687 [root] DEBUG: 2648: DLL loaded at 0x75FA0000: C:\Windows\syswow64\WININET (0x437000 bytes).
2025-12-09 07:11:55,687 [root] DEBUG: 2648: DLL loaded at 0x76AF0000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,687 [root] DEBUG: 2648: DLL loaded at 0x74F30000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,687 [root] DEBUG: 2648: DLL loaded at 0x76630000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,687 [root] DEBUG: 2648: DLL loaded at 0x752D0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2025-12-09 07:11:55,687 [root] DEBUG: 2648: DLL loaded at 0x752C0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2025-12-09 07:11:55,687 [root] DEBUG: 2648: DLL loaded at 0x76640000: C:\Windows\syswow64\iertutil (0x238000 bytes).
2025-12-09 07:11:55,687 [root] DEBUG: 2648: DLL loaded at 0x76ED0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2648: DLL loaded at 0x740A0000: C:\Windows\system32\WTSAPI32 (0xd000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2648: DLL loaded at 0x74050000: C:\Windows\system32\wevtapi (0x42000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2648: DLL loaded at 0x74C70000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2648: DLL loaded at 0x74C60000: C:\Windows\system32\WINNSI (0x7000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2648: caller_dispatch: Added region at 0x73FD0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x73FED6B1, thread 2728).
2025-12-09 07:11:55,703 [root] DEBUG: 2648: caller_dispatch: Scanning calling region at 0x73FD0000...
2025-12-09 07:11:55,703 [root] DEBUG: 2648: DLL loaded at 0x74040000: C:\Windows\SysWOW64\Secur32 (0x8000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2648: DLL loaded at 0x73FC0000: C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2648: DLL loaded at 0x75F30000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2648: DLL loaded at 0x73F60000: C:\Windows\system32\winhttp (0x58000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2648: DLL loaded at 0x73F10000: C:\Windows\system32\webio (0x50000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2648: DLL loaded at 0x73FB0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2648: DLL loaded at 0x73FA0000: C:\Windows\system32\napinsp (0x10000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2648: DLL loaded at 0x73F80000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2648: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2648: DLL loaded at 0x73F30000: C:\Windows\SysWOW64\DNSAPI (0x44000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2648: DLL loaded at 0x73F20000: C:\Windows\System32\winrnr (0x8000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2648: DLL loaded at 0x73EE0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2648: DLL loaded at 0x73ED0000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2648: DLL loaded at 0x74C30000: C:\Windows\SysWOW64\dhcpcsvc (0x12000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2648: DLL loaded at 0x74900000: C:\Windows\system32\uxtheme (0x80000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2648: DLL loaded at 0x73EB0000: C:\Windows\SysWOW64\dwmapi (0x13000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2648: DLL loaded at 0x74BD0000: C:\Windows\System32\wship6 (0x6000 bytes).
2025-12-09 07:11:56,734 [root] DEBUG: 2648: DLL loaded at 0x76B00000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2025-12-09 07:11:56,734 [root] DEBUG: 2648: DLL loaded at 0x73990000: C:\Windows\SysWOW64\FirewallAPI (0x76000 bytes).
2025-12-09 07:11:56,734 [root] DEBUG: 2648: api-rate-cap: LdrGetProcedureAddress hook disabled due to rate
2025-12-09 07:11:56,734 [root] DEBUG: 2648: api-rate-cap: LdrGetProcedureAddress hook disabled due to rate
2025-12-09 07:11:56,750 [root] DEBUG: 2648: DLL loaded at 0x77180000: C:\Windows\syswow64\COMDLG32 (0x7b000 bytes).
2025-12-09 07:11:56,750 [root] DEBUG: 2648: DLL loaded at 0x73900000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2025-12-09 07:11:56,750 [root] DEBUG: 2648: DLL loaded at 0x738C0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2025-12-09 07:11:56,750 [root] DEBUG: 2648: ProtectionHandler: Adding region at 0x10001000 to tracked regions.
2025-12-09 07:11:56,750 [root] DEBUG: 2648: DumpPEsInRange: Scanning range 0x10000000 - 0x1004C200.
2025-12-09 07:11:56,750 [root] DEBUG: 2648: ScanForDisguisedPE: PE image located at: 0x10000000
2025-12-09 07:11:56,750 [root] DEBUG: 2648: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-12-09 07:11:56,750 [root] DEBUG: 2648: DumpProcess: Instantiating PeParser with address: 0x10000000.
2025-12-09 07:11:56,750 [root] DEBUG: 2648: DumpProcess: Module entry point VA is 0x0001C50E.
2025-12-09 07:11:56,750 [root] DEBUG: 2648: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x1004D000, section 5
2025-12-09 07:11:56,765 [lib.common.results] INFO: Uploading file C:\VmtIcCTsP\CAPE\2648_307505651892122025 to CAPE\87982825681fd22d68877614bba19345454e0e14bbb33cc35158dce7c1324ff4; Size is 279040; Max size: 100000000
2025-12-09 07:11:56,765 [root] DEBUG: 2648: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:11:56,765 [root] DEBUG: 2648: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2025-12-09 07:11:56,765 [root] DEBUG: 2648: CreateProcessHandler: Injection info set for new process 1336: C:\Windows\SysWOW64\TASKKILL.exe, ImageBase: 0x00B30000
2025-12-09 07:11:56,765 [root] INFO: Announced 32-bit process name: taskkill.exe pid: 1336
2025-12-09 07:11:56,765 [lib.api.process] INFO: Monitor config for <Process 1336 taskkill.exe>: C:\tmpe2ctq1nb\dll\1336.ini
2025-12-09 07:11:56,781 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpe2ctq1nb\dll\YOHostJz.dll, loader C:\tmpe2ctq1nb\bin\ESyjZHE.exe
2025-12-09 07:11:56,781 [root] DEBUG: 2648: DumpProcess: Module image dump success - dump size 0x44200.
2025-12-09 07:11:56,781 [root] DEBUG: 2648: ScanForDisguisedPE: No PE image located in range 0x10001000-0x1004C200.
2025-12-09 07:11:56,781 [root] DEBUG: 2648: DumpRegion: Dumped PE image(s) from base address 0x10000000, size 315392 bytes.
2025-12-09 07:11:56,781 [root] DEBUG: 2648: ProcessTrackedRegion: Dumped region at 0x10000000.
2025-12-09 07:11:56,781 [root] DEBUG: 2648: YaraScan: Scanning 0x10000000, size 0x4c200
2025-12-09 07:11:56,781 [root] DEBUG: Loader: Injecting process 1336 (thread 532) with C:\tmpe2ctq1nb\dll\YOHostJz.dll.
2025-12-09 07:11:56,781 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:11:56,781 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\YOHostJz.dll.
2025-12-09 07:11:56,781 [root] DEBUG: 2648: DLL loaded at 0x73A00000: C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2025-12-09 07:11:56,781 [lib.api.process] INFO: Injected into 32-bit <Process 1336 taskkill.exe>
2025-12-09 07:11:56,796 [root] INFO: Announced 32-bit process name: taskkill.exe pid: 1336
2025-12-09 07:11:56,796 [lib.api.process] INFO: Monitor config for <Process 1336 taskkill.exe>: C:\tmpe2ctq1nb\dll\1336.ini
2025-12-09 07:11:56,796 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpe2ctq1nb\dll\YOHostJz.dll, loader C:\tmpe2ctq1nb\bin\ESyjZHE.exe
2025-12-09 07:11:56,796 [root] DEBUG: Loader: Injecting process 1336 (thread 532) with C:\tmpe2ctq1nb\dll\YOHostJz.dll.
2025-12-09 07:11:56,796 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:11:56,796 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\YOHostJz.dll.
2025-12-09 07:11:56,796 [lib.api.process] INFO: Injected into 32-bit <Process 1336 taskkill.exe>
2025-12-09 07:11:56,812 [root] DEBUG: 1336: Python path set to 'C:\Python38'.
