Status: Clean

Analysis

Category FILE
Package dll
Started 2025-12-09 15:21:26
Completed 2025-12-09 15:21:53
Duration 27 seconds
Options vnc_port=5900
MalScore 1.7

Analysis Log
2025-12-06 18:31:41,801 [root] INFO: Date set to: 20251209T07:11:46, timeout set to: 180
2025-12-06 18:31:41,801 [root] DEBUG: Starting analyzer from: C:\tmpw7hn3wdo
2025-12-06 18:31:41,801 [root] DEBUG: Storing results at: C:\HNxZeWN
2025-12-06 18:31:41,801 [root] DEBUG: Pipe server name: \\.\PIPE\BsJripN
2025-12-06 18:31:41,801 [root] DEBUG: Python path: C:\Python38
2025-12-06 18:31:41,801 [root] INFO: analysis running as a normal user
2025-12-06 18:31:41,801 [root] INFO: analysis package specified: "dll"
2025-12-06 18:31:41,801 [root] DEBUG: importing analysis package module: "modules.packages.dll"...
2025-12-06 18:31:41,801 [root] DEBUG: imported analysis package "dll"
2025-12-06 18:31:41,801 [root] DEBUG: initializing analysis package "dll"...
2025-12-06 18:31:41,801 [lib.common.common] INFO: wrapping
2025-12-06 18:31:41,801 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-06 18:31:41,801 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\red_core.exe
2025-12-06 18:31:41,801 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2025-12-06 18:31:41,801 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2025-12-06 18:31:41,801 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2025-12-06 18:31:41,801 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2025-12-06 18:31:41,832 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-06 18:31:41,832 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-06 18:31:41,832 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-06 18:31:41,832 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-06 18:31:41,832 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-06 18:31:41,832 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-06 18:31:41,847 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-06 18:31:41,847 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-06 18:31:41,847 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-06 18:31:41,863 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-12-06 18:31:41,863 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-12-06 18:31:41,879 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-06 18:31:41,879 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-06 18:31:41,879 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-06 18:31:41,879 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-06 18:31:41,879 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-06 18:31:41,879 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-06 18:31:41,879 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-06 18:31:41,879 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-06 18:31:41,879 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-06 18:31:41,879 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-06 18:31:41,879 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-06 18:31:41,879 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-06 18:31:41,879 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-06 18:31:41,879 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-06 18:31:41,879 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-06 18:31:41,879 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-06 18:31:41,879 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-06 18:31:41,879 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-06 18:31:41,879 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.disguise: [WinError 5] Access is denied
2025-12-06 18:31:41,879 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-06 18:31:41,879 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-06 18:31:41,879 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-06 18:31:41,879 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-06 18:31:41,879 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-06 18:31:41,879 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-06 18:31:41,879 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-06 18:31:41,879 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-06 18:31:41,879 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-06 18:31:41,879 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-06 18:31:41,879 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-06 18:31:41,879 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-06 18:31:41,879 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-06 18:31:41,879 [root] DEBUG: attempting to configure 'Human' from data
2025-12-06 18:31:41,879 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-06 18:31:41,879 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-06 18:31:41,879 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-06 18:31:41,879 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-06 18:31:41,879 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-06 18:31:41,894 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-06 18:31:41,894 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-06 18:31:41,894 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-06 18:31:41,894 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-06 18:31:41,894 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-06 18:31:41,894 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-06 18:31:41,894 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-06 18:31:41,894 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-06 18:31:41,894 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-06 18:31:41,894 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-06 18:31:41,894 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-06 18:31:41,894 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-06 18:31:41,973 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-06 18:31:42,019 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-06 18:31:42,050 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-06 18:31:42,050 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-06 18:31:42,050 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-06 18:31:42,050 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-06 18:31:42,050 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-06 18:31:42,050 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 668
2025-12-06 18:31:42,050 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:42,050 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:42,050 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:42,050 [lib.api.process] DEBUG: Failed getting image name for pid 668
2025-12-06 18:31:42,050 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:42,050 [lib.api.process] DEBUG: Failed getting image name for pid 668
2025-12-06 18:31:42,050 [lib.api.process] DEBUG: Failed getting exit code for <Process 668 ???>
2025-12-06 18:31:42,050 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:42,050 [lib.api.process] DEBUG: Failed getting image name for pid 668
2025-12-06 18:31:42,050 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:42,050 [lib.api.process] DEBUG: Failed getting image name for pid 668
2025-12-06 18:31:42,050 [lib.api.process] WARNING: the <Process 668 ???> is not alive, injection aborted
2025-12-06 18:31:42,050 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-06 18:31:42,050 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-06 18:31:42,050 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-06 18:31:42,050 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-06 18:31:42,050 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-06 18:31:42,050 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-06 18:31:42,050 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-06 18:31:42,050 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-06 18:31:42,050 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-06 18:31:42,050 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-06 18:31:42,050 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-06 18:31:42,050 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-06 18:31:42,097 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-06 18:31:42,097 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-06 18:31:42,144 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-06 18:31:42,176 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-06 18:31:42,191 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-06 18:31:42,222 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-06 18:31:42,254 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-06 18:31:42,269 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-06 18:31:42,285 [root] INFO: Restarting WMI Service
2025-12-06 18:31:42,301 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-06 18:31:42,332 [root] DEBUG: package modules.packages.dll does not support configure, ignoring
2025-12-06 18:31:42,332 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'
2025-12-06 18:31:42,332 [lib.common.common] INFO: Submitted file is missing extension, adding .dll
2025-12-06 18:31:42,332 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-06 18:31:42,348 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\red_core.exe.dll",#1" with pid 1140
2025-12-06 18:31:42,348 [lib.api.process] INFO: Monitor config for <Process 1140 rundll32.exe>: C:\tmpw7hn3wdo\dll\1140.ini
2025-12-06 18:31:42,348 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpw7hn3wdo\dll\lHwYLJyL.dll, loader C:\tmpw7hn3wdo\bin\dvcRkcJ.exe
2025-12-06 18:31:42,348 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-06 18:31:42,363 [root] DEBUG: Loader: Injecting process 1140 (thread 1104) with C:\tmpw7hn3wdo\dll\lHwYLJyL.dll.
2025-12-06 18:31:42,363 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-06 18:31:42,363 [root] DEBUG: Successfully injected DLL C:\tmpw7hn3wdo\dll\lHwYLJyL.dll.
2025-12-06 18:31:42,363 [lib.api.process] INFO: Injected into 32-bit <Process 1140 rundll32.exe>
2025-12-06 18:31:42,363 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 1: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-06 18:31:42,379 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-06 18:31:42,394 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 1: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-06 18:31:42,410 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-06 18:31:42,426 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 1: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-06 18:31:42,441 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-06 18:31:42,473 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-06 18:31:42,504 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-06 18:31:42,535 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-06 18:31:42,566 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-06 18:31:42,598 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-06 18:31:42,613 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-06 18:31:42,644 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-06 18:31:42,676 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-06 18:31:42,707 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-06 18:31:42,738 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-06 18:31:42,769 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-06 18:31:42,785 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-06 18:31:42,816 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-06 18:31:42,847 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-06 18:31:42,879 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-06 18:31:42,910 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-06 18:31:42,925 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-06 18:31:42,957 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-06 18:31:42,988 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-06 18:31:43,019 