Analysis Report · CAPE Sandbox

Detection(s):

Analysis Details

Category	Package	Started	Completed	Duration	Logs
FILE	exe	2026-04-28 01:32:15	2026-04-28 01:39:49	454s
Reports	JSON

Analysis Log

2026-03-05 20:34:39,038 [root] INFO: Date set to: 20260428T01:32:42, timeout set to: 300
2026-04-28 01:32:42,157 [root] DEBUG: Starting analyzer from: C:\ltb6yatm
2026-04-28 01:32:42,173 [root] DEBUG: Storing results at: C:\atsPQMC
2026-04-28 01:32:42,173 [root] DEBUG: Pipe server name: \\.\PIPE\HAyCBZRUua
2026-04-28 01:32:42,173 [root] DEBUG: Python path: C:\Python310
2026-04-28 01:32:42,173 [root] INFO: analysis running as an admin
2026-04-28 01:32:42,173 [root] INFO: analysis package specified: "exe"
2026-04-28 01:32:42,173 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2026-04-28 01:32:42,173 [root] DEBUG: imported analysis package "exe"
2026-04-28 01:32:42,173 [root] DEBUG: initializing analysis package "exe"...
2026-04-28 01:32:42,173 [lib.common.common] INFO: wrapping
2026-04-28 01:32:42,173 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-04-28 01:32:42,173 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\2026-04-28_1db227e867a99
2026-04-28 01:32:42,173 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2026-04-28 01:32:42,173 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2026-04-28 01:32:42,188 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2026-04-28 01:32:42,266 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2026-04-28 01:32:42,329 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-04-28 01:32:42,345 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-04-28 01:32:42,376 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-04-28 01:32:42,407 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-04-28 01:32:42,454 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-04-28 01:32:42,485 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-04-28 01:32:42,641 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-04-28 01:32:42,688 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2026-04-28 01:32:42,704 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-04-28 01:32:42,720 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-04-28 01:32:42,720 [root] DEBUG: Initialized auxiliary module "Browser"
2026-04-28 01:32:42,735 [root] DEBUG: attempting to configure 'Browser' from data
2026-04-28 01:32:42,735 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-04-28 01:32:42,735 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-04-28 01:32:42,766 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-04-28 01:32:42,782 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-04-28 01:32:42,798 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-04-28 01:32:42,798 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-04-28 01:32:42,798 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-04-28 01:32:42,798 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-04-28 01:33:10,501 [modules.auxiliary.digisig] DEBUG: File is not signed
2026-04-28 01:33:10,501 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-04-28 01:33:10,517 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-04-28 01:33:10,517 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-04-28 01:33:10,517 [root] DEBUG: attempting to configure 'Disguise' from data
2026-04-28 01:33:10,517 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-04-28 01:33:10,517 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-04-28 01:33:10,548 [modules.auxiliary.disguise] INFO: Disguising GUID to 6b9a3844-e5e9-4b8f-8273-3d933544835e
2026-04-28 01:33:10,548 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-04-28 01:33:10,548 [root] DEBUG: Initialized auxiliary module "Human"
2026-04-28 01:33:10,548 [root] DEBUG: attempting to configure 'Human' from data
2026-04-28 01:33:10,548 [root] DEBUG: module Human does not support data configuration, ignoring
2026-04-28 01:33:10,548 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-04-28 01:33:10,563 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-04-28 01:33:10,563 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-04-28 01:33:10,563 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-04-28 01:33:10,563 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-04-28 01:33:10,563 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-04-28 01:33:10,610 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-04-28 01:33:10,688 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-04-28 01:33:10,688 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-04-28 01:33:10,688 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-04-28 01:33:10,704 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-04-28 01:33:10,704 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644
2026-04-28 01:33:11,001 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\ltb6yatm\dll\644.ini
2026-04-28 01:33:11,001 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-04-28 01:33:11,032 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:33:11,126 [root] DEBUG: Loader: Injecting process 644 with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:33:11,595 [root] DEBUG: 644: Python path set to 'C:\Python310'.