2025-12-09 07:11:56,812 [root] DEBUG: 1336: Dropped file limit defaulting to 100.
2025-12-09 07:11:56,812 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:56,812 [root] DEBUG: 1336: YaraInit: Compiled rules loaded from existing file C:\tmpe2ctq1nb\data\yara\capemon.yac
2025-12-09 07:11:56,812 [root] DEBUG: 1336: YaraScan: Scanning 0x00B30000, size 0x15b2c
2025-12-09 07:11:56,812 [root] DEBUG: 1336: Monitor initialised: 32-bit capemon loaded in process 1336 at 0x74110000, thread 532, image base 0xb30000, stack from 0x236000-0x240000
2025-12-09 07:11:56,812 [root] DEBUG: 1336: Commandline: TASKKILL /F /IM rundll32.exe
2025-12-09 07:11:56,828 [root] DEBUG: 1336: GetAddressByYara: ModuleBase 0x77650000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:56,828 [root] DEBUG: 1336: hook_api: Warning - CreateRemoteThreadEx export address 0x7658A337 differs from GetProcAddress -> 0x76BA403A (KERNELBASE.dll::0x1403a)
2025-12-09 07:11:56,828 [root] DEBUG: 1336: hook_api: Warning - UpdateProcThreadAttribute export address 0x7658ABB7 differs from GetProcAddress -> 0x76B9FA26 (KERNELBASE.dll::0xfa26)
2025-12-09 07:11:56,828 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:11:56,828 [root] DEBUG: 1336: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:11:56,828 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:11:56,828 [root] DEBUG: 1336: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:11:56,828 [root] DEBUG: 1336: hook_api: Warning - NetUserGetInfo export address 0x739A528E differs from GetProcAddress -> 0x73881BE2 (SAMCLI.DLL::0x1be2)
2025-12-09 07:11:56,828 [root] DEBUG: 1336: hook_api: Warning - NetGetJoinInformation export address 0x739A4AD2 differs from GetProcAddress -> 0x73892C3F (wkscli.dll::0x2c3f)
2025-12-09 07:11:56,828 [root] DEBUG: 1336: hook_api: Warning - NetUserGetLocalGroups export address 0x739A52A4 differs from GetProcAddress -> 0x738828AA (SAMCLI.DLL::0x28aa)
2025-12-09 07:11:56,828 [root] DEBUG: 1336: hook_api: Warning - DsEnumerateDomainTrustsW export address 0x739A3C9E differs from GetProcAddress -> 0x7368B202 (LOGONCLI.DLL::0xb202)
2025-12-09 07:11:56,828 [root] DEBUG: 1336: Hooked 611 out of 613 functions
2025-12-09 07:11:56,828 [root] DEBUG: 1336: WoW64 detected: 64-bit ntdll base: 0x77490000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x774fb510, Wow64PrepareForException: 0x0
2025-12-09 07:11:56,828 [root] DEBUG: 1336: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1d0000
2025-12-09 07:11:56,828 [root] INFO: Loaded monitor into process with pid 1336
2025-12-09 07:11:56,828 [root] DEBUG: 1336: caller_dispatch: Added region at 0x00B30000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00B35CCC, thread 532).
2025-12-09 07:11:56,828 [root] DEBUG: 1336: YaraScan: Scanning 0x00B30000, size 0x15b2c
2025-12-09 07:11:56,828 [root] DEBUG: 1336: ProcessImageBase: Main module image at 0x00B30000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:11:56,843 [lib.api.process] INFO: Monitor config for <Process 556 svchost.exe>: C:\tmpe2ctq1nb\dll\556.ini
2025-12-09 07:11:56,843 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:11:56,843 [root] DEBUG: Loader: Injecting process 556 with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:11:56,843 [root] DEBUG: 556: Python path set to 'C:\Python38'.
2025-12-09 07:11:56,843 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:56,843 [root] DEBUG: 556: Dropped file limit defaulting to 100.
2025-12-09 07:11:56,843 [root] DEBUG: 556: parent_has_path: unable to get path for parent process 432
2025-12-09 07:11:56,843 [root] DEBUG: 556: YaraInit: Compiled rules loaded from existing file C:\tmpe2ctq1nb\data\yara\capemon.yac
2025-12-09 07:11:56,843 [root] DEBUG: 556: YaraScan: Scanning 0x00000000FF2E0000, size 0xa052
2025-12-09 07:11:56,843 [root] DEBUG: 556: Monitor initialised: 64-bit capemon loaded in process 556 at 0x000007FEF3CA0000, thread 860, image base 0x00000000FF2E0000, stack from 0x0000000001776000-0x0000000001780000
2025-12-09 07:11:56,843 [root] DEBUG: 556: Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch
2025-12-09 07:11:56,843 [root] DEBUG: 556: GetAddressByYara: ModuleBase 0x0000000077490000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:56,859 [root] WARNING: b'Unable to place hook on LockResource'
2025-12-09 07:11:56,859 [root] DEBUG: 556: set_hooks: Unable to hook LockResource
2025-12-09 07:11:56,859 [root] DEBUG: 556: Hooked 605 out of 606 functions
2025-12-09 07:11:56,875 [root] INFO: Loaded monitor into process with pid 556
2025-12-09 07:11:56,875 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:11:56,875 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:11:56,875 [lib.api.process] INFO: Injected into 64-bit <Process 556 svchost.exe>
2025-12-09 07:11:57,546 [root] DEBUG: 2648: api-cap: GetAsyncKeyState hook disabled due to count: 5000
2025-12-09 07:11:57,562 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2912, handle 0x5c: C:\Windows\System32\audiodg.exe
2025-12-09 07:11:57,625 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2008, handle 0x5f0: C:\Windows\System32\taskhost.exe
2025-12-09 07:11:58,290 [modules.auxiliary.human] INFO: Found button "ok", clicking it
2025-12-09 07:11:58,883 [lib.api.process] INFO: Monitor config for <Process 1184 svchost.exe>: C:\tmpe2ctq1nb\dll\1184.ini
2025-12-09 07:11:58,883 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:11:58,883 [root] DEBUG: Loader: Injecting process 1184 with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:11:58,883 [root] DEBUG: 1184: Python path set to 'C:\Python38'.
2025-12-09 07:11:58,883 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:58,883 [root] DEBUG: 1184: Dropped file limit defaulting to 100.
2025-12-09 07:11:58,883 [root] DEBUG: 1184: parent_has_path: unable to get path for parent process 432
2025-12-09 07:11:58,883 [root] DEBUG: 1184: YaraInit: Compiled rules loaded from existing file C:\tmpe2ctq1nb\data\yara\capemon.yac
2025-12-09 07:11:58,883 [root] DEBUG: 1184: YaraScan: Scanning 0x00000000FF2E0000, size 0xa052
2025-12-09 07:11:58,883 [root] DEBUG: 1184: Monitor initialised: 64-bit capemon loaded in process 1184 at 0x000007FEF3CA0000, thread 1264, image base 0x00000000FF2E0000, stack from 0x0000000000F86000-0x0000000000F90000
2025-12-09 07:11:58,883 [root] DEBUG: 1184: Commandline: C:\Windows\system32\svchost.exe -k netsvcs
2025-12-09 07:11:58,883 [root] DEBUG: 1184: GetAddressByYara: ModuleBase 0x0000000077490000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:58,899 [root] WARNING: b'Unable to place hook on LockResource'
2025-12-09 07:11:58,899 [root] DEBUG: 1184: set_hooks: Unable to hook LockResource
2025-12-09 07:11:58,915 [root] DEBUG: 1184: Hooked 605 out of 606 functions
2025-12-09 07:11:58,915 [root] INFO: Loaded monitor into process with pid 1184
2025-12-09 07:11:58,915 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:11:58,915 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:11:58,915 [lib.api.process] INFO: Injected into 64-bit <Process 1184 svchost.exe>
2025-12-09 07:11:59,290 [root] INFO: Process with pid 2648 has terminated
2025-12-09 07:11:59,305 [root] DEBUG: 2648: NtTerminateProcess hook: Attempting to dump process 2648
2025-12-09 07:11:59,321 [root] DEBUG: 2648: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:12:00,915 [root] DEBUG: 1336: DLL loaded at 0x76B00000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2025-12-09 07:12:00,915 [root] DEBUG: 1336: DLL loaded at 0x744B0000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2025-12-09 07:12:00,915 [root] DEBUG: 1336: DLL loaded at 0x74440000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2025-12-09 07:12:00,915 [root] DEBUG: 1336: DLL loaded at 0x740E0000: C:\Windows\system32\Winsta (0x29000 bytes).