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-06 18:31:43,050 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-06 18:31:43,082 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-06 18:31:43,113 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-06 18:31:43,129 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-06 18:31:43,160 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-06 18:31:43,191 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-06 18:31:43,222 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-06 18:31:43,254 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-06 18:31:43,269 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-06 18:31:43,300 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-06 18:31:43,332 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-06 18:31:43,363 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-06 18:31:43,394 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-06 18:31:43,410 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-06 18:31:43,441 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-06 18:31:43,472 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-06 18:31:43,504 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-06 18:31:43,519 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-06 18:31:43,551 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-06 18:31:43,582 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-06 18:31:43,613 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-06 18:31:43,629 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-06 18:31:43,660 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-06 18:31:43,691 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-06 18:31:43,722 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-06 18:31:44,378 [lib.api.process] INFO: Successfully resumed <Process 1140 rundll32.exe>
2025-12-06 18:31:44,410 [root] DEBUG: 1140: Python path set to 'C:\Python38'.
2025-12-06 18:31:44,410 [root] INFO: Disabling sleep skipping.
2025-12-06 18:31:44,410 [root] DEBUG: 1140: Dropped file limit defaulting to 100.
2025-12-06 18:31:44,425 [root] DEBUG: 1140: YaraInit: Compiled 41 rule files
2025-12-06 18:31:44,425 [root] DEBUG: 1140: YaraInit: Compiled rules saved to file C:\tmpw7hn3wdo\data\yara\capemon.yac
2025-12-06 18:31:44,425 [root] DEBUG: 1140: YaraScan: Scanning 0x00450000, size 0x136e8
2025-12-06 18:31:44,425 [root] DEBUG: Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
2025-12-06 18:31:44,425 [root] DEBUG: 1140: Monitor initialised: 32-bit capemon loaded in process 1140 at 0x73450000, thread 1104, image base 0x450000, stack from 0x2ff4000-0x3000000
2025-12-06 18:31:44,425 [root] DEBUG: 1140: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\red_core.exe.dll",#1
2025-12-06 18:31:44,425 [root] DEBUG: 1140: GetAddressByYara: ModuleBase 0x77030000 FunctionName LdrpCallInitRoutine
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: LdrpCallInitRoutine export address 0x770A2A30 obtained via GetFunctionAddress
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: Warning - CreateProcessA export address 0x75924110 differs from GetProcAddress -> 0x737422A0 (AcLayers.DLL::0x222a0)
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: Warning - CreateProcessW export address 0x759088E0 differs from GetProcAddress -> 0x737424E0 (AcLayers.DLL::0x224e0)
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: Warning - WinExec export address 0x7594E1C0 differs from GetProcAddress -> 0x737427A0 (AcLayers.DLL::0x227a0)
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: Warning - CreateRemoteThreadEx export address 0x7598866C differs from GetProcAddress -> 0x75BD7630 (KERNELBASE.dll::0x137630)
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: Warning - CoCreateInstance export address 0x76C0569D differs from GetProcAddress -> 0x756395D0 (combase.dll::0xd95d0)
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: Warning - CoCreateInstanceEx export address 0x76C056DC differs from GetProcAddress -> 0x7561C540 (combase.dll::0xbc540)
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: Warning - CoGetClassObject export address 0x76C05C6C differs from GetProcAddress -> 0x756051A0 (combase.dll::0xa51a0)
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: Warning - UpdateProcThreadAttribute export address 0x7598FFD2 differs from GetProcAddress -> 0x75BA47B0 (KERNELBASE.dll::0x1047b0)
2025-12-06 18:31:44,441 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-06 18:31:44,441 [root] DEBUG: 1140: set_hooks: Unable to hook GetCommandLineA
2025-12-06 18:31:44,441 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-06 18:31:44,441 [root] DEBUG: 1140: set_hooks: Unable to hook GetCommandLineW
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: Warning - CLSIDFromProgID export address 0x76C04ED6 differs from GetProcAddress -> 0x755D16A0 (combase.dll::0x716a0)
2025-12-06 18:31:44,441 [root] DEBUG: 1140: hook_api: Warning - CLSIDFromProgIDEx export address 0x76C04F13 differs from GetProcAddress -> 0x755D0500 (combase.dll::0x70500)
2025-12-06 18:31:44,441 [root] DEBUG: 1140: Hooked 611 out of 613 functions
2025-12-06 18:31:44,441 [root] DEBUG: 1140: Syscall hook installed, syscall logging level 1
2025-12-06 18:31:44,457 [root] DEBUG: 1140: WoW64fix: Windows version 10.0 not supported.
2025-12-06 18:31:44,457 [root] INFO: Loaded monitor into process with pid 1140
2025-12-06 18:31:44,457 [root] DEBUG: 1140: caller_dispatch: Added region at 0x00450000 to tracked regions list (ntdll::memcpy returns to 0x00455F1A, thread 1104).
2025-12-06 18:31:44,457 [root] DEBUG: 1140: YaraScan: Scanning 0x00450000, size 0x136e8
2025-12-06 18:31:44,457 [root] DEBUG: 1140: ProcessImageBase: Main module image at 0x00450000 unmodified (entropy change 0.000000e+00)
2025-12-06 18:31:44,457 [root] DEBUG: 1140: InstrumentationCallback: Added region at 0x758F0000 to tracked regions list (thread 1104).
2025-12-06 18:31:44,488 [root] DEBUG: 1140: DLL loaded at 0x72B10000: C:\Windows\SYSTEM32\WININET (0x455000 bytes).
2025-12-06 18:31:44,488 [root] DEBUG: 1140: DLL loaded at 0x74340000: C:\Windows\SYSTEM32\WTSAPI32 (0xf000 bytes).
2025-12-06 18:31:44,488 [root] DEBUG: 1140: DLL loaded at 0x73D20000: C:\Windows\SYSTEM32\USERENV (0x25000 bytes).
2025-12-06 18:31:44,488 [root] DEBUG: 1140: DLL loaded at 0x73390000: C:\Windows\SYSTEM32\wevtapi (0x49000 bytes).
2025-12-06 18:31:44,488 [root] DEBUG: 1140: DLL loaded at 0x74E90000: C:\Windows\SYSTEM32\IPHLPAPI (0x33000 bytes).
2025-12-06 18:31:44,488 [root] DEBUG: 1140: Target DLL loaded at 0x733E0000: C:\Users\user\AppData\Local\Temp\red_core.exe (0x6c000 bytes).
2025-12-06 18:31:44,488 [root] DEBUG: 1140: YaraScan: Scanning 0x733E0000, size 0x6a272
2025-12-06 18:31:44,488 [root] DEBUG: 1140: caller_dispatch: Added region at 0x733E0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x733FD6B1, thread 1104).
2025-12-06 18:31:44,488 [root] DEBUG: 1140: caller_dispatch: Scanning calling region at 0x733E0000...
2025-12-06 18:31:44,488 [root] DEBUG: 1140: DLL loaded at 0x744A0000: C:\Windows\SYSTEM32\Wldp (0x25000 bytes).
2025-12-06 18:31:44,504 [root] DEBUG: 1140: DLL loaded at 0x744D0000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2025-12-06 18:31:44,504 [root] DEBUG: 1140: InstrumentationCallback: Added region at 0x75AA0000 to tracked regions list (thread 1104).
2025-12-06 18:31:44,504 [root] DEBUG: 1140: DLL loaded at 0x74320000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2025-12-06 18:31:44,519 [root] DEBUG: 1140: DLL loaded at 0x728E0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2025-12-06 18:31:44,519 [root] DEBUG: 1140: DLL loaded at 0x73D00000: C:\Windows\SYSTEM32\ondemandconnroutehelper (0x12000 bytes).
2025-12-06 18:31:44,519 [root] DEBUG: 1140: DLL loaded at 0x72810000: C:\Windows\SYSTEM32\winhttp (0xca000 bytes).
2025-12-06 18:31:44,519 [root] DEBUG: 1140: set_hooks_by_export_directory: Hooked 0 out of 613 functions
2025-12-06 18:31:44,519 [root] DEBUG: 1140: DLL loaded at 0x74CE0000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2025-12-06 18:31:44,535 [root] DEBUG: 1140: DLL loaded at 0x73CD0000: C:\Windows\system32\napinsp (0x11000 bytes).
2025-12-06 18:31:44,535 [root] DEBUG: 1140: DLL loaded at 0x73C80000: C:\Windows\system32\pnrpnsp (0x16000 bytes).
2025-12-06 18:31:44,535 [root] DEBUG: 1140: DLL loaded at 0x73CC0000: C:\Windows\system32\wshbth (0x10000 bytes).
2025-12-06 18:31:44,535 [root] DEBUG: 1140: DLL loaded at 0x73370000: C:\Windows\system32\NLAapi (0x16000 bytes).
2025-12-06 18:31:44,535 [root] DEBUG: 1140: DLL loaded at 0x74D60000: C:\Windows\System32\mswsock (0x52000 bytes).
2025-12-06 18:31:44,550 [root] DEBUG: 1140: DLL loaded at 0x74DC0000: C:\Windows\SYSTEM32\DNSAPI (0x90000 bytes).
2025-12-06 18:31:44,550 [root] DEBUG: 1140: DLL loaded at 0x76910000: C:\Windows\System32\NSI (0x7000 bytes).
2025-12-06 18:31:44,550 [root] DEBUG: 1140: DLL loaded at 0x73360000: C:\Windows\System32\winrnr (0xe000 bytes).
2025-12-06 18:31:44,550 [root] DEBUG: 1140: DLL loaded at 0x732A0000: C:\Windows\System32\fwpuclnt (0x59000 bytes).
2025-12-06 18:31:44,550 [root] DEBUG: 1140: DLL loaded at 0x73350000: C:\Windows\System32\rasadhlp (0x8000 bytes).
2025-12-06 18:31:44,566 [root] DEBUG: 1140: DLL loaded at 0x74E50000: C:\Windows\SYSTEM32\dhcpcsvc (0x16000 bytes).
2025-12-06 18:31:44,566 [root] DEBUG: 1140: DLL loaded at 0x73340000: C:\Windows\SYSTEM32\WINNSI (0x8000 bytes).
2025-12-06 18:31:44,566 [root] DEBUG: 1140: DLL loaded at 0x74B00000: C:\Windows\system32\uxtheme (0x74000 bytes).
2025-12-06 18:31:44,566 [root] DEBUG: 1140: api-rate-cap: memcpy hook disabled due to rate
2025-12-06 18:31:44,582 [root] DEBUG: 1140: DLL loaded at 0x76C40000: C:\Windows\System32\MSCTF (0xd4000 bytes).
2025-12-06 18:31:44,582 [root] DEBUG: 1140: DLL loaded at 0x74E70000: C:\Windows\SYSTEM32\dhcpcsvc6 (0x14000 bytes).
2025-12-06 18:31:44,832 [root] INFO: Process with pid 1140 has terminated
2025-12-06 18:31:44,832 [root] DEBUG: 1140: NtTerminateProcess hook: Attempting to dump process 1140
2025-12-06 18:31:44,832 [root] DEBUG: 1140: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-06 18:31:50,472 [root] INFO: Process list is empty, terminating analysis
2025-12-06 18:31:51,488 [root] INFO: Created shutdown mutex
2025-12-06 18:31:52,504 [root] INFO: Shutting down package
2025-12-06 18:31:52,504 [root] INFO: Stopping auxiliary modules
2025-12-06 18:31:52,504 [root] INFO: Stopping auxiliary module: Browser
2025-12-06 18:31:52,504 [root] INFO: Stopping auxiliary module: Curtain
2025-12-06 18:31:52,504 [modules.auxiliary.curtain] ERROR: Curtain - Error collecting PowerShell events - [Errno 13] Permission denied: 'C:\\curtain.log'
2025-12-06 18:31:52,504 [modules.auxiliary.curtain] ERROR: Curtain log file not found!
2025-12-06 18:31:52,504 [root] INFO: Stopping auxiliary module: End_noisy_tasks
2025-12-06 18:31:52,504 [root] INFO: Stopping auxiliary module: Evtx
2025-12-06 18:31:52,504 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2025-12-06 18:31:52,504 [root] WARNING: Cannot terminate auxiliary module Evtx: [Errno 13] Permission denied: 'C:/windows/Sysnative/winevt/Logs\\Application.evtx'
2025-12-06 18:31:52,504 [root] INFO: Stopping auxiliary module: Human
2025-12-06 18:31:58,332 [root] INFO: Stopping auxiliary module: Pre_script
2025-12-06 18:31:58,332 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-06 18:32:02,066 [root] INFO: Stopping auxiliary module: Usage
2025-12-06 18:32:02,207 [root] INFO: Stopping auxiliary module: During_script
2025-12-06 18:32:02,207 [root] INFO: Finishing auxiliary modules
2025-12-06 18:32:02,207 [root] INFO: Shutting down pipe server and dumping dropped files
2025-12-06 18:32:02,207 [root] WARNING: Folder at path "C:\HNxZeWN\debugger" does not exist, skipping
2025-12-06 18:32:02,207 [root] WARNING: Folder at path "C:\HNxZeWN\tlsdump" does not exist, skipping
2025-12-06 18:32:02,207 [root] INFO: Analysis completed