2026-04-28 01:33:11,610 [root] DEBUG: 644: Disabling sleep skipping.
2026-04-28 01:33:11,610 [root] DEBUG: 644: TLS secret dump mode enabled.
2026-04-28 01:33:12,204 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:33:12,220 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABCB0000, thread 6112, image base 0x00007FF7C23E0000, stack from 0x0000008E4C472000-0x0000008E4C480000
2026-04-28 01:33:12,220 [root] DEBUG: 644: Commandline: C:\Windows\system32\lsass.exe
2026-04-28 01:33:12,251 [root] DEBUG: 644: Hooked 5 out of 5 functions
2026-04-28 01:33:12,251 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-04-28 01:33:12,251 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:33:12,266 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe>
2026-04-28 01:33:12,266 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-04-28 01:33:12,345 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\atsPQMC\tlsdump\tlsdump.log
2026-04-28 01:33:19,220 [root] INFO: Restarting WMI Service
2026-04-28 01:33:19,266 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2026-04-28 01:33:19,266 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2026-04-28 01:33:19,360 [lib.common.common] INFO: Submitted file is missing extension, adding .exe
2026-04-28 01:33:19,360 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-04-28 01:33:19,876 [lib.api.process] INFO: Successfully executed process from path "C:\Users\cape\AppData\Local\Temp\2026-04-28_1db227e867a99.exe" with arguments "" with pid 7508
2026-04-28 01:33:19,876 [lib.api.process] INFO: Monitor config for <Process 7508 2026-04-28_1db227e867a99.exe>: C:\ltb6yatm\dll\7508.ini
2026-04-28 01:33:19,892 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:33:20,001 [root] DEBUG: Loader: Injecting process 7508 (thread 6940) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:33:20,017 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:33:20,017 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:33:20,032 [lib.api.process] INFO: Injected into 32-bit <Process 7508 2026-04-28_1db227e867a99.exe>
2026-04-28 01:33:22,048 [lib.api.process] INFO: Successfully resumed <Process 7508 2026-04-28_1db227e867a99.exe>
2026-04-28 01:33:22,595 [root] DEBUG: 7508: Python path set to 'C:\Python310'.
2026-04-28 01:33:22,642 [root] DEBUG: 7508: Disabling sleep skipping.
2026-04-28 01:33:22,642 [root] DEBUG: 7508: Dropped file limit defaulting to 100.
2026-04-28 01:33:22,704 [root] DEBUG: 7508: YaraInit: Compiled 44 rule files
2026-04-28 01:33:22,704 [root] DEBUG: 7508: YaraInit: Compiled rules saved to file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:33:22,704 [root] DEBUG: 7508: YaraScan: Scanning 0x00400000, size 0x1ff800
2026-04-28 01:33:22,751 [root] DEBUG: 7508: Monitor initialised: 32-bit capemon loaded in process 7508 at 0x73f00000, thread 6940, image base 0x400000, stack from 0x192000-0x1a0000
2026-04-28 01:33:22,751 [root] DEBUG: 7508: Commandline: "C:\Users\cape\AppData\Local\Temp\2026-04-28_1db227e867a99.exe"
2026-04-28 01:33:23,845 [root] DEBUG: 7508: Yara error: Scanning timed out
2026-04-28 01:33:24,970 [root] DEBUG: 7508: Yara error: Scanning timed out
2026-04-28 01:33:25,001 [root] DEBUG: 7508: hook_api: Warning - SetWindowLongW export address 0x75D45420 differs from GetProcAddress -> 0x750E59E0 (apphelp.dll::0xff3d59e0)
2026-04-28 01:33:25,001 [root] DEBUG: 7508: hook_api: Warning - EnumDisplayDevicesA export address 0x75D395A0 differs from GetProcAddress -> 0x750E6780 (apphelp.dll::0xff3d6780)
2026-04-28 01:33:25,001 [root] DEBUG: 7508: hook_api: Warning - EnumDisplayDevicesW export address 0x75D4FB70 differs from GetProcAddress -> 0x7510E4D0 (apphelp.dll::0xff3fe4d0)
2026-04-28 01:33:25,079 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:33:25,079 [root] DEBUG: 7508: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:33:25,079 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:33:25,095 [root] DEBUG: 7508: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:33:25,517 [root] DEBUG: 7508: Hooked 630 out of 632 functions
2026-04-28 01:33:25,548 [root] DEBUG: 7508: Syscall hook installed, syscall logging level 1
2026-04-28 01:33:25,563 [root] DEBUG: 7508: RestoreHeaders: Restored original import table.