2025-12-09 07:12:00,915 [root] DEBUG: 1336: DLL loaded at 0x72E70000: C:\Windows\SysWOW64\CRYPTSP (0x17000 bytes).
2025-12-09 07:12:00,915 [root] DEBUG: 1336: DLL loaded at 0x72E10000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2025-12-09 07:12:00,915 [root] DEBUG: 1336: DLL loaded at 0x74430000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2025-12-09 07:12:00,930 [root] DEBUG: 1184: DLL loaded at 0x000007FEF9670000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2025-12-09 07:12:00,930 [root] DEBUG: 1184: DLL loaded at 0x000007FEFABB0000: C:\Windows\system32\ATL (0x19000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 1184: DLL loaded at 0x000007FEF9F30000: C:\Windows\system32\VssTrace (0x17000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 1184: DLL loaded at 0x000007FEFAEA0000: C:\Windows\system32\samcli (0x14000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 1184: DLL loaded at 0x000007FEFB9E0000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 1184: DLL loaded at 0x000007FEFAEE0000: C:\Windows\system32\netutils (0xc000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 1184: DLL loaded at 0x000007FEFAA10000: C:\Windows\system32\es (0x67000 bytes).
2025-12-09 07:12:00,961 [root] DEBUG: 1184: DLL loaded at 0x000007FEFB8B0000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2025-12-09 07:12:00,977 [root] DEBUG: 1184: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:12:00,993 [root] DEBUG: 1184: DLL loaded at 0x000007FEF7D70000: C:\Windows\system32\wbem\wbemcore (0x12c000 bytes).
2025-12-09 07:12:00,993 [root] DEBUG: 1184: DLL loaded at 0x000007FEFC0C0000: C:\Windows\system32\VERSION (0xc000 bytes).
2025-12-09 07:12:00,993 [root] DEBUG: 1184: DLL loaded at 0x000007FEF7D00000: C:\Windows\system32\wbem\esscli (0x62000 bytes).
2025-12-09 07:12:00,993 [root] DEBUG: 1184: DLL loaded at 0x000007FEF7F40000: C:\Windows\system32\wbem\FastProx (0xd3000 bytes).
2025-12-09 07:12:01,008 [root] DEBUG: 1184: DLL loaded at 0x000007FEF7F10000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2025-12-09 07:12:01,008 [root] DEBUG: 1184: DLL loaded at 0x000007FEF7BE0000: C:\Windows\system32\wbem\wbemsvc (0x13000 bytes).
2025-12-09 07:12:01,008 [root] DEBUG: 1336: DLL loaded at 0x74400000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2025-12-09 07:12:01,008 [root] DEBUG: 1336: DLL loaded at 0x73F90000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2025-12-09 07:12:01,008 [root] DEBUG: 1336: DLL loaded at 0x740C0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2025-12-09 07:12:01,008 [root] DEBUG: 1184: DLL loaded at 0x000007FEFC9A0000: C:\Windows\system32\authZ (0x2f000 bytes).
2025-12-09 07:12:01,008 [root] DEBUG: 1184: DLL loaded at 0x000007FEF7BA0000: C:\Windows\system32\wbem\wmiutils (0x21000 bytes).
2025-12-09 07:12:01,024 [root] DEBUG: 1184: set_hooks_by_export_directory: Hooked 0 out of 606 functions
2025-12-09 07:12:01,024 [root] DEBUG: 1184: DLL loaded at 0x000007FEF7AD0000: C:\Windows\system32\wbem\repdrvfs (0x5a000 bytes).
2025-12-09 07:12:01,024 [root] DEBUG: 1184: DLL loaded at 0x000007FEFC9E0000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2025-12-09 07:12:01,165 [root] DEBUG: 1184: set_hooks_by_export_directory: Hooked 0 out of 606 functions
2025-12-09 07:12:01,165 [root] DEBUG: 1184: DLL loaded at 0x000007FEF7A10000: C:\Windows\system32\wbem\wmiprvsd (0xb5000 bytes).
2025-12-09 07:12:01,165 [root] DEBUG: 1184: DLL loaded at 0x000007FEF79F0000: C:\Windows\system32\NCObjAPI (0x12000 bytes).
2025-12-09 07:12:01,180 [root] DEBUG: 1184: OpenProcessHandler: Injection info created for process 556, handle 0x2c4: C:\Windows\System32\svchost.exe
2025-12-09 07:12:01,180 [root] DEBUG: 1184: DLL loaded at 0x000007FEF1880000: C:\Windows\system32\wbem\wbemess (0x71000 bytes).
2025-12-09 07:12:01,290 [root] DEBUG: 556: CreateProcessHandler: Injection info set for new process 1268: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x000000013F260000
2025-12-09 07:12:01,290 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 1268
2025-12-09 07:12:01,290 [lib.api.process] INFO: Monitor config for <Process 1268 WmiPrvSE.exe>: C:\tmpe2ctq1nb\dll\1268.ini
2025-12-09 07:12:01,305 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:12:01,305 [root] DEBUG: 1184: DLL loaded at 0x000007FEF7970000: C:\Windows\system32\wbem\ncprov (0x17000 bytes).
2025-12-09 07:12:01,305 [root] DEBUG: Loader: Injecting process 1268 (thread 740) with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:01,321 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:12:01,321 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:01,321 [lib.api.process] INFO: Injected into 64-bit <Process 1268 WmiPrvSE.exe>
2025-12-09 07:12:01,321 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 1268
2025-12-09 07:12:01,321 [lib.api.process] INFO: Monitor config for <Process 1268 WmiPrvSE.exe>: C:\tmpe2ctq1nb\dll\1268.ini
2025-12-09 07:12:01,321 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:12:01,321 [root] DEBUG: Loader: Injecting process 1268 (thread 740) with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:01,321 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:12:01,321 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:01,321 [lib.api.process] INFO: Injected into 64-bit <Process 1268 WmiPrvSE.exe>
2025-12-09 07:12:01,336 [root] DEBUG: 1268: Python path set to 'C:\Python38'.
2025-12-09 07:12:01,336 [root] DEBUG: 1268: Dropped file limit defaulting to 100.
2025-12-09 07:12:01,336 [root] INFO: Disabling sleep skipping.
2025-12-09 07:12:01,336 [root] DEBUG: 1268: Services hook set enabled
2025-12-09 07:12:01,336 [root] DEBUG: 1268: YaraInit: Compiled rules loaded from existing file C:\tmpe2ctq1nb\data\yara\capemon.yac
2025-12-09 07:12:01,336 [root] DEBUG: 1268: Monitor initialised: 64-bit capemon loaded in process 1268 at 0x000007FEF3CA0000, thread 740, image base 0x000000013F260000, stack from 0x0000000000230000-0x0000000000240000
2025-12-09 07:12:01,336 [root] DEBUG: 1268: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2025-12-09 07:12:01,352 [root] DEBUG: 1268: Hooked 69 out of 69 functions
2025-12-09 07:12:01,352 [root] INFO: Loaded monitor into process with pid 1268
2025-12-09 07:12:01,352 [root] DEBUG: 1268: DLL loaded at 0x000007FEFCE40000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2025-12-09 07:12:01,352 [root] DEBUG: 1268: DLL loaded at 0x000007FEFAD00000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2025-12-09 07:12:01,368 [root] DEBUG: 1268: DLL loaded at 0x000007FEFE0A0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2025-12-09 07:12:01,368 [root] DEBUG: 1268: DLL loaded at 0x000007FEFE6B0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2025-12-09 07:12:01,368 [root] DEBUG: 1268: DLL loaded at 0x000007FEF8650000: C:\Windows\system32\wbem\wbemprox (0xe000 bytes).