Machine

Name win10-64bit-tiny-3
Label win10-64bit-tiny-3
Manager KVM
Started On 2025-12-09 15:21:26
Shutdown On 2025-12-09 15:21:52
Route inetsim

File Details

File Name
red_core.exe
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File Size 1236992 bytes
MD5 1b6bcbb38921caf347df0a21955771a6
SHA1 f464ca710afb55186e842ecbc550b55174f9261c
SHA256 0c3fc578835db3d9fab6839b0501c274c0e0b739fa0d4c102e21d5f228468d87
SHA3-384 317e2b885809218fa3a54956aace1ac0868d0e5f0d51bc29dfb221fe382d7327a30b4b8bf474ae0ad65eaa3e6725264a
CRC32 D419F5E1
TLSH T13D45D010B681C437E0AB113445EB93765AAE78311B7AD4CBF7C49B3A2D616D1EB3438E
Ssdeep 12288:y5j+6tvqy0JxsIWTrWqI4KxZdfh4gI/JA6hxc:y5j+6tvqyPLTrQzWvhx

C+PjUV
A~w;/u
+":kX
1+1D1b1y1
- unexpected multithread lock error
-j:xC:
3I3N3_3i3s3x3
GetCurrentThreadId
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
H~N^/
RegSetValueExW
new[]
XUP-[w\
kX(c>
:!:y;
wFQzm
zcFAH
- not enough space for environment
tXFVP
Complete Object Locator'
>TalM
[Left]
095d#
RpcBindingFree
<?jH-
LC_MONETARY
k`='m
tx)V0!B
LoadLibraryW
CoCreateInstance failed: 0x%08lx
GetTimeZoneInformation
united-states
.ShellClassInfo
spanish-panama
*vw3$
9*949j9t9
Q@Qc-
5/6_6l6p6t6x6|6
GetWindowTextW
/+2rh
/z.:`T
0'0M0X0t0)1<1
7"8)8
npze|zL
.?AVlength_error@std@@
HeapCreate
7C7|7
nRX$*
F$9F t
CLPjQV
__ptr64
Sgtv<
GetTickCount
`RTTI
FlsAlloc
2+q9=
dSr^$
"V|MFU
Pf`)T&
ShellTime
E^O2&`4
`a5WH
?9?W?
.?AVout_of_range@std@@
[WIN]
;7|G;p
invalid distance code
operator
E'*88
portuguese-brazilian
.?AV?$codecvt@DDH@std@@
GetVersionExW
j)Z:)
.?AVfacet@locale@std@@
UnregisterClassW
2|fAo
Channel %s was not found.
b`p+s
Win%s %s
='=7=D=V=[=`=e=j=o=
8-9U9
jd_Fj
F`PjNS
m'QO*
p51WD
737E7J7P7B8
Read-only file system
T$@Rj
!n!R\
^(G)a
WriteConsoleW
G`9Gh
!v+Pz
X)$(9
O@;H(s
_oVVi|
?0?P?p?
invalid string position
:f;x;
[F11]
SWf9M
Pf95 /
GetUserNameA
InitializeCriticalSectionAndSpinCount
Il|T1
2E2c2
2.2U2b2h2
incompatible version
.rv?H&
AUX7p
9y@~k
lG*|a{
.?AUctype_base@std@@
\ouv}
u WPS
OaG50
Content-Length: %d
Parameters
WPhL,
TlsAlloc
0XXIf/
bad locale name
australian
6r' 3
;3=E=K=Q=X=a=h=n=u=
$Bk&l
C*PjTV
@_^[]
D+'04
*9PJ?
ServiceDll
:Cw@r`Y
n(9n$u
LoadLibraryA
1L2d2j2
f-]F)
Authorized application %lS is now enabled in the firewall.
CloseServiceHandle
chinese-simplified
}sD!O
rU;WE
;+;7;S;`;l;y;
292@2D2H2L2P2T2X2\2
F\PjMS
LockResource
holland
]?<644
n&@Sf-
dbHm$
0#0,02080K0^0p0
explorer.exe
R6026
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
\RCoRes64.dat
Tuesday
20f\d
%s: unrecognized option '--%s'
kP;~Cq
spanish-dominican republic
>t99k
LLH@;
gtuNd
DeleteFileW
@}eixU
O5K&$d|
english-ire
"C,Rj
bXWL9
MultiByteToWideChar
J4*L-
A4+C4t
GetPrivateProfileStringW
'\Ob0LI?].[
700PP
lop&z
09i\3
Pe]Bv
america
GetUserNameW
z)}9<
v|G,z
Process32NextW
~$9~ ~
fsO9s
SUVW
2 2$2,2D2T2X2h2l2p2x2
O*9y]
+NBW<
?hSdM
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
unknown compression method
No error
RpcStringFreeA
"~e<d
`8i1KR
PQj2R
GetModuleHandleW
2%272I2
>_f0|:
hzT3Yz
.?AVbad_alloc@std@@
optarg_w
,[&-59
>$>2>
ImpersonateLoggedOnUser
:@;S;
abcdefghijklmnopqrstuvwxyz
-.c";,:
35&2i
0DO3P
R1h58
LocalizedResourceName64
asm686 with masm, optimised assembly code from Brian Raiter, written 1998
GetTokenInformation
~a!!a!!
Qkkbal
OpenSCManagerW
UE,3j4
GmRD$
pr-china
0`htU6
L$@Qj
SetHandleCount
`vector vbase copy constructor iterator'
insufficient memory
wY0Un)BJ
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
Ro=o>?
Friday
>9~$~
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
'--%s'
;-;[;v;
Q5No3
chinese
RegOpenKeyExA
__clrcall
opterr
[jXL<
6cVsA
south africa
\pipe\ntsvcs
__thiscall
6*6Z6
No such device
PjOSj
tej=S
FhPj8S
winlogon.exe
spanish-modern
T$ Rj
zsKC.
;t$,v-
(?F3J:
\0Ro$j}
spanish-costa rica
EncodePointer
Bad file descriptor
<+<D<K<l<~<
<%<*<1<6<<<B<G<O<U<Z<n<
VirtualProtect
english-caribbean
[}8Q}
AdjustTokenPrivileges
- not enough space for stdio initialization
EnterCriticalSection
%s: option '-W %s' doesn't allow an argument
GetFileType
9/9D9P9g9
GetStdHandle
FindResourceExW
&|3K
Not enough space
;:?D?T?
}AbK8>$
vPR_/
!^)M{
<J>C/
WWWWQR
/65&>Y
\$(+^
GetLogicalDrives
515L5V5[5s5}5
j@j ^V
HHty+
;(;0;4;L;P;`;
ewh/?y
9c@O83
oDvm>
D$ )D$
,x#\ k
jdShTB
Vl+Vp
<_xIX
;=;J;m;t;y;~;
,UgLw
SetFilePointer
SOFTWARE\Microsoft\Windows NT\CurrentVersion\svchost
\$Dj8
H
[CTRL]
__cdecl
ConnBody
4L4l4A7c7
Not a directory
Resource deadlock avoided
Type Descriptor'
g".C~
[Home]
OM{]s
[Ixj!
MJZ;n
wLBg
2L3d3
[Time]: %04d-%02d-%02d %02d:%02d:%02d
FtPj;S
k>\y,
OpenServiceW
?&?U?
www.%s.com
? ?*?<?A?K?W?a?k?w?
Gh9Ghr
#+3;CScs
8-9P9[9~9
V_:X1:
generic
COMSysSvc
CreateProcessW
;V;[;m;
tdVQh
uivPG
3=!bW
CorExitProcess
File too large
b;R@Q
Global\{CB191C19-1D2D-45FC-9092-6DB462EFEAC6}
`eh vector vbase constructor iterator'
6$747
(null)
5{<El9']
- Attempt to use MSIL code from this assembly during native code initialization
671{!
spanish-honduras
C9r9e(
{728264DE-3701-419B-84A4-2AD86B0C43A3}
~bO1P
EfFrEF
_getopt_long_only_a@20
5.6B6b6g6<8C8
,W|G&`sd
8!8)81898B8K8W8c8p8w8
(i|LihX
cxy{u
,V{S&E4
xGFf5
3 3/34393
0%0/04090>0E0L0Q0V0[0b0i0o0t0{0
RpcBindingFromStringBindingW
;= 7zdS
spanish-puerto rico
=L9o<
D$DWWj
p=,Y3LP
L$$_^[3
GetCommandLineA
~X2Vh]%
t$(J2
bi{bh
WRh`/
english-belize
Microsoft-Delivery-Optimization/10.0
HeapDestroy
SHLWAPI.dll
.?AV?$_Iosb@H@std@@
german-lichtenstein
DeleteCriticalSection
D$(Ph
RPVW3
1a&.AnVF
8+8^8
`h`hhh
Q'NN&
%B+'J
f!K5k
COMSvcGroup
Z nzs
<program name unknown>
`udt returning'
hUy5@)us
`placement delete closure'
WindowsFirewallInitialize failed: 0x%08lx
<`>d>h>l>p>t>x>|>
%s: option '--%s' requires an argument
**3~C
invalid bit length repeat
TTl@;
SysAllocString failed: 0x%08lx
CreateFileW
No locks available
CreateService Faild Because Service is ERROR_SERVICE_EXISTS!
[Down]
6J7g7
spanish-uruguay
SetUnhandledExceptionFilter
s'MLG
3d3s3
hong-kong
xpxxxx
NHqa}
=CbZ+
:vp=c
r!S~8
3"3N3U3z3
CoCreateInstance
.text
JXX'b
RtlUnwind
R6032
=$=9=
6*696
:!:@:E:J:P:X:
=:>I>
_getopt_long_only_w@20
q#2;Xa
;T$$f
'Jp,}|
:';7;
&$(Ug
>:u8FV
<security>
3m3}3
<P+T1
american-english
~I$1:
'ao^8
ineIu(
8Z$pc
718<8M8Y8a8g8v8
HeapReAlloc
f*(^+
bad exception