2026-04-28 01:33:25,563 [root] INFO: Loaded monitor into process with pid 7508
2026-04-28 01:33:25,563 [root] DEBUG: 7508: caller_dispatch: Added region at 0x00400000 to tracked regions list (kernel32::HeapCreate returns to 0x0040D54F, thread 6940).
2026-04-28 01:33:25,579 [root] DEBUG: 7508: YaraScan: Scanning 0x00400000, size 0x1ff800
2026-04-28 01:33:25,611 [root] DEBUG: 7508: ProcessImageBase: Main module image at 0x00400000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:33:25,626 [root] DEBUG: 7508: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:33:25,626 [root] DEBUG: 7508: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:33:25,626 [root] DEBUG: 7508: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:33:25,626 [root] DEBUG: 7508: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:33:27,610 [root] DEBUG: 7508: DLL loaded at 0x73EA0000: C:\Windows\SYSTEM32\mscoree (0x52000 bytes).
2026-04-28 01:33:30,095 [root] DEBUG: 7508: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:33:35,986 [root] DEBUG: 7508: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:33:35,986 [root] DEBUG: 7508: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:33:36,079 [root] DEBUG: 7508: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:33:43,266 [root] DEBUG: 7508: AllocationHandler: Adding allocation to tracked region list: 0x023A3000, size: 0x1000.
2026-04-28 01:33:43,282 [root] DEBUG: 7508: GetEntropy: Error - Supplied address inaccessible: 0x023A0000
2026-04-28 01:33:43,282 [root] DEBUG: 7508: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:33:43,642 [root] DEBUG: 7508: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:33:46,048 [root] DEBUG: 7508: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 6940).
2026-04-28 01:33:46,048 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:33:49,142 [root] DEBUG: 7508: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:33:49,517 [root] DEBUG: 7508: AllocationHandler: Adding allocation to tracked region list: 0x04C50000, size: 0x1000.
2026-04-28 01:33:49,517 [root] DEBUG: 7508: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:33:49,548 [root] DEBUG: 7508: AllocationHandler: Adding allocation to tracked region list: 0x078C1000, size: 0x1000.
2026-04-28 01:33:49,642 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x078C0000.
2026-04-28 01:33:49,767 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x023A0000.
2026-04-28 01:33:49,782 [root] DEBUG: 7508: DumpPEsInRange: Scanning range 0x023A0000 - 0x023A1615.
2026-04-28 01:33:49,782 [root] DEBUG: 7508: ScanForDisguisedPE: No PE image located in range 0x023A0000-0x023A1615.
2026-04-28 01:33:49,798 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7508_1900357249332227142026 to CAPE\98c41c58fa8ebef34271abaf600052a48ae6f4a2b8964e4e7017b1248c1df17a; Size is 5653; Max size: 100000000
2026-04-28 01:33:49,813 [root] DEBUG: 7508: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7508_1900357249332227142026 (size 5653 bytes)
2026-04-28 01:33:49,813 [root] DEBUG: 7508: DumpRegion: Dumped entire allocation from 0x023A0000, size 8192 bytes.