2025-12-09 07:12:01,368 [root] DEBUG: 1268: DLL loaded at 0x000007FEFC780000: C:\Windows\system32\CRYPTSP (0x18000 bytes).
2025-12-09 07:12:01,383 [root] DEBUG: 1268: DLL loaded at 0x000007FEFC480000: C:\Windows\system32\rsaenh (0x47000 bytes).
2025-12-09 07:12:01,383 [root] DEBUG: 1268: DLL loaded at 0x000007FEFCF30000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2025-12-09 07:12:01,383 [root] DEBUG: 1268: DLL loaded at 0x000007FEF7BE0000: C:\Windows\system32\wbem\wbemsvc (0x13000 bytes).
2025-12-09 07:12:01,399 [root] DEBUG: 1184: OpenProcessHandler: Injection info created for process 1268, handle 0x540: C:\Windows\System32\wbem\WmiPrvSE.exe
2025-12-09 07:12:01,399 [root] DEBUG: 1268: DLL loaded at 0x000007FEF7BA0000: C:\Windows\system32\wbem\wmiutils (0x21000 bytes).
2025-12-09 07:12:01,415 [root] DEBUG: 1268: DLL loaded at 0x000007FEF1680000: C:\Windows\system32\wbem\cimwin32 (0x1fa000 bytes).
2025-12-09 07:12:01,415 [root] DEBUG: 1268: DLL loaded at 0x000007FEF43D0000: C:\Windows\system32\framedynos (0x43000 bytes).
2025-12-09 07:12:01,461 [root] DEBUG: 1268: DLL loaded at 0x000007FEFB240000: C:\Windows\system32\WINBRAND (0x8000 bytes).
2025-12-09 07:12:01,477 [root] DEBUG: 1336: NtTerminateProcess hook: Attempting to dump process 1336
2025-12-09 07:12:01,477 [root] DEBUG: 1336: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:12:01,477 [root] INFO: Process with pid 1336 has terminated
2025-12-09 07:12:12,196 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2240, handle 0x5f4: C:\Windows\System32\taskeng.exe
2025-12-09 07:12:12,336 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2728, handle 0x5f4: C:\Windows\System32\taskeng.exe
2025-12-09 07:12:12,915 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2620, handle 0x5f4: C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe
2025-12-09 07:12:12,993 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2256, handle 0x5f0: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
2025-12-09 07:12:13,071 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 1548, handle 0x5f0: C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe
2025-12-09 07:12:21,602 [root] DEBUG: 1184: caller_dispatch: Added region at 0x00000000FF2E0000 to tracked regions list (ntdll::NtWaitForSingleObject returns to 0x00000000FF2E1318, thread 2732).
2025-12-09 07:12:21,649 [root] DEBUG: 1184: YaraScan: Scanning 0x00000000FF2E0000, size 0xa052
2025-12-09 07:12:21,649 [root] DEBUG: 1184: ProcessImageBase: Main module image at 0x00000000FF2E0000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:12:32,133 [root] DEBUG: 556: CreateProcessHandler: Injection info set for new process 1620: C:\Windows\system32\DllHost.exe, ImageBase: 0x00000000FFA70000
2025-12-09 07:12:32,211 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 1620
2025-12-09 07:12:32,211 [lib.api.process] INFO: Monitor config for <Process 1620 dllhost.exe>: C:\tmpe2ctq1nb\dll\1620.ini
2025-12-09 07:12:32,258 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:12:32,540 [root] DEBUG: Loader: Injecting process 1620 (thread 224) with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:32,586 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:12:32,665 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:32,711 [lib.api.process] INFO: Injected into 64-bit <Process 1620 dllhost.exe>
2025-12-09 07:12:32,711 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 1620
2025-12-09 07:12:32,711 [lib.api.process] INFO: Monitor config for <Process 1620 dllhost.exe>: C:\tmpe2ctq1nb\dll\1620.ini
2025-12-09 07:12:32,790 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:12:33,352 [root] DEBUG: Loader: Injecting process 1620 (thread 224) with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:33,352 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:12:33,415 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:33,461 [lib.api.process] INFO: Injected into 64-bit <Process 1620 dllhost.exe>
2025-12-09 07:12:33,743 [root] DEBUG: 1620: Python path set to 'C:\Python38'.
2025-12-09 07:12:33,790 [root] DEBUG: 1620: Dropped file limit defaulting to 100.
2025-12-09 07:12:33,930 [root] INFO: Disabling sleep skipping.
2025-12-09 07:12:33,930 [root] DEBUG: 1620: YaraInit: Compiled rules loaded from existing file C:\tmpe2ctq1nb\data\yara\capemon.yac
2025-12-09 07:12:33,977 [root] DEBUG: 1620: YaraScan: Scanning 0x00000000FFA70000, size 0x6012
2025-12-09 07:12:33,977 [root] DEBUG: 1620: Monitor initialised: 64-bit capemon loaded in process 1620 at 0x000007FEF3CA0000, thread 224, image base 0x00000000FFA70000, stack from 0x0000000000175000-0x0000000000180000
2025-12-09 07:12:34,071 [root] DEBUG: 1620: Commandline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
2025-12-09 07:12:34,071 [root] DEBUG: 1620: GetAddressByYara: ModuleBase 0x0000000077490000 FunctionName LdrpCallInitRoutine
2025-12-09 07:12:34,165 [root] WARNING: b'Unable to place hook on LockResource'
2025-12-09 07:12:34,165 [root] DEBUG: 1620: set_hooks: Unable to hook LockResource
2025-12-09 07:12:34,227 [root] DEBUG: 1620: Hooked 605 out of 606 functions
2025-12-09 07:12:34,227 [root] INFO: Loaded monitor into process with pid 1620
2025-12-09 07:12:34,290 [root] DEBUG: 1620: caller_dispatch: Added region at 0x00000000FFA70000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00000000FFA711B5, thread 224).
2025-12-09 07:12:34,290 [root] DEBUG: 1620: YaraScan: Scanning 0x00000000FFA70000, size 0x6012
2025-12-09 07:12:34,352 [root] DEBUG: 1620: ProcessImageBase: Main module image at 0x00000000FFA70000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:12:34,352 [root] DEBUG: 1620: DLL loaded at 0x000007FEFCE40000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2025-12-09 07:12:34,415 [root] DEBUG: 1620: DLL loaded at 0x000007FEFE6B0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2025-12-09 07:12:34,415 [root] DEBUG: 1620: DLL loaded at 0x000007FEFE3D0000: C:\Windows\system32\OLEAUT32 (0xdb000 bytes).
2025-12-09 07:12:34,602 [root] DEBUG: 1620: DLL loaded at 0x000007FEFC780000: C:\Windows\system32\CRYPTSP (0x18000 bytes).
2025-12-09 07:12:34,602 [root] DEBUG: 1620: DLL loaded at 0x000007FEFC480000: C:\Windows\system32\rsaenh (0x47000 bytes).
2025-12-09 07:12:34,696 [root] DEBUG: 1620: DLL loaded at 0x000007FEFCF30000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2025-12-09 07:12:34,711 [root] DEBUG: 1620: DLL loaded at 0x000007FEFB850000: C:\Windows\system32\uxtheme (0x56000 bytes).
2025-12-09 07:12:35,415 [root] DEBUG: 1620: DLL loaded at 0x000007FEFD540000: C:\Windows\System32\wininet (0x4ac000 bytes).
2025-12-09 07:12:35,415 [root] DEBUG: 1620: DLL loaded at 0x000007FEFD2E0000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:35,508 [root] DEBUG: 1620: DLL loaded at 0x000007FEFD2D0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:35,508 [root] DEBUG: 1620: DLL loaded at 0x000007FEFD0A0000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:35,586 [root] DEBUG: 1620: DLL loaded at 0x000007FEFC0C0000: C:\Windows\system32\version (0xc000 bytes).