0$0)0A0d0h0o0s0z0~0
;4;o;
norwegian
_getopt_long_w@20
.?AV_Iostream_error_category@std@@
T#-H%
Directory not empty
:g873
am/pm
RegOverridePredefKey
http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s
invalid distances set
qcwnO
Is a directory
VirtualAlloc
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
7S8a8
( 8PX
;7`]cDe
>?j=j
ToieAX*
^e>{SL
FreeEnvironmentStringsW
3%4*4>4M4
>ZbS?
RtlGetVersion
2-2A2G2
[ E<O
Fb:U;
November
IsValidLocale
\cS0~u
pm#k{
608v9
7d7i7o7
7J7Q7X7e7w7
49563
.UG@:
> >J>P>V>l>
L$,Qh
SetEnvironmentVariableW
runtime error
w.SkX
`vbase destructor'
`vector deleting destructor'
*wDE?
%SystemRoot%\system32\svchost.exe -k
&0,0004080
4}<)}A
YM:@+
:QZje
ncacn_np
system
:P;_<
6Aymz
QHG\B
[PageUp]
L$`QR
=gXLn
RnDUFvdXN
D$8t1
G u<Y%
.?AVfailure@ios_base@std@@
S0Y0c0
[ESC]
2"393
>W>c>h>r>
}Do(@_he
DestroyEnvironmentBlock
\j,N)
|620/
!ryyx(
<$<0<<<S<e<q<~<
q![X.
GetFileSize
October
english-aus
R6008
[Num Lock]
spanish-mexican
f9;u
No such file or directory
44)2=
A/^E2
Ad}oJ.
ios_base::failbit set
ExitProcess
%s: unrecognized option '%c%s'
0ZL-i
R6019
Runtime Error!
t$HHt
File exists
qmdvucpg~oKAPMQMDV~uKLFMUQ~aWPPGLVtGPQKML~pWL
>%- B
lPB9}[0
<$xDx
][_^Y
R6016
9](SS
*0;|j
GetForegroundWindow
=H>j>z>
%F2KUO
UnhandledExceptionFilter
<5-rL
282@2L2l2t2
mscoree.dll
7Fn(i
[Context]:
;(v3N
LoadResource
-!/!_
F8PjDS
DefWindowProcW
CreateMutexW
HeapAlloc
MLMqY
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
IconResource64
8&9:9Q9j9x9
Genuu8
UTF-16LE
%s: option '-W %s' requires an argument
SetThreadContext
lstrcpyW
S3N}^
5!5&5+505g5
oF ej
english-american
VVVVV
SING error
-pVvF
<!<'<;<A<K<R<_<e<
3?3g3m3u3
wf93t
Class Hierarchy Descriptor'
?If90t
HMEr;)
J!=!7
TASKKILL /F /IM rundll32.exe
:Sj$h
delete
u$h@2
tRHtC
="=.=:=E=
GetProcessWindowStation
@PAQBR
xQ(-a
%03X%02X%02X%02X
get_LocalPolicy failed: 0x%08lx
t VV9u
@o'EF~
ProxyServer
Resource device
RpcStringBindingComposeA
Server: nginx/1.4.7
!sMXH
0)0@0Z0a0o0~0
RegCreateKeyW
put_ProcessImageFileName failed: 0x%08lx
LoadUserProfileW
8\cVD
PPPPPPPP
1(181<1L1P1X1p1
w+OQvr
[Title]: %s
3>1>6
2P4T4X4t4x4
4%4B4Z4_4d4i4n4
HtbHu
RWSVP
^ujwQ
9~Ttf
invalid code lengths set
(@<`*`.
{D9AE3AB0-D123-4F38-A9BE-898C8D49A214}
818D8
Y_^[]
\`%^UY
CY</#
Hardware\Description\System\CentralProcessor\0
`vector destructor iterator'
UnloadUserProfile
FTPjKS
6D{T[
mLRmw
qr8yu
[-&LMb#{'
2"2/292?2D2K2d2v2|2
1 1$1(1,1014181<1@1D1
canadian
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
Cookie: %s
tSj=V
__eabi
xSSSh
RPCRT4.dll
rZc9hiq
spanish-guatemala
=\=~=
tna[h<
WindowsFirewallAddApp failed: 0x%08lx
`h````
/$ah<
_ej+y
[N;E{
O(9O$u
GetProcAddress
CHPjPV
FxPj<S
TlsGetValue
_S.FYN@
2@3K3U3f3q315B5J5P5U5[5
QRh -
Permission denied
invalid block type
6E9za2
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
\d^uG
- not enough space for thread data
GetLastError
>oqTn>`x
Y0J}l
Norwegian-Nynorsk
SYSTEM
5)IZ$
5l?@(
dkmr}
7#7G7M7S7b7h7
T@{9{
D$0^][_
//EQ@
F<PjES
!UX:P
|!y~0
wn>Jj
svchost.exe
D$\V3
6]6i6}6
`vector constructor iterator'
Interrupted function call
nGE;5
=,=I=S=h=
YQ$Uc
RegOpenKeyExW
6D7J7X7b7l7w7}7
%s: option requires an argument -- '%c'
WU?CeA
Sunday
C.PjRV
CjRnY?
P1T1X1\1`1d1h1l1p1t1x1|1
u 23X
=e@;}dK
?#?<?Z?
M-QMS
>+>3>8>=>B>G>L>\>i>o>z>
D$<j(
Improper link
- CRT not initialized
T#3aK
GetLocaleInfoA
T!FrY
0;1tt
3p$ )
^TcHJr'
IsBadReadPtr
Sleep
WOW64
-/<Bk]
]H7K#
z^>]x
GetShortPathNameW
>%:Dk
I?{xK
o~08t
9 9<9@9`9
XBoxDllShellCode.dll
4$4*4=4M4U4
H\$v<@
SHGetSpecialFolderPathW
Saturday
F(Pj,S
Vlf+Vd
!! Ij
Result too large
FP|Xt:
zuxVV
.?AV_Generic_error_category@std@@
__stdcall
:a=r?dE
000@0H0\0d0x0
9] SS
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
IconResourceDns
D$(+D$
{g]^p
vYslJ
Function not implemented
8I9v9
R6028
Y:wZ"
}u+sWME}
1&1.1>1V1q1v1
QPhP.
or?"gUgW
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
#k+TSpMV
_RZc=
c#tKN
t$D#t$
FR^.,
JT.6n
GetCurrentProcess
Unknown error
T$PWR
`typeof'
2!3Z3
- pure virtual function call
lL(k+
`eh vector copy constructor iterator'
.!S<f`
.?AVios_base@std@@
invalid literal/lengths set
>0>P>l>p>
r(-C,mQ
jjUdE
~7 4y
SizeofResource
</security>
575I5c5}5
#bML"
JDd+~+iG+i
((((( H
aFZjUU
england
:8:h:z:
HODkF
Filename too long
2V2f3x3
dddd, MMMM dd, yyyy
CreateToolhelp32Snapshot
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2x2|2
BQNmn
F@PjFS
xi,mQy
V<GNc
slovak
1;1B1O1a1~1
?"?1?=?
700WP
79FJQ
f^p]p
s*`pR
Agent
*08>5
get_Enabled failed: 0x%08lx
WriteFile
1?1E1K1
LC_ALL
1:CRc\
5\ \#
[,T x0o
=*>?>H>
9d9s9
&psid=
8-999
[F12]
=z!O^
>$>+>2>9>@>G>N>V>^>f>r>{>
]qe1vu
)\ZEo^m/
l~!#S.
WS2_32.dll
GetAsyncKeyState
<requestedPrivileges>
9>:l:L;
IsDebuggerPresent
r}Ta]
8R{lR
OpenThreadToken
CoInitializeEx failed: 0x%08lx
@.data
FlsFree
F0Pj.S
HttpQueryInfoW
kT0 ~
tvHt#
`eh vector destructor iterator'
ntelu0
WININET.dll
F4Pj/S
|=~?=
L$@Qh,3
.?AVlogic_error@std@@
Domain error
american
- unable to open console device
T$$QUR
4&636
`omni callsig'
Unknown exception
\Parameters\
?s/Zo[
FlsGetValue
`w-8f
oFD><
Q(yA]
8 8,8`8
- floating point support not loaded
optind
<mo84
south-africa
Y!3\s
xppwpp
5%Tf@
3 4.4\4n4s4y4b5
Authorized application %lS is disabled in the firewall.
t*=RCC
`dynamic initializer for '
HtcHt.
InternetCloseHandle
3rB5J
<*<;<t<
L$8QSRVP
6h7u7J8T8
.%J.&
647T7D8m8
4:4W4^4j4q4
spanish-peru
$m[/:
english-can
;ru.r
_ih\ip
Accept-Ranges: bytes
August
R6002
GetOEMCP
[Right]
spanish-ecuador
?5?<?C?s?
D$ j@h
Vista
P8X8`8h8p8x8
.?AVbad_exception@std@@
:D]LQ?
?I?u?
FPPjJS
StartServiceW
=MEw-b
A@(e\
- abort() has been called
]0e0v0
h(((( H
i_#Un
+>UV7
SYSTEM\CurrentControlSet\Services\
`local vftable'
norwegian-nynorsk
ILYhW
j3?-B
french-belgian
EdU/vbt
spanish-colombia
127.0.0.
6zJKv6
spanish-el salvador
;bweA
=T=f=
> ?$?(?,?0?4?8?<?@?D?
1 1$1D1d1
Q?se4
sCI?y8t
s~kAk
,@GU|G
4/4C4T4
`vector copy constructor iterator'
ios_base::badbit set
"M:J57
NJ2"v
YBFrh
9F9n9
EvtSubscribe
6;6N6
)UG6y
Too many open files in system
829d9
$z~#
1D1Q1f1
127.0.0.1
hQT`A
- not enough space for locale information
CreateService Faild Because Service is ERROR_IO_PENDING!
D$hSVWh
=bmd3
D$,uH
grpconv.exe
2s3}3
PS Mk9F;ul
1|f$;i
Oh;O\sR