2026-04-28 01:33:49,813 [root] DEBUG: 7508: ProcessTrackedRegion: Dumped region at 0x023A0000.
2026-04-28 01:33:49,813 [root] DEBUG: 7508: YaraScan: Scanning 0x023A0000, size 0x1615
2026-04-28 01:33:50,095 [root] DEBUG: 7508: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\wldp (0x27000 bytes).
2026-04-28 01:33:50,110 [root] DEBUG: 7508: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:33:50,142 [root] DEBUG: 7508: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:33:50,142 [root] DEBUG: 7508: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:33:50,438 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x078C0000.
2026-04-28 01:33:50,438 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x078C0000.
2026-04-28 01:33:50,536 [root] DEBUG: 7508: AllocationHandler: Adding allocation to tracked region list: 0x03CFB000, size: 0x1000.
2026-04-28 01:33:50,536 [root] DEBUG: 7508: GetEntropy: Error - Supplied address inaccessible: 0x03CF0000
2026-04-28 01:33:50,548 [root] DEBUG: 7508: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:33:50,548 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x03CF0000.
2026-04-28 01:33:50,595 [root] DEBUG: 7508: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:33:50,595 [root] DEBUG: 7508: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:33:50,630 [root] DEBUG: 7508: .NET JIT native cache at 0x04C50000: scans and dumps active.
2026-04-28 01:33:50,782 [root] DEBUG: 7508: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:33:50,939 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x04C50000 skipped
2026-04-28 01:33:50,955 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x03CF0000.
2026-04-28 01:33:51,501 [root] DEBUG: 7508: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:33:52,329 [root] DEBUG: 7508: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:33:52,595 [root] DEBUG: 7508: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:33:52,673 [root] DEBUG: 7508: AllocationHandler: Adding allocation to tracked region list: 0x023CA000, size: 0x1000.
2026-04-28 01:33:52,673 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x023C0000.
2026-04-28 01:33:53,814 [root] DEBUG: 7508: api-cap: NtProtectVirtualMemory hook disabled due to count: 5000
2026-04-28 01:33:53,829 [root] DEBUG: 7508: .NET JIT native cache at 0x08540000: scans and dumps active.
2026-04-28 01:33:54,314 [root] DEBUG: 7508: caller_dispatch: Added region at 0x08540000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0854525B, thread 6940).
2026-04-28 01:33:54,329 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x08540000 skipped
2026-04-28 01:33:54,376 [root] DEBUG: 7508: .NET JIT native cache at 0x078B0000: scans and dumps active.
2026-04-28 01:33:54,861 [root] DEBUG: 7508: .NET JIT native cache at 0x089E0000: scans and dumps active.
2026-04-28 01:33:54,876 [root] DEBUG: 7508: caller_dispatch: Added region at 0x089E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x089F58E3, thread 6940).
2026-04-28 01:33:54,876 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x089E0000 skipped
2026-04-28 01:33:55,110 [root] DEBUG: 7508: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:33:55,189 [lib.api.process] INFO: Monitor config for <Process 752 svchost.exe>: C:\ltb6yatm\dll\752.ini
2026-04-28 01:33:55,204 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:33:55,220 [root] DEBUG: Loader: Injecting process 752 with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:33:55,220 [root] DEBUG: 752: Python path set to 'C:\Python310'.
2026-04-28 01:33:55,235 [root] DEBUG: 752: Disabling sleep skipping.
2026-04-28 01:33:55,235 [root] DEBUG: 752: Dropped file limit defaulting to 100.
