Detection(s): CobaltStrikeStager

Analysis

Category Package Started Completed Duration Log(s)
FILE exe 2025-05-06 07:12:10 2025-05-06 07:16:20 250 seconds Show Analysis Log
2024-11-25 13:37:15,397 [root] INFO: Date set to: 20250506T07:12:09, timeout set to: 200
2025-05-06 08:12:09,032 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-05-06 08:12:09,032 [root] DEBUG: Storing results at: C:\uyHCokWh
2025-05-06 08:12:09,032 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC
2025-05-06 08:12:09,032 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-05-06 08:12:09,032 [root] INFO: analysis running as an admin
2025-05-06 08:12:09,032 [root] INFO: analysis package specified: "exe"
2025-05-06 08:12:09,032 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-05-06 08:12:10,095 [root] DEBUG: imported analysis package "exe"
2025-05-06 08:12:10,095 [root] DEBUG: initializing analysis package "exe"...
2025-05-06 08:12:10,095 [lib.common.common] INFO: wrapping
2025-05-06 08:12:10,095 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-05-06 08:12:10,110 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\1.exe
2025-05-06 08:12:10,110 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-05-06 08:12:10,110 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-05-06 08:12:10,110 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-05-06 08:12:10,110 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-05-06 08:12:10,330 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-05-06 08:12:10,345 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-05-06 08:12:10,376 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-05-06 08:12:10,392 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-05-06 08:12:10,392 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-05-06 08:12:10,392 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-05-06 08:12:10,392 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-05-06 08:12:10,407 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-05-06 08:12:10,407 [root] DEBUG: Initialized auxiliary module "Browser"
2025-05-06 08:12:10,407 [root] DEBUG: attempting to configure 'Browser' from data
2025-05-06 08:12:10,407 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-05-06 08:12:10,407 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-05-06 08:12:10,407 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-05-06 08:12:10,407 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-05-06 08:12:10,407 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-05-06 08:12:10,407 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-05-06 08:12:10,407 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-05-06 08:12:10,423 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-05-06 08:12:10,689 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-05-06 08:12:10,689 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-05-06 08:12:10,689 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-05-06 08:12:10,689 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-05-06 08:12:10,689 [root] DEBUG: attempting to configure 'Disguise' from data
2025-05-06 08:12:10,689 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-05-06 08:12:10,689 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-05-06 08:12:10,689 [modules.auxiliary.disguise] INFO: Disguising GUID to 9b7cdcea-e4d9-4c24-8a0c-bc615bd315ed
2025-05-06 08:12:10,689 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-05-06 08:12:10,689 [root] DEBUG: Initialized auxiliary module "Human"
2025-05-06 08:12:10,689 [root] DEBUG: attempting to configure 'Human' from data
2025-05-06 08:12:10,689 [root] DEBUG: module Human does not support data configuration, ignoring
2025-05-06 08:12:10,689 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-05-06 08:12:10,689 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-05-06 08:12:10,689 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-05-06 08:12:10,689 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-05-06 08:12:10,689 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-05-06 08:12:10,689 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-05-06 08:12:10,704 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-05-06 08:12:10,704 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-05-06 08:12:10,704 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-05-06 08:12:10,704 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-05-06 08:12:10,704 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-05-06 08:12:10,704 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-05-06 08:12:10,704 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-05-06 08:12:10,751 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-05-06 08:12:10,751 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-05-06 08:12:10,751 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pQxbIz.dll, loader C:\tmp_gell1p8\bin\EPCPTrhb.exe
2025-05-06 08:12:10,814 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\pQxbIz.dll.
2025-05-06 08:12:10,845 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-05-06 08:12:10,845 [root] INFO: Disabling sleep skipping.
2025-05-06 08:12:10,845 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-05-06 08:12:10,860 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-05-06 08:12:10,860 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-05-06 08:12:10,860 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-05-06 08:12:10,860 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6892, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-05-06 08:12:10,860 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-05-06 08:12:10,876 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-05-06 08:12:10,876 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-05-06 08:12:10,876 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\pQxbIz.dll.
2025-05-06 08:12:10,876 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-05-06 08:12:10,876 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-05-06 08:12:16,298 [root] INFO: Restarting WMI Service
2025-05-06 08:12:18,376 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2025-05-06 08:12:18,376 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2025-05-06 08:12:18,376 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-05-06 08:12:18,689 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Packager\AppData\Local\Temp\1.exe" with arguments "" with pid 6444
2025-05-06 08:12:18,689 [lib.api.process] INFO: Monitor config for <Process 6444 1.exe>: C:\tmp_gell1p8\dll\6444.ini
2025-05-06 08:12:18,704 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pQxbIz.dll, loader C:\tmp_gell1p <truncated>

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-05-06 07:12:10 2025-05-06 07:16:00 none

Type CobaltStrikeStager Config
Extracted From
md5
701fa5ddd821e37dc8cd2ce03b9338ab
sha1
dad93a9ca824ef3a251f79f3d31301a5d29195b5
sha256
629c428cb4a9e4232f9fd8108a0bfe9213c077ac65ca799f5a411b82b558ce85
sha3_384
7bd82a8150a98557b9eceb343b4b6308af5f281e7f12b198bc03bcd6a9f0c81e3384d906a4b7e9469767ab0912c47842
sha512
9070503a8265d79954f6ade6c2198796b8005569a847688bf30e1b8263ed639190d8e84a1e9bd796ccf73622b5bab69c57b13937350fcb111e7a32155bc15f37
netloc 118.24.173.126
path /Select/gifs/E1A12889V
port 89
headers
User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_07_00) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
inet_flags
  • INTERNET_FLAG_RELOAD
  • INTERNET_FLAG_NO_CACHE_WRITE
  • INTERNET_FLAG_KEEP_CONNECTION
  • INTERNET_FLAG_NO_UI
watermark 987654321
type HTTP

File Details

File Name
1.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 233472 bytes
MD5 a61481f5377130bc28a67ef4ccb90e59
SHA1 1857d8fea8320c8865d9301bbce4d3da2481fd81
SHA256 8af4fda691439a2c58a65c2dc1ba085f47d1c53ce82a720b272c657dd8b17141 [VT] [MWDB] [Bazaar]
SHA3-384 55d440d9be6b99b8656e9087054b4a0a5d7410789bc0a00068df5b47b53da4f7a8b86f12ff6aa9369798e4d9d033b14c
CRC32 A910F0F3
TLSH T16D348C17739570F4E46A42348B5289B5A3327C3283D4AF6F0EE87AE62D336D55D39A20
Ssdeep 3072:T6IMDsVAmT8d92YYVhJYtH3v52JhL/tfxq8+DViY5HMXxzftw8uP8RNP8RY:uIMDsVBTC9rGCHgdfKVB5s1tw8uy
File BinGraph Vba2Graph

Full Results

Engine Result
Bkav W64.AIDetectMalware
Elastic malicious (high confidence)
Skyhigh BehavesLike.Win64.Generic.dh
McAfee Artemis!A61481F53771
Cylance Unsafe
Sangfor Trojan.Win64.Agent.V9le
CrowdStrike win/malicious_confidence_70% (W)
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Generik.CYDHKBZ
APEX Malicious
Kaspersky Trojan.Win64.Ogneglazka.asx
Avast Win64:MalwareX-gen [Misc]
Rising Trojan.Kryptik@AI.91 (RDML:9lFd8Hvg1yf13yrM+5J4lw)
F-Secure Trojan.TR/AVI.Agent.dpnxp
McAfeeD ti!8AF4FDA69143
Trapmine suspicious.low.ml.score
CTX exe.trojan.generic
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
GData MSIL.Backdoor.Rozena.8SL6SK
Avira TR/AVI.Agent.dpnxp
Antiy-AVL Trojan/Win32.Sonbokli
Kingsoft malware.kb.a.987
Microsoft VirTool:Win64/CobaltStrike!rfn
Cynet Malicious (score: 100)
Panda Trj/Chgt.AD
Fortinet W32/PossibleThreat
AVG Win64:MalwareX-gen [Misc]
DeepInstinct MALICIOUS

Strings

__fastcall
0?-b``
l$ VWATAVAWH
\HLLL
es-py
@.data
DC'PAA9
@8j(t
0P0ptzuz
}|{<5
af-za
WQP/X
de-DE
====2
GetStartupInfoW
^DEE5a@
mscoree.dll
F565: d<
v5C9_
en-TT
L<tVu
<rsss
Saturday
zh-HK
Sunday
vJ+khFV
sma-NO
O>C:;:5y
x}|s;22x
smj-se
af-ZA
se-fi
mn-MN
A>pP&
__thiscall
zxxf/$U-
0vUWQ4
rK[|}}}
D$8L9
By?////
HHH69
`local vftable constructor closure'
lnflf
$$$$"
u8???
~8A9i
t7HcP
A\]]]
t$xfI
0A_A^A]A\_^[
Qwvvt
ftdc\
040904b0
`vector copy constructor iterator'
sl-SI
}}}}>
LCMapStringW
'wX_F__-]/
LoadLibraryExW
[[[[*
!*u**
vyfffff
X>7k/
new[]
ta-IN
m>===q+
ppppp
XY#}}}Ra
L$ |+L;
JE=CGG7
W_NDC
p"PPc
)W'"""
en-zw
otajif
mk-mk
SetStdHandle
rQP/W
tt-RU
0NJI&h
vAD8s(t
log10
uuuehjjidA
lPwDq>
f/V,U
sms-FI
es-AR
ZI$AII1
.pdata
es-sv
de-AT
`vector vbase copy constructor iterator'
ofbfe
__vectorcall
Gc#""
ar-TN
e7s-Q`
pu%N2
H]JBA>d
[#RLL*
v7F<e
zu-ZA
syr-SY
fD91uTL9r
+LTS,b
ar-om
A*[+jh
smn-fi
sk-SK
`virtual displacement map'
5===t
y|{t2
?f`Y4
`local static guard'
ky-KG
Q}d=a
VBXYYY
`local static thread guard'
V;`P&;
nb-no
ar-bh
0J7zt6Z
B>)Qommm
bp(=>?g
qzc|o
t1Lcc
aD5-(
xw?$`
8===$
da-DK
de-lu
bs-BA-Latn
@<???
_\[R5`)
000.O
X4444
EDD29yQ
GetCommandLineW
AN(YXXV'
smj-no
Q?<%E
ineIA
GetStringTypeW
sq-al
sl-si
'g+@!5
`A^_^
9.9.16.29927
L$@;|
CZRR(
/\b``^
{zu9B>
ca-es
(!.$CAA9
ffffff
FED;c
es-PA
sa-IN
ihhhV
FileDescription
FLNMHe$@3
I?>9b
?7zQ6$
_onnn
SPO(R
e9SgQuy
|XTVVF
8&.1b
ED$`H
IYXXV
=,lddb
gum4O
EACCC0)
it-it
adGp)^
=886G<
zh-CHT
t$`L#
e`_^[
ar-eg
A_A^A\_^
'Hz_g`
6111N7=g
`eh vector vbase copy constructor iterator'
mmmm)
sr-SP-Cyrl
9)~P3
TC*yhh
u/HcH<H
LT,f/O
&JJJJJ
WUT#W
xh-ZA
it-CH
0A_A^_^]
ar-DZ
es-HN
^0Y'cbJ2^f
en-GB
ml-IN
fi-FI
en-nz
UVWAVAWH
54YxCq
L$8H3
ka-GE
nl-nl
< t=<
cssc+
c7AjMc7>
TerminateProcess
en-jm
AkZ)^VV$
fr-ch
`string'
en-BZ
y3111N
?e[2.)(
Daeee
`udt returning'
@_RDATA
{www4E
sr-sp-latn
ar-AE
hr-ba
delete
!eR3v~}z S
}!"f"
E0HcH
,X|bccc
pt-pt
ko-KR
kV>7>
GetModuleHandleA
NCB=z
__based(
q{ /#BSS+
fCED;c
*,,*KJ
MEEEE5M
ar-YE
en-CB
GetModuleHandleW
D$PI;
ar-sa
PEBB8
HcQ<H
tPLNNL
syr-sy
es-mx
[ssssk,`
ru-RU
:rFMU
:R;065
sv-fi
Ur?4)
pa-IN
OriginalFilename
:8}8-
en-us
en-JM
|tttd
pt-PT
61I|mm
33333
es-DO
de-li
Ce"S#
4f\K/
IIII(
pB]P67
nooovx{z
b[ZZ
GetFileType
L$&8\$&t,8Y
ar-ye
0?;)88
UVWATAUAVAWH
zv~~|%
GetOEMCP
CloseHandle
x>???2
`RTTI
.?AVexception@std@@
__clrcall
@.reloc
VWATAVAW
@SUWH
wVUU%
en-ie
v@D8s(t
GetSystemTimeAsFileTime
T||||r5i
nlfln
!Hw"-
ar-LB
LnDl)
Wednesday
February
llllll
ZXXV'
ogvY?
et-ee
api-ms-win-appmodel-runtime-l1-1-2
SetUnhandledExceptionFilter
ja-jp
)a)X,
fa-ir
es-hn
dVsBk
id-id
bad exception
.?AVtype_info@@
QFPO.o
y6EqI/
D$ E3
.text
BF>^G
3$bccS
restrict(
November
Yh} vq
@UATAUAVAWH
FlsGetValue
4usrm
b=pr6
HQ466
[TZZZ
98t H
@USVWATAUAVH
GetEnvironmentStringsW
it-ch
fo-FO
pt-BR
cj,43
]^F6k
mt-mt
id-ID
vvvd-T,
SquirrelAwareVersion
Tencent
%!)))
B1>@AA9
Class Hierarchy Descriptor'
e0A_A^A]A\]
QbU9s
{xwv#B;2
api-ms-win-core-file-l1-2-4
GetACP
abcdefghijklmnopqrstuvwxyz
api-ms-win-rtcore-ntuser-window-l1-1-0
mk-MK
ar-ae
se-FI
C@@>?
`managed vector destructor iterator'
<;;;89
ATAUAVH
n03>Pu
mi-nz
w~,G+
sms-fi
1999F?
=imb;D
tr-tr
j_6&$#
api-ms-win-core-file-l1-2-2
en-IE
eu-es
da-dk
P]\[V
Q+zY.
D8t$ht
t$ WH
es-co
SetLastError
ru-ru
uAIHH6?s
ar-OM
3>N;kU
MJ`{V
,e`iax
A_A^A]A\_^[]
~1HRi
%"Dq``
en-ZW
8oML#k
Q<n;I
ntelD
p0R^G'
I]\\Z
u$D8r(t
UUUUUU
Eqf]^]
lflflf
Lp!o':
InitializeSListHead
uz-uz-latn
p1NAx
l2Hi,
CA@?c
m}4ic
NNMHe%G2
,/KPip
LeaveCriticalSection
WUT+S
VT1rX
NFE m
A8z(u
8~m_)
ko-kr
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
en-ZA
sr-SP-Latn
__restrict
D$(H;
LocaleNameToLCID
sq-AL
E0Lc`
eu-ES
qvsmx
uz-UZ-Latn
szzz
DACC;
`local vftable'
ar-SA
LcA<E3
}``_^'FGGG4
(~.cs
Qw(l(
R]f2%
sma-no
fr-BE
Type Descriptor'
BBB2:zd
October
ONM"T
es-bo
o,_tc
`A_A^A]A\_^]
gu-in
0iN>/
`vector vbase constructor iterator'
o]T&0q
LegalCopyright
([_^A^A_]
nl-BE
.'-+*
fr-MC
Hc}`I
bSB|qpo\i
he-il
@8{(u
zh-mo
~}}}<
ar-ma
]\[ZY
gDqn>
ns-za
is-IS
ntdll
@.00cfg
L$0H3
sw-KE
LLL29#g;
@r;.cS
7JE9HJJ0
9.9.16.29927-bf4701c1
wSSRRB
div-MV
WAVAWH
fr-LU
0n:::p
api-ms-win-core-localization-l1-2-1
/ZZYT
ZPXW$P
ur-PK
c(>\,
ar-SY
Y]\\B)3w
z][ZU
ar-jo
L$ WH
1IDATx
cs-cz
pA_A^A]A\_^[
fr-mc
~wwg/&
KGF9v
GetConsoleOutputCP
6%'~*
hi-in
\$8I;
/>58d%
GGGG4
Z6666
?<<:;<
SVWATAUAVAWH
JB@@>
ONN0?
az-az-cyrl
fr-FR
ka-ge
,/<-w
_qed[
Zcw\Ilk
sv-se
be-by
+h->|
/..,)
P_#QWWG
@@@>?
HTUU%
tuuu.CE
P1:76
4221
1=<<:;:
+M<7>
?>>>d
uzKs@>
se-se
vd*S*\
Ui&WJ
`eh vector vbase constructor iterator'
QNWOBA
HeapFree
es-CR
I+4$H
EH*?H
T$PE3
VK\k4
fSFzVFA
Friday
K&>.yC
L$@H3
az-AZ-Cyrl
IsValidCodePage
]dZU8|
-?>@sb
|.G&h
en-au
K:5NOO/
pe?('
@702C@@>
WQQQQ!X
UWAVH
~Nmpn
\$0H;
MultiByteToWideChar
@ppp`
H;xXu5
zh-MO
es-CL
HlBAAA
kXAE#32
1IDDD4r
c [1>H'
hr-HR
li~iy
ms-bn
~~~p7k/
>jtm}S
E8q(u
operator
sssc+
?=.uh1
en-CA
advapi32
Fd``^
544"+3{
tn-ZA
api-ms-win-core-datetime-l1-1-1
sr-ba-cyrl
ZWVQb
O8B}yyy
sw-ke
)&Brpp
vIKK3
`managed vector copy constructor iterator'
@SUVWATAVAWH
WATAUAVAWH
UAWAVVWSH
ro-RO
WQP/W
?qC(M:8SBB8
en-ph
bv_^Q
quz-PE
NNM"`
A_A^A]A\_
|$ E3
E20vrrp
@EE5i
lv-LV
J97PRRP!
KMLKh
vi-vn
/ P6pL
l/sh`
tLLLL
es-uy
FreeLibrary
^+?'
az-AZ-Latn
__swift_1
YXXV'
DC7z{{{
CompanyName
5O|AV
DPw(C
GetCurrentThreadId
quz-ec
sAE8l
C+..,
'L>[
K0HcQ
@SVWATAUAVAWH
((((( H
=q'2s
MNMR\
GetProcessHeap
5o|||\
fD94H}aD
es-EC
|'Hbgg
)OHGF
|QSS+
api-ms-
dddd, MMMM dd, yyyy
th-th
AGF9a
fD9t$b
NhvGw
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ar-sy
is-is
mi-NZ
fr-lu
@.gxfg
]t5D<
0A_A^A]
/-P?pR
DNM0m
kn-IN
PA_A^A]A\_^]
E*9:96x
pppn/$
AAAA1I
CCC30r
lv-lv
USVWAVH
kernelbase
zh-CN
es-BO
IyD&WV
th-TH
en-NZ
sk-sk
de-ch
D$0HcH
_SRR(
DZ[[[
lnfff
`vftable'
H;XXs
uk-ua
Mb9[T
`dynamic atexit destructor for '
ext-ms-win-ntuser-windowstation-l1-1-0
__stdcall
YON)U
gl-ES
ext-ms-win-ntuser-dialogbox-l1-1-0
bn-in
fr-CA
61Jy{zu-
ov.43
hy-AM
de-de
1999|
fr-be
*Tbkkk
XE)1l;*E-//
$bto
QTS,V
ar-MA
;H9>&X
f9)u4H9j
nh]Gj
sa-in
CIH'o
nnmhQR
!rM;%
ar-dz
tttd*+
u4I9}(
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
>[ITPH
tttr3L
qr587C9((
]J({yyy
en-PH
WF%vrrp
OXZZ
A_A^A]A\_^]
`vbtable'
ZY5$+iaa
mn-mn
__eabi
es-es
cy-gb
L$ L;
kk-kz
ry}:]S+
`vector deleting destructor'
hy-am
*StO9>T
ms-MY
September
"C{sss
^>>>>
NKJ5m
cy-GB
_______
operator<=>
HQPPN/
KH]J@?
WideCharToMultiByte
@SVWH
VarFileInfo
8D$@t
Complete Object Locator'
FindFirstFileExW
B^Xs>
BC?>6t9^
`omni callsig'
tDED;.}
`vector constructor iterator'
9Q\\\
y\PD>!
++++H
smn-FI
l+.-,
CreateFileW
es-cl
smj-NO
zh-TW
L$ VWAVH
qvvf(!
m5:5M<==
hr-hr
/H=*L5$$
ro-ro
fi-fi
ca-ES
zh-hk
s~~~$
`eh vector copy constructor iterator'
HH:mm:ss
sr-ba-latn
:::::r4
HcK H
nl-NL
et-EE
bg-bg
InitializeCriticalSectionAndSpinCount
user32
fB9<I}1L
xh-za
ar-ly
A_A^A]A\_
es-pr
Lj[;>
DeleteCriticalSection
RaiseException
yyyy6G
yxxxf
\$ WH
~ZPQQM6x
GXA'J*
RtlCaptureContext
nPRR(
@@_,\+
bg-BG
\~Y87,365
_e``^
vWs(d
@FE:`
VHKKK0
^I*+)(
RSS#c
uz-UZ-Cyrl
^z::::
<999
Nu\|zyv
A^A]A\_^[]
CL43$5/.
HeapReAlloc
ECB=m
1:96x
es-do
GetStdHandle
dddb#Z
es-pa
H!D$ H
|}}}6
A_A^_
@>%>b
~t#?b
WriteFile
,X|JKKK
`%rN9
he-IL
vKfffff
hu-hu
L;2Y]]
Ft&#g
"$$"SJ*
'`YHn
u3HcH<H
@A_A^A\_^][
be-BY
43(/('
lt-LT
(((&WNB
HcE_H
March
nb-NO
ja-JP
LCMapStringEx
elTLK
CorExitProcess
Tuesday
ZU)JMM-
Thursday
RtlLookupFunctionEntry
rqzb(
|b=})>
s;*f"
de-CH
QueryPerformanceCounter
December
`scalar deleting destructor'
GetCommandLineA
!te6c
AHYY!
StringFileInfo
ar-EG
AppPolicyGetProcessTerminationMethod
<<<:A=
|UVU*\
0A_A^A]A\_
}z;{
uz-uz-cyrl
@8<)u
GetCPInfo
`copy constructor closure'
DEDC2wF
es-ES
:<8'V
<i{<+.
1>B8::
)>6{1n
""}}})$8
tn-za
3<6GBB09
kn-in
es-pe
te-in
kok-IN
(t$PH
m}Y}-
ywvq0
_\["c
DI>77
ar-lb
uk-UA
es-cr
`eh vector constructor iterator'
x#"'GFFD
.xJ>Hf
Llr|&
@8k(t
`placement delete[] closure'
IS\[X.b&
^^^\)
se-no
GUSR-]
bs-ba-latn
quz-bo
i\w,ih
HcO H
-3dK`
CONOUT$
_SRRH
ar-LY
:::89
=yxwvi
ZRRP!
aNw/m
H```PV
IsDebuggerPresent
47a6L
hu-HU
+**(I
RtlVirtualUnwind
api-ms-win-core-string-l1-1-0
#v5mZ
gl-es
B.rsrc
sr-BA-Cyrl
April
GetModuleFileNameW
__unaligned
LdffV
Base Class Descriptor at (
Vfa`_Z
Monday
Vr.>T
('#>===
aF]XW
^M3TWW'
KERNEL32.dll
en-ca
es-SV
L!|$(L!
;I9}(tiH
#MTS,R
t$8H+
__swift_3
XQP/k
UnhandledExceptionFilter
ZOsoY
]L+6H
?:kP<
#{A6l
*l<?a
VS_VERSION_INFO
ffe`]}
dtpp`
x9q&)
uED8r(t
sma-SE
6|}u=
sv-SE
ss{{{
nn-NO
*%][^^\
B-4#L(,,
kernel32
__pascal
.'qlk
lt-lt
_PZHt
w)E4z
RtlUnwindEx
zKHLK
sma-se
en-tt
^aba\aa!
api-ms-win-core-xstate-l2-1-0
mt-MT
#+++H
GetProcAddress
ProductName
Hx3> /
TlsGetValue
Jx}}}
3>fvw
sr-sp-cyrl
ZZZT'_[
IGGGG
u>KO82wvv
eWRQN
\Y|}e
6>><u
ExitProcess
zh-sg
el-GR
fr-fr
kok-in
tr-TR
AkIH'o
?QY^&
es-gt
0%rzyt5.
!!!!^
LAriQv
te-IN
?UUUUUU
FileVersion
HeapSize
ar-tn
\Z{>Y
Q.'~&
!>6'Y
TlsAlloc
d)\ i
!This program cannot be run in DOS mode.$
ar-JO
(4\ T
GetConsoleMode
ext-ms-
RtlPcToFileHeader
zh-cn
ar-KW
pc5%E
}B,`6
H9>u+A
wr0?-a5
operator ""
r3Kgk
&GA@?g
nn-no
quz-EC
A^A]A\
div-mv
Unknown exception
en-za
`dynamic initializer for '
__ptr64
xA_A^A]A\_^[]
ar-iq
i|LgfaX
operator co_await
p@\xV.
U#,&ETT*
I4z{#
es-GT
HcG H
Npp":
fr-ca
es-PR
kk-KZ
ot$ H
GFE@yz
llkjW
n+Ht9
}z4o6
"-TNHG
__swift_2
pqppn
$?sAT
}ai08
gn^\[
wv9}|f
de-LU
ms-my
HeapAlloc
A_A^A\_^
WLGFF
+<w{zu-
ZZYT9xyyy
COJJJ*h
tt-ru
es-PY
FlsFree
C@R}x%
Kgggg
api-ms-win-core-winrt-l1-1-0
)r`{n
p*W4H
1b$$5
FreeEnvironmentStringsW
PON)L
InternalName
7N]*&;_
ZU-XII1
en-AU
Q,zNj
hr-BA
WjgR]
hi-IN
C1r('[wtt
IsProcessorFeaturePresent
August
`vector destructor iterator'
MM/dd/yy
}r.:bQ
en-US
'0777D=
FindNextFileW
TlsSetValue
D$0@8{
FlsAlloc
FindClose
es-ve
tutsl0
en-gb
3CbSK@
*%]vppng
VATAUAVAWH
VWATAVAWH
gssssc
api-ms-win-security-systemfunctions-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
|$ D!
GetCurrentProcessId
ky-kg
`default constructor closure'
Ef +BD
es-PE
`vbase destructor'
YFO;<;
Base Class Array'
>>>>xO
pl-PL
111-N
vi-VN
`placement delete closure'
u%@8j(t
9.wsss
1_\["
ar-kw
`-4f}|{<p
ar-QA
WriteConsoleW
7SQPO
`vcall'
Ry6G?
uddb#RHM
V6E>`"(5
\zyyy1(
^xfL#
el-gr
IF:pss
^~E/Q
p*Z\h
ms-BN
1z.qe~
lsqpo
'PwF\]
tRLcY
[YX'`
)zzytE
quz-pe
Fw^lts
gT{A,n
InitializeCriticalSectionEx
EncodePointer
P=eaO
jJI&h
es-ar
!eR3Wut
AreFileApisANSI
2Aqppn
,r8&5
L$ I;
D$PH+
HHH6O
K~Je#>!
.?AVbad_exception@std@@
A^_^[]
BBB@1
`eh vector destructor iterator'
January
+f)>0'
zu-za
KoGFF
KH,{K
Kurqn
imlk&
utttd
EnterCriticalSection
es-NI
+9:5N
`typeof'
stsr/
GetCurrentProcess
og+
u=B#o
cs-CZ
nl-be
K2#u,
Tr{n*b/
fa-IR
p;Y>u
z E7t
__cdecl
D$@H+
z&&&&
E)XG&wsss
B(I9A(u
oYOi,
smj-SE
|~}x9L
Translation
HIIE6
[XW(^
en-cb
ar-qa
FlsSetValue
mr-IN
ffffff.
se-NO
YXW&g
TlsFree
WD2|}}}
it-IT
;;:5}
delete[]
L@rk3q0$
L$ fff
zh-SG
L$0H;
ProductVersion
FlushFileBuffers
sv-FI
KJIDu
`managed vector constructor iterator'
RNN.T
/////////...(+++++++
gu-IN
X&++++++
4r@O+
szzyt
XTEE5
HGcQJ
mw[_J+4
pa-in
D!|$xA
D81uUL9r
es-ni
5 $\n
api-ms-win-core-processthreads-l1-1-2
ta-in
KJI&T
quz-BO
p}}}|
Im)VO
Fy>_L<CBB8
xSVU*P
x AVH
~|t{w
!.@lnn
9j YE
fffff
pl-pl
ns-ZA
DxC5$
api-ms-win-core-synch-l1-2-0
az-az-latn
zh-CHS
.Z~lmmm%"
<NRQ.P
en-bz
VONM*n*
de-at
Kt)ps
api-ms-win-core-fibers-l1-1-1
kE>fvw
vm+>?
TUUUU
GetModuleHandleExW
api-ms-win-core-localization-obsolete-l1-2-0
^=F] _
fr-CH
Pd*+++
es-UY
se-SE
SetFilePointerEx
es-CO
Copyright (C) 1999-2024 Tencent. All Rights Reserved
t$ WATAUAVAWH
GetLastError
@USVWATAUAVAWH
~ '0q
nJ@AA1e
ar-IQ
\$@H;
zh-chs
xxxx>
fffffff
gPRRP!
es-VE
`anonymous namespace'
AUAVAWH
i*hOw
yA@@>?
0||{r[
mr-in
0A_A^A]A\^
zh-cht
RzS\WVI
zh-tw
es-MX
pt-br
}?===
tsrm,
ur-pk
bn-IN
sr-BA-Latn
(fgggW
A_A^A]A\]
es-ec
gu:n[
ml-in
`.rdata
ar-BH
?]^P/nP
GG7o=
fo-fo
---)
de-LI
=dM@sQ
OkCCCC

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x140000000 0x0000cb74 0x00000000 0x0003916e 6.0 2025-04-30 06:45:15 7dd43f69585b7ae9b0797243b0c3da8d

Version Infos

CompanyName Tencent
FileDescription QQEX
FileVersion 9.9.16.29927
InternalName QQ
LegalCopyright Copyright (C) 1999-2024 Tencent. All Rights Reserved
OriginalFilename
ProductName QQEX
ProductVersion 9.9.16.29927-bf4701c1
SquirrelAwareVersion 1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0000ef86 0x0000f000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.52
.rdata 0x0000f400 0x00010000 0x000091d4 0x00009200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.71
.data 0x00018600 0x0001a000 0x0000fa9c 0x0000ea00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.90
.pdata 0x00027000 0x0002a000 0x00000fcc 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.83
.00cfg 0x00028000 0x0002b000 0x00000038 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.39
.gxfg 0x00028200 0x0002c000 0x00001000 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.08
_RDATA 0x00029200 0x0002d000 0x000001f4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.69
.reloc 0x00029400 0x0002e000 0x00000688 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.95
.rsrc 0x00029c00 0x0002f000 0x00001000 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.l2 0x0002ac00 0x00030000 0x00007000 0x00007000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.36
.l2 0x00031c00 0x00037000 0x00007400 0x00007400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.37
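The checks behind several of the report's signatures (unknown section names, a high-entropy section, duplicated section names, and the entry-point anomaly) can be re-run from the section table above. The following Python is an added example, not CAPE's own code: the section data and entry point are copied from this report, while the list of "known" section names and the 7.0 entropy threshold are assumptions chosen to reproduce what the signatures flagged. One caveat the table itself supports: the reported entry point 0x0000cb74 lies inside .text (0x00001000 to 0x0000ff86), so the "Entrypoint of binary is located outside of any mapped sections" anomaly listed under Signatures is worth re-checking against the file rather than taken at face value.

```python
# Added example (not CAPE code): re-derives the section-table checks behind the
# report's packing/anomaly signatures from the values printed in the report.
import math
from collections import Counter

# Assumption: section names a stock MSVC-style build emits; anything else is
# reported as "unknown", as the sandbox signature does.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".xdata"}

# Section table copied from the report for 1.exe:
# (name, virtual address, virtual size, entropy as reported)
SECTIONS = [
    (".text",  0x00001000, 0x0000ef86, 6.52),
    (".rdata", 0x00010000, 0x000091d4, 4.71),
    (".data",  0x0001a000, 0x0000fa9c, 7.90),
    (".pdata", 0x0002a000, 0x00000fcc, 4.83),
    (".00cfg", 0x0002b000, 0x00000038, 0.39),
    (".gxfg",  0x0002c000, 0x00001000, 5.08),
    ("_RDATA", 0x0002d000, 0x000001f4, 3.69),
    (".reloc", 0x0002e000, 0x00000688, 4.95),
    (".rsrc",  0x0002f000, 0x00001000, 0.00),
    (".l2",    0x00030000, 0x00007000, 4.36),
    (".l2",    0x00037000, 0x00007400, 4.37),
]
ENTRY_POINT_RVA = 0x0000cb74  # AddressOfEntryPoint as printed in the report


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy (0.0 .. 8.0), the measure behind the
    report's per-section entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None when the
    RVA maps to no section (the condition the anomaly signature looks for)."""
    for name, va, vsize, _ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def check_sections(sections, entry_rva, high_entropy=7.0):
    """Apply the four checks and return what each one flags.
    high_entropy is an assumed threshold, not CAPE's exact value."""
    counts = Counter(name for name, *_ in sections)
    return {
        "unknown_names": [n for n, *_ in sections if n not in KNOWN_SECTIONS],
        "duplicate_names": sorted(n for n, c in counts.items() if c > 1),
        "high_entropy": [n for n, _, _, e in sections if e >= high_entropy],
        "entry_section": section_for_rva(sections, entry_rva),
    }


if __name__ == "__main__":
    for key, value in check_sections(SECTIONS, ENTRY_POINT_RVA).items():
        print(f"{key}: {value}")
```

Run on the report's values it lists .00cfg, .gxfg, _RDATA and both .l2 sections as unknown, .l2 as duplicated, .data (7.90) as the high-entropy section, and .text as the section holding the entry point. To apply the same checks to the file itself, feed it a section table read with pefile and compute the entropy column from each section's raw bytes with shannon_entropy.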

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00037258 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 3.09 None
RT_ICON 0x00037380 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.50 None
RT_ICON 0x00037668 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 4.16 None
RT_ICON 0x00037bd0 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.52 None
RT_ICON 0x00038478 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.70 None
RT_ICON 0x00039320 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 2.97 None
RT_ICON 0x00039788 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.60 None
RT_ICON 0x0003a830 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.26 None
RT_ICON 0x0003cdd8 0x0000116a LANG_ENGLISH SUBLANG_ENGLISH_US 7.76 None
RT_VERSION 0x0003dfc8 0x00000314 LANG_ENGLISH SUBLANG_ENGLISH_US 3.48 None

Imports

Name Address
CloseHandle 0x140017c80
CreateFileW 0x140017c88
DeleteCriticalSection 0x140017c90
EncodePointer 0x140017c98
EnterCriticalSection 0x140017ca0
ExitProcess 0x140017ca8
FindClose 0x140017cb0
FindFirstFileExW 0x140017cb8
FindNextFileW 0x140017cc0
FlsAlloc 0x140017cc8
FlsFree 0x140017cd0
FlsGetValue 0x140017cd8
FlsSetValue 0x140017ce0
FlushFileBuffers 0x140017ce8
FreeEnvironmentStringsW 0x140017cf0
FreeLibrary 0x140017cf8
GetACP 0x140017d00
GetCPInfo 0x140017d08
GetCommandLineA 0x140017d10
GetCommandLineW 0x140017d18
GetConsoleMode 0x140017d20
GetConsoleOutputCP 0x140017d28
GetCurrentProcess 0x140017d30
GetCurrentProcessId 0x140017d38
GetCurrentThreadId 0x140017d40
GetEnvironmentStringsW 0x140017d48
GetFileType 0x140017d50
GetLastError 0x140017d58
GetModuleFileNameW 0x140017d60
GetModuleHandleA 0x140017d68
GetModuleHandleExW 0x140017d70
GetModuleHandleW 0x140017d78
GetOEMCP 0x140017d80
GetProcAddress 0x140017d88
GetProcessHeap 0x140017d90
GetStartupInfoW 0x140017d98
GetStdHandle 0x140017da0
GetStringTypeW 0x140017da8
GetSystemTimeAsFileTime 0x140017db0
HeapAlloc 0x140017db8
HeapFree 0x140017dc0
HeapReAlloc 0x140017dc8
HeapSize 0x140017dd0
InitializeCriticalSectionAndSpinCount 0x140017dd8
InitializeSListHead 0x140017de0
IsDebuggerPresent 0x140017de8
IsProcessorFeaturePresent 0x140017df0
IsValidCodePage 0x140017df8
LCMapStringW 0x140017e00
LeaveCriticalSection 0x140017e08
LoadLibraryExW 0x140017e10
MultiByteToWideChar 0x140017e18
QueryPerformanceCounter 0x140017e20
RaiseException 0x140017e28
RtlCaptureContext 0x140017e30
RtlLookupFunctionEntry 0x140017e38
RtlPcToFileHeader 0x140017e40
RtlUnwindEx 0x140017e48
RtlVirtualUnwind 0x140017e50
SetFilePointerEx 0x140017e58
SetLastError 0x140017e60
SetStdHandle 0x140017e68
SetUnhandledExceptionFilter 0x140017e70
TerminateProcess 0x140017e78
TlsAlloc 0x140017e80
TlsFree 0x140017e88
TlsGetValue 0x140017e90
TlsSetValue 0x140017e98
UnhandledExceptionFilter 0x140017ea0
WideCharToMultiByte 0x140017ea8
WriteConsoleW 0x140017eb0
WriteFile 0x140017eb8


Usage

Processing ( 1.64 seconds )

  • 1.532 CAPE
  • 0.08 BehaviorAnalysis
  • 0.023 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.07 seconds )

  • 0.009 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.004 infostealer_ftp
  • 0.004 territorial_disputes_sigs
  • 0.003 antiav_detectfile
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 ketrican_regkeys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 recon_fingerprint

Reporting ( 0.01 seconds )

  • 0.013 CAPASummary
  • 0.002 JsonDump

Signatures

Attempts to connect to a dead IP:Port (1 unique times)
SetUnhandledExceptionFilter detected (possible anti-debug)
Performs HTTP requests potentially not found in PCAP.
  url: http://118.24.173.126:89/Select/gifs/E1A12889V
The binary contains an unknown PE section name indicative of packing
  unknown section: {'name': '.00cfg', 'raw_address': '0x00028000', 'virtual_address': '0x0002b000', 'virtual_size': '0x00000038', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '0.39'}
  unknown section: {'name': '.gxfg', 'raw_address': '0x00028200', 'virtual_address': '0x0002c000', 'virtual_size': '0x00001000', 'size_of_data': '0x00001000', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '5.08'}
  unknown section: {'name': '_RDATA', 'raw_address': '0x00029200', 'virtual_address': '0x0002d000', 'virtual_size': '0x000001f4', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '3.69'}
  unknown section: {'name': '.l2', 'raw_address': '0x0002ac00', 'virtual_address': '0x00030000', 'virtual_size': '0x00007000', 'size_of_data': '0x00007000', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '4.36'}
  unknown section: {'name': '.l2', 'raw_address': '0x00031c00', 'virtual_address': '0x00037000', 'virtual_size': '0x00007400', 'size_of_data': '0x00007400', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '4.37'}
The binary likely contains encrypted or compressed data
  section: {'name': '.data', 'raw_address': '0x00018600', 'virtual_address': '0x0001a000', 'virtual_size': '0x0000fa9c', 'size_of_data': '0x0000ea00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '7.90'}
Creates RWX memory
Touches a file containing cookies, possibly for information gathering
  Process: 1.exe (6444)
  file C:\Users\Packager\AppData\Local\Microsoft\Windows\INetCookies
  Process: 1.exe (6444)
  file C:\Users\Packager\AppData\Local\Microsoft\Windows\INetCookies
Yara detections observed in process dumps, payloads or dropped files
  Hit: PID 6444 triggered the Yara rule 'shellcode_peb_parsing' with data '['{ 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 }']'
  Hit: PID 6444 triggered the Yara rule 'CobaltStrikeStager' with data '['{ 49 BE 77 69 6E 69 6E 65 74 00 41 56 49 89 E6 4C 89 F1 41 BA 4C 77 26 07 }']'
Anomalous binary characteristics
  anomaly: Found duplicated section names
  anomaly: Entrypoint of binary is located outside of any mapped sections
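The two Yara hits above decode to, respectively, the x64 PEB walk that locates loaded modules (xor rdx,rdx; mov rdx,gs:[rdx+0x60]; mov rdx,[rdx+0x18]; mov rdx,[rdx+0x20]; mov rsi,[rdx+0x50]) and the stager loading WinINet (mov r14,"wininet\0"; push r14; mov r14,rsp; mov rcx,r14; mov r10d,0x0726774C). That last constant is the ROR13 hash of kernel32.dll!LoadLibraryA used by the Metasploit/Cobalt Strike block_api resolver, which is why a config extractor can recover which APIs a stager calls without any import table. The Python below is an added example, not code from this report or from CAPE: it re-implements that hashing scheme so the `mov r10d, imm32` constants in a stager can be mapped back to API names, scans a buffer for the same two patterns, and decodes the WinINet dwFlags word that the inet_flags list in the CobaltStrikeStager config block near the top represents (those four flags OR together to 0x84400200). The list of stager APIs and the sample buffer are assumptions; the buffer is constructed here and contains nothing from the sample beyond the two quoted patterns.

```python
# Added example (not from the report or CAPE): resolve block_api hashes, match
# the two stager byte patterns from the report's Yara hits, decode dwFlags.
import re
import struct

# Byte sequences exactly as quoted in the report's Yara hits for PID 6444.
PEB_WALK = bytes.fromhex("4831D265488B5260488B5218488B5220488B7250")
WININET_LOADLIB = bytes.fromhex("49BE77696E696E65740041564989E64C89F141BA4C772607")

# mov r10d, imm32 (41 BA imm32): how the stager hands an API hash to its resolver.
MOV_R10D = re.compile(rb"\x41\xBA(.{4})", re.DOTALL)

# Assumption: the APIs an HTTP stager of this family resolves.
STAGER_APIS = [
    ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"), ("wininet.dll", "InternetOpenA"),
    ("wininet.dll", "InternetConnectA"), ("wininet.dll", "HttpOpenRequestA"),
    ("wininet.dll", "HttpSendRequestA"), ("wininet.dll", "InternetSetOptionA"),
    ("wininet.dll", "InternetReadFile"),
]

# WinINet dwFlags bits (wininet.h) that HTTP stagers pass to HttpOpenRequestA.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID", 0x00000200: "INTERNET_FLAG_NO_UI",
}


def ror32(value: int, bits: int) -> int:
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def api_hash(module: str, function: str) -> int:
    """block_api hash: ROR13-accumulate the upper-cased UTF-16LE module name
    (NUL included) and the ASCII function name (NUL included), then add."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = ror32(h_mod, 13) + b
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = ror32(h_fn, 13) + b
    return (h_mod + h_fn) & 0xFFFFFFFF


HASH_TABLE = {api_hash(m, f): f"{m}!{f}" for m, f in STAGER_APIS}


def scan_stager(buf: bytes):
    """(offset, label) pairs: the two report patterns where present, plus every
    41 BA hash load resolved through HASH_TABLE (unknown hashes kept as hex)."""
    findings = []
    for label, pattern in (("peb_walk", PEB_WALK), ("wininet_loadlibrary", WININET_LOADLIB)):
        off = buf.find(pattern)
        if off != -1:
            findings.append((off, label))
    for m in MOV_R10D.finditer(buf):
        h = struct.unpack("<I", m.group(1))[0]
        findings.append((m.start(), HASH_TABLE.get(h, f"unknown_hash_{h:08x}")))
    return sorted(findings)


def decode_inet_flags(dwflags: int):
    """Names of the known bits set in dwflags, highest bit first; any leftover
    bits are reported as hex so nothing is silently dropped."""
    names, rest = [], dwflags
    for bit in sorted(INTERNET_FLAGS, reverse=True):
        if dwflags & bit:
            names.append(INTERNET_FLAGS[bit])
            rest &= ~bit
    if rest:
        names.append(f"unknown_0x{rest:08x}")
    return names


# Constructed sample (not the real stager): the two report patterns, filler,
# a call rbp, and one extra hash load for VirtualAlloc.
SAMPLE = (b"\x90" * 4 + PEB_WALK + b"\x90" * 8 + WININET_LOADLIB
          + b"\xFF\xD5"
          + b"\x41\xBA" + struct.pack("<I", api_hash("kernel32.dll", "VirtualAlloc")))

if __name__ == "__main__":
    print(f"LoadLibraryA hash: {api_hash('kernel32.dll', 'LoadLibraryA'):#010x}")
    for off, label in scan_stager(SAMPLE):
        print(f"{off:#06x}  {label}")
    print(decode_inet_flags(0x84400200))
```

On the constructed buffer the scanner reports the PEB walk, the wininet load, and the two resolved hash loads in offset order; decode_inet_flags(0x84400200) returns the same four names the config block lists. To use this on a real memory dump, pass the dumped bytes to scan_stager and extend STAGER_APIS with whatever else the family is known to resolve; the hash table is computed at import time, so no constants need to be hard-coded.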

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

\??\pipe\MSSE-5847-server
C:\Users\Packager\AppData\Local\Temp\IPHLPAPI.DLL
C:\Windows\System32\IPHLPAPI.DLL
C:\Windows\System32\winnsi.dll
\??\Nsi
C:\Users\Packager\AppData\Local\Temp\urlmon.dll
C:\Windows\System32\urlmon.dll
C:\Users\Packager\AppData\Local\Temp\srvcli.dll
C:\Windows\System32\srvcli.dll
C:\Users\Packager\AppData\Local\Temp\netutils.dll
C:\Windows\System32\netutils.dll
C:\Users\Packager
C:\Users\Packager\AppData\Local
C:\Users\Packager\AppData\Local\Microsoft\Windows\INetCache
C:\Users\Packager\AppData\Local\Microsoft\Windows
C:\Users\Packager\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
C:\Users\Packager\AppData\Local\Microsoft\Windows\INetCache\IE
C:\Users\Packager\AppData\Local\Microsoft\Windows\INetCookies
C:\Users\Packager\AppData\Local\Microsoft\Windows\INetCookies\ESE\
C:\Windows\System32\en-US\mswsock.dll.mui
C:\Windows\System32\en-US\wshqos.dll.mui
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\AutoProxyAutoLogonIfChallenged
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttpLowerCaseHost
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_LOCAL_MACHINE\ZoneMap\Ranges\
HKEY_CURRENT_USER\ZoneMap\Ranges\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-64934406-199802361-3218922526-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-64934406-199802361-3218922526-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PropertyBag
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\3\KnownFolders
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\AutoProxyAutoLogonIfChallenged
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttpLowerCaseHost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-64934406-199802361-3218922526-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\InitFolderHandler
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Local\SM0:6444:304:WilStaging_02
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\SM0:6444:120:WilError_03

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.