incorrect length check
&!SGn
FBZ<L]I>
April
__restrict
delete[]
}@y$O&
?(X;9
C$PjQV
09-'M
1G2~2
H*0"ZOW
6H7L7P7T7
rso((
?3?:?D?V?m?{?
InterlockedDecrement
4"4)464V4`4
SSSSS
Z3UJM
DecodePointer
#lR[z
rEAi_)
T$(;P
s7NnN
Too many open files
2012 R2
qUjK`r
Exec format error
9MqLK]
C/PjSV
LCMapStringW
+H-}E#
A8]Cq
P,Q\&
header crc mismatch
TOpRj
german-luxembourg
`Ifr|
`default constructor closure'
j]jVY
URPQQh`
iostream
HeapFree
j#jh(e]
gM)
Ct*BU
.?AVsystem_error@std@@
oXQFD
0F0X0
tR99u2
h4vDl
`local static guard'
HTTP/1.
optarg_a
>)>i>w>
ABCDEFGHIJKLMNOPQRSTUVWXYZ
WriteProcessMemory
%s: invalid option -- '%c'
o5P^"
\ko}E
C,PjVV
dL!ar
1O2k2{2
*K[~Jh
UTF-8
Add failed: 0x%08lx
VirtualFree
|uo;H
Global\{E68DFA68-1132-4A32-ADE2-8C87F282C457}
R6024
031<1H1'2
GetCurrentThread
.?AVexception@std@@
IiGM>nw
F$Pj+Sj
8p~A8;
<7<B<I<
9T:g:|:
RvQ1nm
HHtk2
<(<-<><H<Q<]<g<q<
F|Pj=S
"z[)&oD
t(SSSj
Operation not permitted
u.95\#
0V0]0
J{[{Vs
)YkX>
:.:6:?:x:
=4Ein
InternetOpenUrlA
Hv83yP&
3'3m3
8"9K9\9p9
LA+@V
Supports System COM+ Service, If this service is disabled, users of this computer will not be able to use this service.
CreateProcessAsUserW
EJFZE
mjRry
=.?5?=?E?M?s?
Y__^[
uzu2{
Visual C++ CRT: Not enough memory to complete call to strerror.
yNbBo
stream error
:$:d:n:y:
Resource temporarily unavailable
L$(+L$
UDYiO
aZl[L
:E:o:
unknown header flags set
:*ot~eT
N|o?}
KG^;;
f#5Mf,C=
jjjjjh
#*I0<M[X
NZCe8[X
g!yVV
^oEZ_
QRh0+
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
[F10]
hK{IL
&rqw9
HHtYHHt
LookupPrivilegeValueW
[Backspace]
swiss
MessageBoxW
EnumSystemLocalesA
Event/System[EventID=1149]
GetActiveWindow
.rsrc
south-korea
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
=$=0=6=>=D=P=V=c=m=s=}=
{'F,*
_i#3.
^|lH\q
`virtual displacement map'
GetConsoleCP
english-trinidad y tobago
4:4J4^4j4
December
swedish-finland
0`0m0
v82u$C&
J)5<K2Ge
6E72Ja
Q1}/4V
5fnxLw
#Ol)I
string too long
Base Class Descriptor at (
>ee=u
RaiseException
\T<Po
%[e@U
Cache-Control: no-cache
j.h$E
X\(,]
v"6/s
UQPXY]Y[
6P6u8.:
gCj/J
SetLastError
:E'E7
Gpi3g
< <(<,<4<H<h<t<
CheckTokenMembership
:":>:D:S:m:w:
`eh vector vbase copy constructor iterator'
D-I0Q
cGf6d3
Win%d.%d.%d %s
InitializeCriticalSection
<Enter>
]$:?>
french-canadian
GetLastActivePopup
h qig
8(858@8K8Q8W8]8c8i8F9
Base Class Array'
5#5=5D5Y5`5q5x5
Nlf+Np
dv}0(
This indicates a bug in your application.
F*FVe
german-swiss
uASRS
X.x+n
0A2n2
[Del]
`vcall'
TLOSS error
ioi=e#
?$?0?4?8?<?@?D?H?
R6010
Nl#N4
u)jAXf;
No space left on device
~3()n
xMX!-
KERNEL32.dll
=.>6>t>h?~?
L$XRf
DOMAIN error
SunMonTueWedThuFriSat
SetFileAttributesW
.VBT`V
FLPjIS
KD/yU>
wyO 08
January
CreateWindowExW
v,3;v
%s: option '--%s' doesn't allow an argument
=/=Y=}=
nKERNEL32.DLL
GetConsoleMode
Global\{2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}
gRC"\
GetTimeFormatW
http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s
2B2L2T2d2j2
J1B244<4
<5<N<j<
TZyHfi
SubscriptionCallback: Unknown action.
InterlockedIncrement
682tB:
gV,z4
&N9c[
NTDLL
Eo>@7
y)-@Ln
IsWow64Process
0L1g1
GetUserObjectInformationW
china
N<'pb
j_E`>=
L$Th@
^R_R)
aSg'M
GetCPInfo
;&<Y<c<i<J=|=
<^jvS
>'>@>
;+N?Rg
m]=PZ
EvtRender
KJVW(
biu9mM
PRhx,
spanish-venezuela
`local static thread guard'
B&b0yL
:,:<:b:
Y8JwV
`managed vector constructor iterator'
0"161L1c1
QueryPerformanceCounter
<iG1[w
H_K!sC"
TlsFree
lXB&z
v)~vN
No such device or address
Q<@WN
V0WSR
Invalid argument
QQSVWd
american english
1A26b
nosvc
b|])Vv@
Content-Type: text/html
`vector vbase constructor iterator'
#eipep
yNGGl
cY>l)
$+^pBG
chinese-singapore
incorrect header check
|$Dj8
[+>ge
04080P0`0d0h0l0t0
Software\Microsoft\Windows\CurrentVersion\Internet Settings
!=ZgI
V,^]3
C2ks=
3n5$6.6
^ZwZ{
6$QxB
chinese-traditional
>9>VpF
WritePrivateProfileStringW
SetEnvironmentVariableA
6,646<6D6L6T6`6
dE!jE
lstrlenA
buffer error
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
UZ7{p{
"A,\n
>G>Q>i>
181H1\1p1|1
RegQueryValueExW
Q&}Cr
FdPjOS
wI%2K
WPh0,
irish-english
belgian
PathFileExistsW
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>
4h5YE
g@/~Hg
.?AVerror_category@std@@
4)4:4G4R4Y4c4j4
invalid literal/length code
GetUserDefaultLCID
7E7n7x7
Invalid seek
xaV(J
L8<.c
kO=Rnv
Dl|D"
A@SlP2
Connection: Close
rd,eM,<|P
QPh`0
So 'Q[
>(>8><>L>P>T>\>t>
Y/2f)
Program:
:WndClassName
PVVRV
1 1%1-121:1?1F1U1Z1`1i1
FXPjLS
?P?U?
20190318
0[ Ms
.-aS]@
<.)ptJ
%02X%02X%02X%02X%02X%02X
GetComputerNameA
toiyeuvn.dongaruou.com
1.2.8
USER32.dll
7{F*,7
qas<#
55N]M%
BR;}2%
c|Q0
tce}+L9=
F:+Sf
TerminateProcess
Process32FirstW
3 383H3L3\3`3d3l3
t?VSP
SetStdHandle
cmmon32.exe
=4TH}3
8%9*9{9
>Y DO
WTSGetActiveConsoleSessionId
WdMo=
invalid distance too far back
SetTokenInformation
WinExec
[a{wY
I%:XKX
IPHLPAPI.DLL
GetSystemInfo
ProcessIdToSessionId
F6Ih!
great britain
stream end
spanish-argentina
GetLocaleInfoW
b+|,%
[PageDown]
french-luxembourg
qrAGL
VRPQh
1BPij[Z
C)-{c
4-<*C\K
K\F\\
S)w'=TX
7]7c7
>$>(>,>0>4>8><>@>
]Mj~j
uTVWh
InternetOpenW
3)3M3x4
iostream stream error
Arg list too long
\B#1_
8$8c8o8~8
<%<C<%=
- unexpected heap error
english-jamaica
4$4(484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
<T=p=v=
RegOpenCurrentUser
RpcStringFreeW
GetProcessHeap
ViD-s
2#2)232<2G2L2U2_2j2
OtXhWs
V|yBn
ios_base::eofbit set
9F se
0 0@0`0
~z<|wg
T$ Rh?
@.reloc
LocalAlloc
[Space]
Microsoft Visual C++ Runtime Library
2)272L2V2|2
@)mh>
- not enough space for arguments
\desktop.ini
QM?k{C
O<5.nQ
english-us
8(KKC
x)%<M
s.Wj
'dV;|
english-uk
L$t_^[3
__fastcall
`string'
ole32.dll
2]u2h[Zm
GetStartupInfoW
bmB=S
[wuwC
z\Cq%
84L\;
4E5X5h5+737=7M7Y7_7i7y7
HHtXHHt
bad cast
|TXX`
get_CurrentProfile failed: 0x%08lx
need dictionary
RegCloseKey
english-usa
CreateServiceW
vQO+t
GetSystemTimeAsFileTime
g?`X7
ExitThread
3T3Y3_3
spanish-bolivia
394?4Q4n4
hrqHr
%^'N8
A#a+Rih
MM/dd/yy
:0Bv\~
hE:%wfF
1nLZv
.?AV_Locimp@locale@std@@
|$ WSPV
- unable to initialize heap
9~4u(
`f\esm4Uw
FlushFileBuffers
ifu{w
R6031
mj>zjZ
CreateThread
w<+wt
GetAdaptersInfo
xl>J$Qk
Core Networking - IPv4 (IPv4-In)
dutch-belgian
*#\&w
9Ghs%
GetDateFormatW
EvtSubscribe failed with %lu.
IconResourcePort
?%?*?3?9?>?G?M?R?[?`?e?j?s?{?
^{m#wS
7<7H7h7t7