2026-04-28 01:33:55,235 [root] DEBUG: 752: Services hook set enabled
2026-04-28 01:33:55,251 [root] DEBUG: 752: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:33:55,282 [root] DEBUG: 752: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:33:55,282 [root] DEBUG: 752: Monitor initialised: 64-bit capemon loaded in process 752 at 0x00007FFEABCB0000, thread 1636, image base 0x00007FF7AB6E0000, stack from 0x000000AE36B74000-0x000000AE36B80000
2026-04-28 01:33:55,282 [root] DEBUG: 752: Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch -p
2026-04-28 01:33:55,329 [root] DEBUG: 752: Hooked 69 out of 69 functions
2026-04-28 01:33:55,345 [root] INFO: Loaded monitor into process with pid 752
2026-04-28 01:33:55,345 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-04-28 01:33:55,345 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:33:55,360 [lib.api.process] INFO: Injected into 64-bit <Process 752 svchost.exe>
2026-04-28 01:33:56,845 [root] INFO: Announced starting service "b'edgeupdate'"
2026-04-28 01:33:56,845 [lib.api.process] INFO: Monitor config for <Process 632 services.exe>: C:\ltb6yatm\dll\632.ini
2026-04-28 01:33:56,986 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:33:57,048 [root] DEBUG: Loader: Injecting process 632 with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:33:57,064 [root] DEBUG: Loader: Copied config file C:\ltb6yatm\dll\632.ini to system path C:\632.ini
2026-04-28 01:33:57,064 [root] DEBUG: Loader: Unable to open process, launched: PPLinject64.exe 632 C:\ltb6yatm\dll\xzHEKGQ.dll
2026-04-28 01:33:57,064 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:33:57,079 [lib.api.process] INFO: Injected into 64-bit <Process 632 services.exe>
2026-04-28 01:33:57,642 [root] DEBUG: 7508: DEBUG:Initialized 9 com hooks
2026-04-28 01:33:58,673 [root] DEBUG: 7508: .NET JIT native cache at 0x08D80000: scans and dumps active.
2026-04-28 01:33:58,720 [root] DEBUG: 7508: caller_dispatch: Added region at 0x08D80000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08D81562, thread 5980).
2026-04-28 01:33:58,720 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x08D80000 skipped
2026-04-28 01:33:59,298 [root] DEBUG: 7508: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:33:59,501 [root] DEBUG: 7508: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:33:59,907 [root] DEBUG: 7508: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:33:59,970 [root] DEBUG: 7508: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:33:59,985 [root] DEBUG: 7508: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:33:59,985 [root] DEBUG: 7508: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:34:00,002 [root] DEBUG: 7508: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:34:00,736 [root] DEBUG: 7508: .NET JIT native cache at 0x08A00000: scans and dumps active.
2026-04-28 01:34:00,876 [root] DEBUG: 7508: caller_dispatch: Added region at 0x08A00000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08A002AD, thread 5976).
2026-04-28 01:34:00,892 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x08A00000 skipped
2026-04-28 01:34:01,689 [root] DEBUG: 7508: caller_dispatch: Added region at 0x078B0000 to tracked regions list (ntdll::NtWaitForSingleObject returns to 0x078B235B, thread 5976).
2026-04-28 01:34:01,689 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x078B0000 skipped
2026-04-28 01:34:02,782 [root] DEBUG: 7508: AllocationHandler: Previously reserved region at 0x08A00000, committing at: 0x08A06000.
2026-04-28 01:34:02,908 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x08A00000.
2026-04-28 01:34:03,017 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x08A00000.
2026-04-28 01:34:03,251 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x08A00000.
2026-04-28 01:34:03,345 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x08A00000.
2026-04-28 01:34:03,501 [root] DEBUG: 7508: .NET JIT native cache at 0x08D30000: scans and dumps active.
2026-04-28 01:34:03,532 [root] DEBUG: 7508: caller_dispatch: Added region at 0x08D30000 to tracked regions list (kernel32::GetSystemInfo returns to 0x08D3173E, thread 5976).
2026-04-28 01:34:03,532 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x08D30000 skipped
2026-04-28 01:34:04,001 [root] DEBUG: 7508: DLL loaded at 0x6FD50000: C:\Windows\SYSTEM32\edputil (0x1b000 bytes).