2025-12-09 07:12:35,586 [root] DEBUG: 1620: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2025-12-09 07:12:35,711 [root] DEBUG: 1620: DLL loaded at 0x0000000077630000: C:\Windows\system32\normaliz (0x3000 bytes).
2025-12-09 07:12:35,711 [root] DEBUG: 1620: DLL loaded at 0x000007FEFE100000: C:\Windows\system32\iertutil (0x2cc000 bytes).
2025-12-09 07:12:35,790 [root] DEBUG: 1620: DLL loaded at 0x000007FEFD0B0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2025-12-09 07:12:35,790 [root] DEBUG: 1620: DLL loaded at 0x000007FEFD080000: C:\Windows\system32\USERENV (0x1f000 bytes).
2025-12-09 07:12:35,868 [root] DEBUG: 1620: DLL loaded at 0x000007FEFCFF0000: C:\Windows\system32\profapi (0xf000 bytes).
2025-12-09 07:12:35,868 [root] DEBUG: 1620: DLL loaded at 0x000007FEFD040000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:36,055 [root] DEBUG: 1620: DLL loaded at 0x000007FEFCBF0000: C:\Windows\system32\Secur32 (0xb000 bytes).
2025-12-09 07:12:36,055 [root] DEBUG: 1620: DLL loaded at 0x000007FEFE750000: C:\Windows\system32\SHELL32 (0xd8b000 bytes).
2025-12-09 07:12:36,149 [root] DEBUG: 1620: DLL loaded at 0x000007FEF9FC0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2025-12-09 07:12:36,196 [root] DEBUG: 1620: DLL loaded at 0x000007FEF92C0000: C:\Windows\system32\winhttp (0x71000 bytes).
2025-12-09 07:12:36,290 [root] DEBUG: 1620: DLL loaded at 0x000007FEF9250000: C:\Windows\system32\webio (0x65000 bytes).
2025-12-09 07:12:36,290 [root] DEBUG: 1620: DLL loaded at 0x000007FEFC720000: C:\Windows\system32\mswsock (0x55000 bytes).
2025-12-09 07:12:36,368 [root] DEBUG: 1620: DLL loaded at 0x000007FEFC710000: C:\Windows\System32\wship6 (0x7000 bytes).
2025-12-09 07:12:36,368 [root] DEBUG: 1620: DLL loaded at 0x000007FEFA8B0000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2025-12-09 07:12:36,493 [root] DEBUG: 1620: DLL loaded at 0x000007FEFA920000: C:\Windows\system32\WINNSI (0xb000 bytes).
2025-12-09 07:12:41,602 [root] INFO: Added new file to list with pid None and path C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
2025-12-09 07:12:41,602 [root] INFO: Process with pid 1620 has terminated
2025-12-09 07:12:41,649 [root] DEBUG: 1620: NtTerminateProcess hook: Attempting to dump process 1620
2025-12-09 07:12:41,696 [root] DEBUG: 1620: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:12:42,368 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2056, handle 0x604: C:\Windows\System32\schtasks.exe
2025-12-09 07:12:42,852 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2988, handle 0x604: C:\Windows\System32\schtasks.exe
2025-12-09 07:12:43,258 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 504, handle 0x604: C:\Windows\System32\schtasks.exe
2025-12-09 07:12:44,633 [root] DEBUG: 556: CreateProcessHandler: Injection info set for new process 1932: C:\Windows\system32\DllHost.exe, ImageBase: 0x00000000FF300000
2025-12-09 07:12:44,649 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 1932
2025-12-09 07:12:44,649 [lib.api.process] INFO: Monitor config for <Process 1932 dllhost.exe>: C:\tmpe2ctq1nb\dll\1932.ini
2025-12-09 07:12:44,649 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:12:44,680 [root] DEBUG: Loader: Injecting process 1932 (thread 300) with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:44,680 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:12:44,696 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:44,696 [lib.api.process] INFO: Injected into 64-bit <Process 1932 dllhost.exe>
2025-12-09 07:12:44,696 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 1932
2025-12-09 07:12:44,696 [lib.api.process] INFO: Monitor config for <Process 1932 dllhost.exe>: C:\tmpe2ctq1nb\dll\1932.ini
2025-12-09 07:12:44,696 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:12:44,711 [root] DEBUG: Loader: Injecting process 1932 (thread 300) with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:44,711 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:12:44,711 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:12:44,711 [lib.api.process] INFO: Injected into 64-bit <Process 1932 dllhost.exe>
2025-12-09 07:12:44,727 [root] DEBUG: 1932: Python path set to 'C:\Python38'.
2025-12-09 07:12:44,727 [root] DEBUG: 1932: Dropped file limit defaulting to 100.
2025-12-09 07:12:44,727 [root] INFO: Disabling sleep skipping.
2025-12-09 07:12:44,743 [root] DEBUG: 1932: YaraInit: Compiled rules loaded from existing file C:\tmpe2ctq1nb\data\yara\capemon.yac
2025-12-09 07:12:44,743 [root] DEBUG: 1932: YaraScan: Scanning 0x00000000FF300000, size 0x6012
2025-12-09 07:12:44,758 [root] DEBUG: 1932: Monitor initialised: 64-bit capemon loaded in process 1932 at 0x000007FEF3CA0000, thread 300, image base 0x00000000FF300000, stack from 0x0000000000315000-0x0000000000320000
2025-12-09 07:12:44,758 [root] DEBUG: 1932: Commandline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
2025-12-09 07:12:44,758 [root] DEBUG: 1932: GetAddressByYara: ModuleBase 0x0000000077490000 FunctionName LdrpCallInitRoutine
2025-12-09 07:12:44,774 [root] WARNING: b'Unable to place hook on LockResource'
2025-12-09 07:12:44,774 [root] DEBUG: 1932: set_hooks: Unable to hook LockResource
2025-12-09 07:12:44,805 [root] DEBUG: 1932: Hooked 605 out of 606 functions
2025-12-09 07:12:44,805 [root] INFO: Loaded monitor into process with pid 1932
2025-12-09 07:12:44,805 [root] DEBUG: 1932: caller_dispatch: Added region at 0x00000000FF300000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00000000FF3011B5, thread 300).
2025-12-09 07:12:44,805 [root] DEBUG: 1932: YaraScan: Scanning 0x00000000FF300000, size 0x6012
2025-12-09 07:12:44,805 [root] DEBUG: 1932: ProcessImageBase: Main module image at 0x00000000FF300000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:12:44,805 [root] DEBUG: 1932: DLL loaded at 0x000007FEFCE40000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2025-12-09 07:12:44,821 [root] DEBUG: 1932: DLL loaded at 0x000007FEFE6B0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2025-12-09 07:12:44,821 [root] DEBUG: 1932: DLL loaded at 0x000007FEFE3D0000: C:\Windows\system32\OLEAUT32 (0xdb000 bytes).
2025-12-09 07:12:44,821 [root] DEBUG: 1932: DLL loaded at 0x000007FEFC780000: C:\Windows\system32\CRYPTSP (0x18000 bytes).
2025-12-09 07:12:44,821 [root] DEBUG: 1932: DLL loaded at 0x000007FEFC480000: C:\Windows\system32\rsaenh (0x47000 bytes).
2025-12-09 07:12:44,821 [root] DEBUG: 1932: DLL loaded at 0x000007FEFCF30000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2025-12-09 07:12:44,868 [root] DEBUG: 1932: DLL loaded at 0x000007FEFB850000: C:\Windows\system32\uxtheme (0x56000 bytes).
2025-12-09 07:12:44,946 [root] DEBUG: 1932: DLL loaded at 0x000007FEFD540000: C:\Windows\System32\wininet (0x4ac000 bytes).