w_$mc8-
t"SS9] u
`scalar deleting destructor'
B(^uH
1wsHp
?4?L?V?e?
4Z=bz
uu4A}
Y_;q+
=/gQGR_
GetModuleFileNameA
^SSSSS
Pj)Sj
March
lstrlenW
y|$1nk
WWWWW
south korea
Bad address
WaitForMultipleObjects
@C2%`
%s: option '-W %s' is ambiguous
inflate 1.2.8 Copyright 1995-2013 Mark Adler
DuplicateToken
GetACP
3!K1p
german-austrian
qSx<W
%s: option '%c%s' doesn't allow an argument
j]jl3
J'UW4R
38K=V
t%HHt
ADVAPI32.dll
6o7w7
SHELL32.dll
OSWqy
: :(:0:8:@:H:P:X:`:h:p:x:
R6027
`local vftable constructor closure'
english-nz
CONOUT$
OpenMutexW
GetMessageW
</requestedPrivileges>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
3+3M3|3
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
tCHt(Ht
FDPjGS
ReadFile
WindowsFirewallAppIsEnabled failed: 0x%08lx
DispatchMessageW
HTTP/1.1 200 OK
referer=
Xu"x)
WTSAPI32.dll
W}R9b
WinSta0\Default
CreateEnvironmentBlock
GlobalMemoryStatusEx
MF9YX
C PjPV
16YC'
=%=*=/=4=D=s=y=
c8_'
.rb40
0`1d1
msgsm64.acm
^da<mn
.(9^/
PdZSU
Wj@hP
2D3J3X3b3l3w3}3
556v6
DuplicateTokenEx
GetCurrentProcessId
-X,sF
.?AVcodecvt_base@std@@
=(=4=P=p=
vvi?P
`eh vector constructor iterator'
=Z;j~
QW@Ph
FreeLibrary
P+!3l(
0G0P0\0
<4>J>
bad allocation
0(3+nG/
tNHt%
EF,+Z*
)g%Fd%
invalid stored block lengths
^cmv6
<1^OW
data error
%Qu6v7
Monday
6K6R6e6l6v6
k%"A1
incorrect data check
KSb\KS
7mu:*0R
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
93Y,4
Tf^tK
1Bn`8
ActiveX Update
~,WPV
WQh$/
7'838F8X8s8{8
\desktopWOW64.ini
h4btB*e
On0ykRZ
+G{@P
4G5M5`5
HH:mm:ss
<"=T=|=
('8PW
lstrcpyA
JanFebMarAprMayJunJulAugSepOctNovDec
[Insert]
chinese-hongkong
T$"Rf
LC_CTYPE
6`7`!@
#OVy%
SetEndOfFile
- not enough space for lowio initialization
POSIXLY_CORRECT
&8|gq
j2hTB
4=4D4[4x4
tx~?j
GetLocalTime
/vEU
ChangeServiceConfig2W
UNICODE
^MnO>
]V2[\?
Authorized application %lS is enabled in the firewall.
_getopt_a@12
JbN\<
OLEAUT32.dll
u&WVS
r]X<]=
6 6$6(6,6064686H6L6`6d6h6
UTB)/
CoInitializeEx
_getopt_long_a@20
<&=4=W=^=d=q=
:3:V:
R6030
GetNativeSystemInfo
5"5+515a5p7x7
.t|PVj@
3(>4>@>L>X>d>p>|>
R6033
((b8WI
SVWUj
?+f{$
0#0(0,000Y0
GetSystemDirectoryW
.?AV?$ctype@D@std@@
HttpQueryInfoA
FlsSetValue
get_AuthorizedApplications failed: 0x%08lx
/hPj<
6Cj>M
LeaveCriticalSection
britain
U]Ofm7
Cs->%
jjjjj
Y/L '?
February
`7]=G
= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
v}{f[Fi{F
Q%dm1
FYY;u
?(?/?4?8?<?]?
20393?3D3\3v3
[End]
[Enter]
SetErrorMode
Wednesday
;]xs_r+
.?AVruntime_error@std@@
7lUJL
IsValidCodePage
WaitForSingleObject
IJB/m
Fast decoding Code from Chris Anderson
+D$(;
xsfRO
Thursday
September
FHPjHS
[~_=d
roF l
w_hZ=_
_a->D
.?AV_System_error_category@std@@
8'8/8?8E8V8
<%<f<
:;];!
__pascal
6[ZYw
F,Pj-S
\ws^o
spanish-nicaragua
CoUninitialize
:*P|Rs
;4;Q;
WUSER32.DLL
:-8[:]
PijU19hgT
1-1:1?1M1(2
The query "%s" is not valid.
_<<K*D
1}0.}'W^g
*N4Nj*
OpenProcessToken
G\.@6
OZw3(?
`vbtable'
- Attempt to initialize the CRT more than once.
4(4,4044484@4X4h4l4|4
Fwr:b
%s: option '%s' is ambiguous; possibilities:
8)8L8
M9=$t
FpPj:S
<6O/v/
No such process
`copy constructor closure'
r] `=
WQhL,
2,2h2
>8?d?y?
<3<R<
.?AVCAtlException@ATL@@
2Q2i2
CYLHq#g
2008R2
4C5@6
&v%OVA
]5->@WM2
;+Y;g
.?AVtype_info@@
mR/@c
Illegal byte sequence
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8
[TAB]
T$`RP
wsc.dll
C{rHh
UumTM
VG\K}Q
wkPSQR
434D4Q4X4h4z4
RpcBindingFromStringBindingA
SQuK<
F,^]3
Win%s Sp%d %s
R6018
D$8+F
LC_COLLATE
R6025
AO-q4
CreateWellKnownSid
1 1@1
PPPh`I
uvh 5
8sPv^
+SXN[
=3Zo]
WGqrI0
english-south africa
RpcStringBindingComposeW
put_Name failed: 0x%08lx
FlPj9S
`placement delete[] closure'
s^{IG
(|>U>
GetModuleFileNameW
TlsSetValue
</trustInfo>
{F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}
H#5`t[
optopt
GetCommandLineW
)G^`M
COM+ Support Service
__unaligned
PPPPP
GetStringTypeW
"meI[N~n
/1q`L<aN
<Backspace>
CloseHandle
0$060H0Z0l0~0
J'T?v/
[Print Screen]
USERENV.dll
WTSQueryUserToken
Y_)*#K
FindResourceW
:4)o;
ZJY2/
>$?G?Q?
Rc8-(
5 6?6^6
Af9q.
/AjV'<i
!p;"6
Input/output error
Inappropriate I/O control operation
]M`|_M
.?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@
3 3(343T3\3h3
l6qnk
__based(
< tK<
SeDebugPrivilege
new-zealand
gU<CJn
}8Dp]
Too many links
R~??@Z$
&AZQ+6G
wrbg?
GetThreadContext
O.[/s"wP
tAVWP
>*?<?
LocalFree
@e3@e)
O92vI
O@;H s
LC_NUMERIC
Dn#]&
X_U*
`dynamic atexit destructor for '
a+-C}
QU3t;P
PKCRi7
QQSV3
[#p^f
5B5V5j5
C-PjWV
>%>?>K>h>
2G2]2t2
ProxyEnable
KA!H;
9|$`r
=<S;D
%>--v
@PSVV
Broken pipe
pr china
t$j4j
OpenProcess
;Q;g;
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
invalid code -- missing end-of-block
-GGhB
F Pj*S
0l1r1
[Scroll Lock]
%!DVDN
5R@FV
737_7l7
too many length or distance symbols
#;6Y;
Ap{Fx
tl9_ tg9_$tb
norwegian-bokmal
RegisterClassExW
]5+lj
4(454@4K4Q4W4]4c4i4
file error
5 6J6}6
5"5,5`5k5u5
`managed vector copy constructor iterator'
3/3I3
- not enough space for _onexit/atexit table
InternetSetOptionW
K#~0 }
4.4}4
invalid window size
.?AVbad_cast@std@@
9%:?:H:o:|:
PQP7X
TranslateMessage
N,_^]3
CompareStringW
?H>(=
=o<~Q
= =$=,=D=T=X=h=l=p=t=|=
1O0<O
No child processes
italian-swiss
french-swiss
? ?$?,?D?T?X?h?l?p?x?
HjdSh
;-]sI
QSWVj
Ea=2yQ|
'n):2
PRhh+
R6017
=*=3=8=B=L=X=]=
5w",
spanish-paraguay
i]=Avd
$[^_]
4ordJ
^Gupl
J/jx>
spanish-chile
WAsN.
czech
cTt-A;
trinidad & tobago
|~M/<Vy
L$ H#
h:l:p:t:x:|:
F ;F$t
QQQQV
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
qwJBg
P^HVn
~@yqu`H
WideCharToMultiByte
3l4t4
ReleaseMutex
OPqjg
http://%s:%d/
/dy_M
HeapSize
WSAIoctl
0g1w1
LC_TIME
9|$(t
t!WVj
VirtualAllocEx
RJ/RJ
BnKeN
O.kB!
tEHt0
5v8z8~8
N5"a}
>L>T>b>r>x>
_,`'>
IsProcessorFeaturePresent
R6009
0"010?0I0O0e0j0r0x0
F0WSP
`managed vector destructor iterator'
$3Ljq\
9F9M9b9
t-u"=%N(
IconResourceNoSvc
,jWRM
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
K39X@%
united-kingdom
`VTH/2:
L$ Qh
9$9,949<9D9L9T9\9d9l9t9|9
CreateEventW
VVVVj
_getopt_w@12
GetEnvironmentStringsW
$\"|Fr
% *;WD
`vftable'
5 5(50585<5@5H5\5d5l5t5x5|5
wevtapi.dll
f6B@E
P>OTq
puerto-rico
9c:h:q:
9 9(90989@9H9P9X9`9h9p9x9
GF?.x
: :<:@:`:
:IW`(L]
mZKk~O.I
}}l;Fuf
mF3$d
6]O7*U
9|$|r
`.rdata
3=4W4
ResumeThread
qX1g2c:
GD)op)ol
GetKeyState
q:Pl?!
D$8SVW
OutputDebugStringW
VVVVVQRSSj