2026-04-28 01:34:04,142 [root] DEBUG: 7508: .NET JIT native cache at 0x09260000: scans and dumps active.
2026-04-28 01:34:04,142 [root] DEBUG: 7508: .NET JIT native cache at 0x09260000: scans and dumps active.
2026-04-28 01:34:04,142 [root] DEBUG: 7508: caller_dispatch: Added region at 0x09260000 to tracked regions list (advapi32::CryptCreateHash returns to 0x092600CF, thread 5976).
2026-04-28 01:34:04,142 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x09260000 skipped
2026-04-28 01:34:04,157 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x023C0000.
2026-04-28 01:34:04,173 [root] INFO: Added new file to list with pid 7508 and path C:\Windows\System32\drivers\etc\hosts
2026-04-28 01:34:04,829 [root] DEBUG: 7508: AllocationHandler: Previously reserved region at 0x09260000, committing at: 0x0926A000.
2026-04-28 01:34:05,001 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x09260000.
2026-04-28 01:34:05,017 [root] DEBUG: 7508: .NET JIT native cache at 0x09470000: scans and dumps active.
2026-04-28 01:34:05,048 [root] DEBUG: 7508: caller_dispatch: Added region at 0x09470000 to tracked regions list (advapi32::CryptAcquireContextW returns to 0x09471053, thread 5976).
2026-04-28 01:34:05,048 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x09470000 skipped
2026-04-28 01:34:05,298 [root] DEBUG: 7508: AllocationHandler: Previously reserved region at 0x09470000, committing at: 0x09474000.
2026-04-28 01:34:05,439 [root] DEBUG: 7508: AllocationHandler: Adding allocation to tracked region list: 0x023BD000, size: 0x1000.
2026-04-28 01:34:05,486 [root] DEBUG: 7508: DumpPEsInRange: Scanning range 0x023B0000 - 0x023B156D.
2026-04-28 01:34:05,501 [root] DEBUG: 7508: ScanForDisguisedPE: No PE image located in range 0x023B0000-0x023B156D.
2026-04-28 01:34:05,501 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7508_31733345342227142026 to CAPE\d0a56f2fc7d55badb1c748d78e693340e282c84d97a5665711281d546226b122; Size is 5485; Max size: 100000000
2026-04-28 01:34:05,517 [root] DEBUG: 7508: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7508_31733345342227142026 (size 5485 bytes)
2026-04-28 01:34:05,517 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x09470000.
2026-04-28 01:34:05,517 [root] DEBUG: 7508: DumpRegion: Dumped entire allocation from 0x023B0000, size 8192 bytes.
2026-04-28 01:34:05,532 [root] DEBUG: 7508: ProcessTrackedRegion: Dumped region at 0x023B0000.
2026-04-28 01:34:05,532 [root] DEBUG: 7508: OpenProcessHandler: Injection info created for process 592, handle 0x70c: C:\Windows\System32\winlogon.exe
2026-04-28 01:34:05,564 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x078C0000.
2026-04-28 01:34:05,579 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x078C0000.
2026-04-28 01:34:05,579 [root] DEBUG: 7508: AllocationHandler: Adding allocation to tracked region list: 0x0AD20000, size: 0x8000.
2026-04-28 01:34:05,579 [root] DEBUG: 7508: GetEntropy: Error - Supplied address inaccessible: 0x0AD20000
2026-04-28 01:34:05,579 [root] DEBUG: 7508: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:05,579 [root] DEBUG: 7508: AllocationHandler: Processing previous tracked region at: 0x023B0000.
2026-04-28 01:34:05,596 [root] DEBUG: 7508: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x0AD20000.
2026-04-28 01:34:05,596 [root] DEBUG: 7508: AllocationHandler: Previously reserved region at 0x0AD20000, committing at: 0x0AD20000.