2025-12-09 07:12:44,977 [root] DEBUG: 1932: DLL loaded at 0x000007FEFD2E0000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:44,977 [root] DEBUG: 1932: DLL loaded at 0x000007FEFD2D0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:44,977 [root] DEBUG: 1932: DLL loaded at 0x000007FEFD0A0000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:44,977 [root] DEBUG: 1932: DLL loaded at 0x000007FEFC0C0000: C:\Windows\system32\version (0xc000 bytes).
2025-12-09 07:12:44,993 [root] DEBUG: 1932: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2025-12-09 07:12:45,024 [root] DEBUG: 1932: DLL loaded at 0x0000000077630000: C:\Windows\system32\normaliz (0x3000 bytes).
2025-12-09 07:12:45,024 [root] DEBUG: 1932: DLL loaded at 0x000007FEFE100000: C:\Windows\system32\iertutil (0x2cc000 bytes).
2025-12-09 07:12:45,024 [root] DEBUG: 1932: DLL loaded at 0x000007FEFD0B0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2025-12-09 07:12:45,024 [root] DEBUG: 1932: DLL loaded at 0x000007FEFD080000: C:\Windows\system32\USERENV (0x1f000 bytes).
2025-12-09 07:12:45,024 [root] DEBUG: 1932: DLL loaded at 0x000007FEFCFF0000: C:\Windows\system32\profapi (0xf000 bytes).
2025-12-09 07:12:45,024 [root] DEBUG: 1932: DLL loaded at 0x000007FEFD040000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:45,071 [root] DEBUG: 1932: DLL loaded at 0x000007FEFCBF0000: C:\Windows\system32\Secur32 (0xb000 bytes).
2025-12-09 07:12:45,071 [root] DEBUG: 1932: DLL loaded at 0x000007FEFE750000: C:\Windows\system32\SHELL32 (0xd8b000 bytes).
2025-12-09 07:12:45,071 [root] DEBUG: 1932: DLL loaded at 0x000007FEF9FC0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2025-12-09 07:12:45,102 [root] DEBUG: 1932: DLL loaded at 0x000007FEF92C0000: C:\Windows\system32\winhttp (0x71000 bytes).
2025-12-09 07:12:45,102 [root] DEBUG: 1932: DLL loaded at 0x000007FEF9250000: C:\Windows\system32\webio (0x65000 bytes).
2025-12-09 07:12:45,118 [root] DEBUG: 1932: DLL loaded at 0x000007FEFC720000: C:\Windows\system32\mswsock (0x55000 bytes).
2025-12-09 07:12:45,118 [root] DEBUG: 1932: DLL loaded at 0x000007FEFC710000: C:\Windows\System32\wship6 (0x7000 bytes).
2025-12-09 07:12:45,133 [root] DEBUG: 1932: DLL loaded at 0x000007FEFA8B0000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2025-12-09 07:12:45,133 [root] DEBUG: 1932: DLL loaded at 0x000007FEFA920000: C:\Windows\system32\WINNSI (0xb000 bytes).
2025-12-09 07:12:50,180 [root] INFO: Process with pid 1932 has terminated
2025-12-09 07:12:50,180 [root] DEBUG: 1932: NtTerminateProcess hook: Attempting to dump process 1932
2025-12-09 07:12:50,180 [root] DEBUG: 1932: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:13:06,493 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2084, handle 0x5f0: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
2025-12-09 07:13:06,711 [root] DEBUG: 556: CreateProcessHandler: Injection info set for new process 2488: C:\Windows\system32\DllHost.exe, ImageBase: 0x00000000FFE10000
2025-12-09 07:13:06,727 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 2488
2025-12-09 07:13:06,727 [lib.api.process] INFO: Monitor config for <Process 2488 dllhost.exe>: C:\tmpe2ctq1nb\dll\2488.ini
2025-12-09 07:13:06,758 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:13:06,790 [root] DEBUG: Loader: Injecting process 2488 (thread 908) with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:13:06,790 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:13:06,790 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:13:06,790 [lib.api.process] INFO: Injected into 64-bit <Process 2488 dllhost.exe>
2025-12-09 07:13:06,790 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 2488
2025-12-09 07:13:06,790 [lib.api.process] INFO: Monitor config for <Process 2488 dllhost.exe>: C:\tmpe2ctq1nb\dll\2488.ini
2025-12-09 07:13:06,790 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpe2ctq1nb\dll\kMmFpTMI.dll, loader C:\tmpe2ctq1nb\bin\rvHFiZWl.exe
2025-12-09 07:13:06,836 [root] DEBUG: Loader: Injecting process 2488 (thread 908) with C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:13:06,836 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:13:06,836 [root] DEBUG: Successfully injected DLL C:\tmpe2ctq1nb\dll\kMmFpTMI.dll.
2025-12-09 07:13:06,852 [lib.api.process] INFO: Injected into 64-bit <Process 2488 dllhost.exe>
2025-12-09 07:13:06,868 [root] DEBUG: 2488: Python path set to 'C:\Python38'.
2025-12-09 07:13:06,868 [root] DEBUG: 2488: Dropped file limit defaulting to 100.
2025-12-09 07:13:06,868 [root] INFO: Disabling sleep skipping.
2025-12-09 07:13:06,868 [root] DEBUG: 2488: YaraInit: Compiled rules loaded from existing file C:\tmpe2ctq1nb\data\yara\capemon.yac
2025-12-09 07:13:06,868 [root] DEBUG: 2488: YaraScan: Scanning 0x00000000FFE10000, size 0x6012
2025-12-09 07:13:06,868 [root] DEBUG: 2488: Monitor initialised: 64-bit capemon loaded in process 2488 at 0x000007FEF3CA0000, thread 908, image base 0x00000000FFE10000, stack from 0x0000000000216000-0x0000000000220000
2025-12-09 07:13:06,868 [root] DEBUG: 2488: Commandline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
2025-12-09 07:13:06,883 [root] DEBUG: 2488: GetAddressByYara: ModuleBase 0x0000000077490000 FunctionName LdrpCallInitRoutine
2025-12-09 07:13:06,899 [root] WARNING: b'Unable to place hook on LockResource'
2025-12-09 07:13:06,899 [root] DEBUG: 2488: set_hooks: Unable to hook LockResource
2025-12-09 07:13:06,915 [root] DEBUG: 2488: Hooked 605 out of 606 functions
2025-12-09 07:13:06,915 [root] INFO: Loaded monitor into process with pid 2488
2025-12-09 07:13:06,915 [root] DEBUG: 2488: caller_dispatch: Added region at 0x00000000FFE10000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00000000FFE111B5, thread 908).
2025-12-09 07:13:06,930 [root] DEBUG: 2488: YaraScan: Scanning 0x00000000FFE10000, size 0x6012
2025-12-09 07:13:06,930 [root] DEBUG: 2488: ProcessImageBase: Main module image at 0x00000000FFE10000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:13:06,930 [root] DEBUG: 2488: DLL loaded at 0x000007FEFCE40000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2025-12-09 07:13:06,930 [root] DEBUG: 2488: DLL loaded at 0x000007FEFE6B0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2025-12-09 07:13:06,930 [root] DEBUG: 2488: DLL loaded at 0x000007FEFE3D0000: C:\Windows\system32\OLEAUT32 (0xdb000 bytes).
2025-12-09 07:13:06,946 [root] DEBUG: 2488: DLL loaded at 0x000007FEFC780000: C:\Windows\system32\CRYPTSP (0x18000 bytes).
2025-12-09 07:13:06,946 [root] DEBUG: 2488: DLL loaded at 0x000007FEFC480000: C:\Windows\system32\rsaenh (0x47000 bytes).
2025-12-09 07:13:06,961 [root] DEBUG: 2488: DLL loaded at 0x000007FEFCF30000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2025-12-09 07:13:07,008 [root] DEBUG: 2488: DLL loaded at 0x000007FEFB850000: C:\Windows\system32\uxtheme (0x56000 bytes).