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Exported DLL Name
0x10000000 0x00012bf2 0x00067f0d 0x0013206b 5.1 2019-03-06 10:20:32 37e48d0816c7485d18b7cc3e0d8ed0a0 XBoxDllShellCode.dll

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0002a106 0x0002a200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.67
.rdata 0x0002a600 0x0002c000 0x0000c99e 0x0000ca00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.80
.data 0x00037000 0x00039000 0x0002d8ac 0x00029200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.94
.rsrc 0x00060200 0x00067000 0x000001b4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.12
.reloc 0x00060400 0x00068000 0x0000311e 0x00003200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.35

Overlay

Offset 0x00063600
Size 0x000caa00

Name Offset Size Language Sub-language Entropy File type
RT_MANIFEST 0x00067058 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 4.80 None

Imports

Name Address
SizeofResource 0x1002c07c
LockResource 0x1002c080
WaitForMultipleObjects 0x1002c084
WinExec 0x1002c088
SetFileAttributesW 0x1002c08c
lstrcpyA 0x1002c090
GetNativeSystemInfo 0x1002c094
FreeLibrary 0x1002c098
HeapAlloc 0x1002c09c
HeapFree 0x1002c0a0
VirtualFree 0x1002c0a4
GetProcessHeap 0x1002c0a8
IsBadReadPtr 0x1002c0ac
SetLastError 0x1002c0b0
GetProcAddress 0x1002c0b4
LoadLibraryA 0x1002c0b8
VirtualProtect 0x1002c0bc
WaitForSingleObject 0x1002c0c0
OpenMutexW 0x1002c0c4
GetLocalTime 0x1002c0c8
ReleaseMutex 0x1002c0cc
GetCommandLineW 0x1002c0d0
GetComputerNameA 0x1002c0d4
GetModuleHandleW 0x1002c0d8
GetCurrentThread 0x1002c0dc
OpenProcess 0x1002c0e0
GetVersionExW 0x1002c0e4
Process32FirstW 0x1002c0e8
LocalAlloc 0x1002c0ec
IsWow64Process 0x1002c0f0
GlobalMemoryStatusEx 0x1002c0f4
CreateEventW 0x1002c0f8
GetSystemInfo 0x1002c0fc
Process32NextW 0x1002c100
CreateToolhelp32Snapshot 0x1002c104
DeleteFileW 0x1002c108
LocalFree 0x1002c10c
OutputDebugStringW 0x1002c110
SetStdHandle 0x1002c114
WriteConsoleW 0x1002c118
SetEnvironmentVariableA 0x1002c11c
SetEnvironmentVariableW 0x1002c120
CompareStringW 0x1002c124
IsValidLocale 0x1002c128
EnumSystemLocalesA 0x1002c12c
GetLocaleInfoA 0x1002c130
GetUserDefaultLCID 0x1002c134
SetFilePointer 0x1002c138
LoadResource 0x1002c13c
GetSystemTimeAsFileTime 0x1002c140
FindResourceW 0x1002c144
FindResourceExW 0x1002c148
CreateThread 0x1002c14c
lstrcpyW 0x1002c150
ResumeThread 0x1002c154
WriteProcessMemory 0x1002c158
CloseHandle 0x1002c15c
GetShortPathNameW 0x1002c160
WTSGetActiveConsoleSessionId 0x1002c164
ProcessIdToSessionId 0x1002c168
VirtualAllocEx 0x1002c16c
VirtualAlloc 0x1002c170
GetLastError 0x1002c174
WritePrivateProfileStringW 0x1002c178
lstrlenW 0x1002c17c
MultiByteToWideChar 0x1002c180
CreateFileW 0x1002c184
GetModuleFileNameW 0x1002c188
ReadFile 0x1002c18c
Sleep 0x1002c190
WideCharToMultiByte 0x1002c194
GetSystemDirectoryW 0x1002c198
GetPrivateProfileStringW 0x1002c19c
GetLogicalDrives 0x1002c1a0
GetCurrentProcess 0x1002c1a4
CreateProcessW 0x1002c1a8
SetErrorMode 0x1002c1ac
lstrlenA 0x1002c1b0
SetThreadContext 0x1002c1b4
CreateMutexW 0x1002c1b8
GetFileSize 0x1002c1bc
GetThreadContext 0x1002c1c0
GetCurrentProcessId 0x1002c1c4
GetTickCount 0x1002c1c8
QueryPerformanceCounter 0x1002c1cc
GetModuleFileNameA 0x1002c1d0
GetLocaleInfoW 0x1002c1d4
SetEndOfFile 0x1002c1d8
LoadLibraryW 0x1002c1dc
GetTimeZoneInformation 0x1002c1e0
GetConsoleMode 0x1002c1e4
GetConsoleCP 0x1002c1e8
GetStringTypeW 0x1002c1ec
GetEnvironmentStringsW 0x1002c1f0
FreeEnvironmentStringsW 0x1002c1f4
GetStartupInfoW 0x1002c1f8
GetFileType 0x1002c1fc
InitializeCriticalSectionAndSpinCount 0x1002c200
SetHandleCount 0x1002c204
HeapSize 0x1002c208
TlsFree 0x1002c20c
TlsSetValue 0x1002c210
TlsGetValue 0x1002c214
TlsAlloc 0x1002c218
IsValidCodePage 0x1002c21c
GetOEMCP 0x1002c220
GetACP 0x1002c224
GetStdHandle 0x1002c228
WriteFile 0x1002c22c
HeapDestroy 0x1002c230
HeapCreate 0x1002c234
IsProcessorFeaturePresent 0x1002c238
IsDebuggerPresent 0x1002c23c
SetUnhandledExceptionFilter 0x1002c240
UnhandledExceptionFilter 0x1002c244
TerminateProcess 0x1002c248
GetCPInfo 0x1002c24c
LCMapStringW 0x1002c250
RtlUnwind 0x1002c254
RaiseException 0x1002c258
GetCommandLineA 0x1002c25c
GetCurrentThreadId 0x1002c260
GetDateFormatW 0x1002c264
GetTimeFormatW 0x1002c268
HeapReAlloc 0x1002c26c
ExitThread 0x1002c270
LeaveCriticalSection 0x1002c274
EnterCriticalSection 0x1002c278
DeleteCriticalSection 0x1002c27c
InitializeCriticalSection 0x1002c280
FlushFileBuffers 0x1002c284
ExitProcess 0x1002c288
DecodePointer 0x1002c28c
EncodePointer 0x1002c290
InterlockedDecrement 0x1002c294
InterlockedIncrement 0x1002c298
Name Address
GetAsyncKeyState 0x1002c2e0
GetForegroundWindow 0x1002c2e4
GetKeyState 0x1002c2e8
GetWindowTextW 0x1002c2ec
GetMessageW 0x1002c2f0