2025-12-09 07:13:07,055 [root] DEBUG: 2488: DLL loaded at 0x000007FEFD540000: C:\Windows\System32\wininet (0x4ac000 bytes).
2025-12-09 07:13:07,055 [root] DEBUG: 2488: DLL loaded at 0x000007FEFD2E0000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2025-12-09 07:13:07,071 [root] DEBUG: 2488: DLL loaded at 0x000007FEFD2D0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2025-12-09 07:13:07,071 [root] DEBUG: 2488: DLL loaded at 0x000007FEFD0A0000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2025-12-09 07:13:07,071 [root] DEBUG: 2488: DLL loaded at 0x000007FEFC0C0000: C:\Windows\system32\version (0xc000 bytes).
2025-12-09 07:13:07,071 [root] DEBUG: 2488: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2025-12-09 07:13:07,071 [root] DEBUG: 2488: DLL loaded at 0x0000000077630000: C:\Windows\system32\normaliz (0x3000 bytes).
2025-12-09 07:13:07,071 [root] DEBUG: 2488: DLL loaded at 0x000007FEFE100000: C:\Windows\system32\iertutil (0x2cc000 bytes).
2025-12-09 07:13:07,071 [root] DEBUG: 2488: DLL loaded at 0x000007FEFD0B0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2025-12-09 07:13:07,071 [root] DEBUG: 2488: DLL loaded at 0x000007FEFD080000: C:\Windows\system32\USERENV (0x1f000 bytes).
2025-12-09 07:13:07,086 [root] DEBUG: 2488: DLL loaded at 0x000007FEFCFF0000: C:\Windows\system32\profapi (0xf000 bytes).
2025-12-09 07:13:07,086 [root] DEBUG: 2488: DLL loaded at 0x000007FEFD040000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2025-12-09 07:13:07,102 [root] DEBUG: 2488: DLL loaded at 0x000007FEFCBF0000: C:\Windows\system32\Secur32 (0xb000 bytes).
2025-12-09 07:13:07,102 [root] DEBUG: 2488: DLL loaded at 0x000007FEFE750000: C:\Windows\system32\SHELL32 (0xd8b000 bytes).
2025-12-09 07:13:07,118 [root] DEBUG: 2488: DLL loaded at 0x000007FEF9FC0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2025-12-09 07:13:07,133 [root] DEBUG: 2488: DLL loaded at 0x000007FEF92C0000: C:\Windows\system32\winhttp (0x71000 bytes).
2025-12-09 07:13:07,133 [root] DEBUG: 2488: DLL loaded at 0x000007FEF9250000: C:\Windows\system32\webio (0x65000 bytes).
2025-12-09 07:13:07,165 [root] DEBUG: 2488: DLL loaded at 0x000007FEFC720000: C:\Windows\system32\mswsock (0x55000 bytes).
2025-12-09 07:13:07,165 [root] DEBUG: 2488: DLL loaded at 0x000007FEFC710000: C:\Windows\System32\wship6 (0x7000 bytes).
2025-12-09 07:13:07,180 [root] DEBUG: 2488: DLL loaded at 0x000007FEFA8B0000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2025-12-09 07:13:07,196 [root] DEBUG: 2488: DLL loaded at 0x000007FEFA920000: C:\Windows\system32\WINNSI (0xb000 bytes).
2025-12-09 07:13:12,165 [root] INFO: Process with pid 2488 has terminated
2025-12-09 07:13:12,180 [root] DEBUG: 2488: NtTerminateProcess hook: Attempting to dump process 2488
2025-12-09 07:13:12,180 [root] DEBUG: 2488: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:13:31,290 [root] DEBUG: 1268: NtTerminateProcess hook: Attempting to dump process 1268
2025-12-09 07:13:31,290 [root] DEBUG: 1268: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:13:31,290 [root] INFO: Process with pid 1268 has terminated
2025-12-09 07:14:55,758 [root] INFO: Analysis timeout hit, terminating analysis
2025-12-09 07:14:55,758 [lib.api.process] INFO: Terminate event set for <Process 556 svchost.exe>
2025-12-09 07:14:55,758 [root] DEBUG: 556: Terminate Event: Attempting to dump process 556
2025-12-09 07:14:55,758 [root] DEBUG: 556: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:14:55,758 [root] DEBUG: 556: Terminate Event: Current region empty
2025-12-09 07:14:55,758 [lib.api.process] INFO: Termination confirmed for <Process 556 svchost.exe>
2025-12-09 07:14:55,758 [root] DEBUG: 556: Terminate Event: CAPE shutdown complete for process 556
2025-12-09 07:14:55,758 [root] INFO: Terminate event set for process 556
2025-12-09 07:14:55,758 [lib.api.process] INFO: Terminate event set for <Process 1184 svchost.exe>
2025-12-09 07:14:55,758 [root] DEBUG: 1184: Terminate Event: Attempting to dump process 1184
2025-12-09 07:14:55,758 [root] DEBUG: 1184: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:14:55,758 [root] DEBUG: 1184: Terminate Event: Current region empty
2025-12-09 07:14:55,758 [lib.api.process] INFO: Termination confirmed for <Process 1184 svchost.exe>
2025-12-09 07:14:55,758 [root] DEBUG: 1184: Terminate Event: CAPE shutdown complete for process 1184
2025-12-09 07:14:55,758 [root] INFO: Terminate event set for process 1184
2025-12-09 07:14:55,758 [root] INFO: Created shutdown mutex
2025-12-09 07:14:56,758 [root] INFO: Shutting down package
2025-12-09 07:14:56,758 [root] INFO: Stopping auxiliary modules
2025-12-09 07:14:56,758 [root] INFO: Stopping auxiliary module: Browser
2025-12-09 07:14:56,758 [root] INFO: Stopping auxiliary module: Curtain
2025-12-09 07:14:56,805 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1765235696.805664.curtain.log; Size is 36; Max size: 100000000
2025-12-09 07:14:56,805 [root] INFO: Stopping auxiliary module: End_noisy_tasks
2025-12-09 07:14:56,805 [root] INFO: Stopping auxiliary module: Evtx
2025-12-09 07:14:56,805 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2025-12-09 07:14:56,805 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\HardwareEvents.evtx to zip dump
2025-12-09 07:14:56,821 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Internet Explorer.evtx to zip dump
2025-12-09 07:14:56,821 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Key Management Service.evtx to zip dump
2025-12-09 07:14:56,821 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Microsoft-Windows-Sysmon%4Operational.evtx to zip dump
2025-12-09 07:14:56,836 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\OAlerts.evtx to zip dump
2025-12-09 07:14:56,836 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Security.evtx to zip dump
2025-12-09 07:14:56,836 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Setup.evtx to zip dump
2025-12-09 07:14:56,836 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\System.evtx to zip dump
2025-12-09 07:14:56,852 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Windows PowerShell.evtx to zip dump
2025-12-09 07:14:56,868 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host
2025-12-09 07:14:56,868 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 101609; Max size: 100000000
2025-12-09 07:14:56,868 [root] INFO: Stopping auxiliary module: Human
2025-12-09 07:14:56,930 [root] INFO: Stopping auxiliary module: Pre_script
2025-12-09 07:14:56,930 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-09 07:15:01,368 [root] INFO: Stopping auxiliary module: Usage