TranslateMessage 0x1002c2f4
RegisterClassExW 0x1002c2f8
CreateWindowExW 0x1002c2fc
DefWindowProcW 0x1002c300
DispatchMessageW 0x1002c304
UnregisterClassW 0x1002c308
Name Address
ImpersonateLoggedOnUser 0x1002c000
StartServiceW 0x1002c004
ChangeServiceConfig2W 0x1002c008
RegCreateKeyW 0x1002c00c
OpenServiceW 0x1002c010
OpenSCManagerW 0x1002c014
CloseServiceHandle 0x1002c018
CreateServiceW 0x1002c01c
CreateWellKnownSid 0x1002c020
CheckTokenMembership 0x1002c024
GetUserNameA 0x1002c028
RegOpenCurrentUser 0x1002c02c
OpenProcessToken 0x1002c030
DuplicateToken 0x1002c034
GetTokenInformation 0x1002c038
RegOverridePredefKey 0x1002c03c
OpenThreadToken 0x1002c040
GetUserNameW 0x1002c044
RegSetValueExW 0x1002c048
RegCloseKey 0x1002c04c
AdjustTokenPrivileges 0x1002c050
RegOpenKeyExW 0x1002c054
DuplicateTokenEx 0x1002c058
RegOpenKeyExA 0x1002c05c
LookupPrivilegeValueW 0x1002c060
SetTokenInformation 0x1002c064
CreateProcessAsUserW 0x1002c068
RegQueryValueExW 0x1002c06c
Name Address
SHGetSpecialFolderPathW 0x1002c2d0
Name Address
CoInitializeEx 0x1002c39c
CoUninitialize 0x1002c3a0
CoCreateInstance 0x1002c3a4
Name Address
SysStringLen 0x1002c2a0
SysAllocString 0x1002c2a4
SysFreeString 0x1002c2a8
Name Address
PathFileExistsW 0x1002c2d8
Name Address
HttpQueryInfoA 0x1002c324
InternetOpenUrlA 0x1002c328
InternetSetOptionW 0x1002c32c
HttpQueryInfoW 0x1002c330
InternetCloseHandle 0x1002c334
InternetOpenW 0x1002c338
Name Address
WTSQueryUserToken 0x1002c394
Name Address
CreateEnvironmentBlock 0x1002c310
DestroyEnvironmentBlock 0x1002c314
LoadUserProfileW 0x1002c318
UnloadUserProfile 0x1002c31c
Name Address
EvtSubscribe 0x1002c3ac
EvtRender 0x1002c3b0
Name Address
connect 0x1002c340
accept 0x1002c344
getpeername 0x1002c348
gethostname 0x1002c34c
socket 0x1002c350
inet_ntoa 0x1002c354
listen 0x1002c358
send 0x1002c35c
gethostbyname 0x1002c360
closesocket 0x1002c364
__WSAFDIsSet 0x1002c368
WSAStartup 0x1002c36c
inet_addr 0x1002c370
select 0x1002c374
htons 0x1002c378
bind 0x1002c37c
recv 0x1002c380
WSACleanup 0x1002c384
setsockopt 0x1002c388
WSAIoctl 0x1002c38c
Name Address
GetAdaptersInfo 0x1002c074
Name Address
RpcBindingFree 0x1002c2b0
RpcStringBindingComposeW 0x1002c2b4
RpcBindingFromStringBindingW 0x1002c2b8
RpcStringFreeA 0x1002c2bc
RpcStringBindingComposeA 0x1002c2c0
RpcStringFreeW 0x1002c2c4
RpcBindingFromStringBindingA 0x1002c2c8

Exports

Name Address Ordinal
_getopt_a@12 0x10002740 1
_getopt_long_a@20 0x100027a0 2
_getopt_long_only_a@20 0x10002810 3
_getopt_long_only_w@20 0x10003410 4
_getopt_long_w@20 0x100033a0 5
_getopt_w@12 0x10003340 6
optarg_a 0x100668a8 7
optarg_w 0x100668a4 8
opterr 0x1006190c 9
optind 0x1006178c 10
optopt 0x10061aac 11

Command and Control
  • T1071 - Application Layer Protocol
    • static_pe_anomaly

Defense Evasion
  • T1027 - Obfuscated Files or Information
    • packer_entropy
  • T1027.002 - Software Packing
    • packer_entropy

Usage


Processing ( 0.58 seconds )

  • 0.563 CAPE
  • 0.007 Heatmap
  • 0.005 BehaviorAnalysis
  • 0.004 AnalysisInfo

Signatures ( 0.02 seconds )

  • 0.004 ransomware_files
  • 0.002 antianalysis_detectfile
  • 0.002 antiav_detectreg
  • 0.002 ransomware_extensions
  • 0.001 antiav_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 browser_security
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_ftp
  • 0.001 infostealer_im
  • 0.001 infostealer_mail
  • 0.001 poullight_files
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 territorial_disputes_sigs
  • 0.001 ursnif_behavior

Reporting ( 0.05 seconds )

  • 0.048 ReportHTML
  • 0.002 MITRE_TTPS
  • 0.001 LiteReport
  • 0.001 JsonDump

Signatures

At least one process apparently crashed during execution
Possible date expiration check, exits too soon after checking local time
process: rundll32.exe, PID 1140
The binary likely contains encrypted or compressed data
section: {'name': '.data', 'raw_address': '0x00037000', 'virtual_address': '0x00039000', 'virtual_size': '0x0002d8ac', 'size_of_data': '0x00029200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '7.94'}
Checks for presence of debugger via IsDebuggerPresent
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
anomaly: Actual checksum does not match that reported in PE header

Screenshots

No playback available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Users\user\AppData\Local\Temp\red_core.exe.dll.manifest
C:\Users\user\AppData\Local\Temp\red_core.exe.dll
C:\Users\user\AppData\Local\Temp\red_core.exe.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\red_core.exe.dll.124.Manifest
C:\Windows\System32\winnsi.dll
C:\Windows\System32\msctf.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
Local\SM0:1140:168:WilStaging_02
No results
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.