2025-12-09 07:15:03,102 [root] INFO: Stopping auxiliary module: During_script
2025-12-09 07:15:03,102 [root] INFO: Finishing auxiliary modules
2025-12-09 07:15:03,102 [root] INFO: Shutting down pipe server and dumping dropped files
2025-12-09 07:15:03,102 [lib.common.results] INFO: Uploading file C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat to files\76583c27a362f61dfb9ae5b76b869851fab55c2c67559ac0534ebe82b390c072; Size is 128; Max size: 100000000
2025-12-09 07:15:03,102 [root] WARNING: Folder at path "C:\VmtIcCTsP\debugger" does not exist, skipping
2025-12-09 07:15:03,102 [root] WARNING: Folder at path "C:\VmtIcCTsP\tlsdump" does not exist, skipping
2025-12-09 07:15:03,102 [root] INFO: Analysis completed
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win7-64bit-3 | win7-64bit-3 | KVM | 2025-12-09 15:14:52 | 2025-12-09 15:18:15 | inetsim |
| File Name | red_core.exe |
|---|---|
| File Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| File Size | 1236992 bytes |
| MD5 | 1b6bcbb38921caf347df0a21955771a6 |
| SHA1 | f464ca710afb55186e842ecbc550b55174f9261c |
| SHA256 | 0c3fc578835db3d9fab6839b0501c274c0e0b739fa0d4c102e21d5f228468d87 |
| SHA3-384 | 317e2b885809218fa3a54956aace1ac0868d0e5f0d51bc29dfb221fe382d7327a30b4b8bf474ae0ad65eaa3e6725264a |
| CRC32 | D419F5E1 |
| TLSH | T13D45D010B681C437E0AB113445EB93765AAE78311B7AD4CBF7C49B3A2D616D1EB3438E |
| Ssdeep | 12288:y5j+6tvqy0JxsIWTrWqI4KxZdfh4gI/JA6hxc:y5j+6tvqyPLTrQzWvhx |
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | Compile Time | Import Hash | Exported DLL Name |
|---|---|---|---|---|---|---|---|
| 0x10000000 | 0x00012bf2 | 0x00067f0d | 0x0013206b | 5.1 | 2019-03-06 10:20:32 | 37e48d0816c7485d18b7cc3e0d8ed0a0 | XBoxDllShellCode.dll |
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x0002a106 | 0x0002a200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.67 |
| .rdata | 0x0002a600 | 0x0002c000 | 0x0000c99e | 0x0000ca00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.80 |
| .data | 0x00037000 | 0x00039000 | 0x0002d8ac | 0x00029200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.94 |
| .rsrc | 0x00060200 | 0x00067000 | 0x000001b4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.12 |
| .reloc | 0x00060400 | 0x00068000 | 0x0000311e | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.35 |
| Offset | 0x00063600 |
| Size | 0x000caa00 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x00067058 | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.80 | None |
| Name | Address |
|---|---|
| GetAsyncKeyState | 0x1002c2e0 |
| GetForegroundWindow | 0x1002c2e4 |
| GetKeyState | 0x1002c2e8 |
| GetWindowTextW | 0x1002c2ec |
| GetMessageW | 0x1002c2f0 |
| TranslateMessage | 0x1002c2f4 |
| RegisterClassExW | 0x1002c2f8 |
| CreateWindowExW | 0x1002c2fc |
| DefWindowProcW | 0x1002c300 |
| DispatchMessageW | 0x1002c304 |
| UnregisterClassW | 0x1002c308 |
| Name | Address |
|---|---|
| ImpersonateLoggedOnUser | 0x1002c000 |
| StartServiceW | 0x1002c004 |
| ChangeServiceConfig2W | 0x1002c008 |
| RegCreateKeyW | 0x1002c00c |
| OpenServiceW | 0x1002c010 |
| OpenSCManagerW | 0x1002c014 |
| CloseServiceHandle | 0x1002c018 |
| CreateServiceW | 0x1002c01c |
| CreateWellKnownSid | 0x1002c020 |
| CheckTokenMembership | 0x1002c024 |
| GetUserNameA | 0x1002c028 |
| RegOpenCurrentUser | 0x1002c02c |
| OpenProcessToken | 0x1002c030 |
| DuplicateToken | 0x1002c034 |
| GetTokenInformation | 0x1002c038 |
| RegOverridePredefKey | 0x1002c03c |
| OpenThreadToken | 0x1002c040 |
| GetUserNameW | 0x1002c044 |
| RegSetValueExW | 0x1002c048 |
| RegCloseKey | 0x1002c04c |
| AdjustTokenPrivileges | 0x1002c050 |
| RegOpenKeyExW | 0x1002c054 |
| DuplicateTokenEx | 0x1002c058 |
| RegOpenKeyExA | 0x1002c05c |
| LookupPrivilegeValueW | 0x1002c060 |
| SetTokenInformation | 0x1002c064 |
| CreateProcessAsUserW | 0x1002c068 |
| RegQueryValueExW | 0x1002c06c |
| Name | Address |
|---|---|
| SHGetSpecialFolderPathW | 0x1002c2d0 |
| Name | Address |
|---|---|
| CoInitializeEx | 0x1002c39c |
| CoUninitialize | 0x1002c3a0 |
| CoCreateInstance | 0x1002c3a4 |
| Name | Address |
|---|---|
| SysStringLen | 0x1002c2a0 |
| SysAllocString | 0x1002c2a4 |
| SysFreeString | 0x1002c2a8 |
| Name | Address |
|---|---|
| PathFileExistsW | 0x1002c2d8 |
| Name | Address |
|---|---|
| HttpQueryInfoA | 0x1002c324 |
| InternetOpenUrlA | 0x1002c328 |
| InternetSetOptionW | 0x1002c32c |
| HttpQueryInfoW | 0x1002c330 |
| InternetCloseHandle | 0x1002c334 |
| InternetOpenW | 0x1002c338 |
| Name | Address |
|---|---|
| WTSQueryUserToken | 0x1002c394 |
| Name | Address |
|---|---|
| CreateEnvironmentBlock | 0x1002c310 |
| DestroyEnvironmentBlock | 0x1002c314 |
| LoadUserProfileW | 0x1002c318 |
| UnloadUserProfile | 0x1002c31c |
| Name | Address |
|---|---|
| EvtSubscribe | 0x1002c3ac |
| EvtRender | 0x1002c3b0 |
| Name | Address |
|---|---|
| connect | 0x1002c340 |
| accept | 0x1002c344 |
| getpeername | 0x1002c348 |
| gethostname | 0x1002c34c |
| socket | 0x1002c350 |
| inet_ntoa | 0x1002c354 |
| listen | 0x1002c358 |
| send | 0x1002c35c |
| gethostbyname | 0x1002c360 |
| closesocket | 0x1002c364 |
| __WSAFDIsSet | 0x1002c368 |
| WSAStartup | 0x1002c36c |
| inet_addr | 0x1002c370 |
| select | 0x1002c374 |
| htons | 0x1002c378 |
| bind | 0x1002c37c |
| recv | 0x1002c380 |
| WSACleanup | 0x1002c384 |
| setsockopt | 0x1002c388 |
| WSAIoctl | 0x1002c38c |
| Name | Address |
|---|---|
| GetAdaptersInfo | 0x1002c074 |
| Name | Address |
|---|---|
| RpcBindingFree | 0x1002c2b0 |
| RpcStringBindingComposeW | 0x1002c2b4 |
| RpcBindingFromStringBindingW | 0x1002c2b8 |
| RpcStringFreeA | 0x1002c2bc |
| RpcStringBindingComposeA | 0x1002c2c0 |
| RpcStringFreeW | 0x1002c2c4 |
| RpcBindingFromStringBindingA | 0x1002c2c8 |
| Name | Address | Ordinal |
|---|---|---|
| _getopt_a@12 | 0x10002740 | 1 |
| _getopt_long_a@20 | 0x100027a0 | 2 |
| _getopt_long_only_a@20 | 0x10002810 | 3 |
| _getopt_long_only_w@20 | 0x10003410 | 4 |
| _getopt_long_w@20 | 0x100033a0 | 5 |
| _getopt_w@12 | 0x10003340 | 6 |
| optarg_a | 0x100668a8 | 7 |
| optarg_w | 0x100668a4 | 8 |
| opterr | 0x1006190c | 9 |
| optind | 0x1006178c | 10 |
| optopt | 0x10061aac | 11 |
| Discovery | Command and Control | Defense Evasion | Privilege Escalation |
|---|---|---|---|
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
No HTTP(s) requests performed.
No SMTP traffic performed.
No IRC requests performed.
No ICMP traffic performed.
No CIF Results
No Suricata Alerts
No Suricata TLS
No Suricata HTTP