2026-04-28 01:34:05,657 [root] DEBUG: 7508: OpenProcessHandler: Injection info created for process 7716, handle 0x6e4: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\145.0.3800.82\msedgewebview2.exe
2026-04-28 01:34:05,751 [root] DEBUG: 7508: .NET JIT native cache at 0x0AD50000: scans and dumps active.
2026-04-28 01:34:05,751 [root] DEBUG: 7508: caller_dispatch: Added region at 0x0AD50000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x0AD505FB, thread 5980).
2026-04-28 01:34:05,767 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x0AD50000 skipped
2026-04-28 01:34:05,845 [root] DEBUG: 7508: DLL loaded at 0x6FD20000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes).
2026-04-28 01:34:05,845 [root] INFO: Added new file to list with pid 7508 and path C:\sqbmEUPTwi\CAPE\msedgewebview2.exe
2026-04-28 01:34:05,907 [root] INFO: Added new file to list with pid 7508 and path C:\sqbmEUPTwi\CAPE\441ebb83624b0b
2026-04-28 01:34:06,063 [root] DEBUG: 7508: DLL loaded at 0x6FCF0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils (0x21000 bytes).
2026-04-28 01:34:06,079 [root] DEBUG: 7508: AllocationHandler: Previously reserved region at 0x0AD50000, committing at: 0x0AD58000.
2026-04-28 01:34:06,110 [root] DEBUG: 7508: AllocationHandler: Adding allocation to tracked region list: 0xFFDF0000, size: 0x50000.
2026-04-28 01:34:06,110 [root] DEBUG: 7508: GetEntropy: Error - Supplied address inaccessible: 0xFFDF0000
2026-04-28 01:34:06,110 [root] DEBUG: 7508: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:06,126 [root] DEBUG: 7508: AllocationHandler: Processing previous tracked region at: 0x0AD50000.
2026-04-28 01:34:06,126 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x0AD50000 skipped
2026-04-28 01:34:06,126 [root] DEBUG: 7508: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0xFFDF0000.
2026-04-28 01:34:06,126 [root] DEBUG: 7508: AllocationHandler: Previously reserved region at 0xFFDF0000, committing at: 0xFFDF0000.
2026-04-28 01:34:06,142 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0xFFDF0000.
2026-04-28 01:34:06,142 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0xFFDF0000.
2026-04-28 01:34:06,142 [root] DEBUG: 7508: AllocationHandler: Adding allocation to tracked region list: 0xFFDE0000, size: 0x10000.
2026-04-28 01:34:06,142 [root] DEBUG: 7508: GetEntropy: Error - Supplied address inaccessible: 0xFFDE0000
2026-04-28 01:34:06,157 [root] DEBUG: 7508: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:06,157 [root] DEBUG: 7508: AllocationHandler: Processing previous tracked region at: 0xFFDF0000.
2026-04-28 01:34:06,173 [root] DEBUG: 7508: DumpPEsInRange: Scanning range 0xFFDF0000 - 0xFFDF003C.
2026-04-28 01:34:06,173 [root] DEBUG: 7508: ScanForDisguisedPE: Size too small: 0x3c bytes
2026-04-28 01:34:06,173 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7508_30166016342227142026 to CAPE\33800b7010cf32347c9814a57b3960d201f7290b162f48f0bb563d4ddacda9ee; Size is 60; Max size: 100000000
2026-04-28 01:34:06,173 [root] DEBUG: 7508: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7508_30166016342227142026 (size 60 bytes)
2026-04-28 01:34:06,189 [root] DEBUG: 7508: DumpRegion: Dumped entire allocation from 0xFFDF0000, size 4096 bytes.
2026-04-28 01:34:06,189 [root] DEBUG: 7508: ProcessTrackedRegion: Dumped region at 0xFFDF0000.
2026-04-28 01:34:06,189 [root] DEBUG: 7508: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0xFFDE0000.
2026-04-28 01:34:06,189 [root] DEBUG: 7508: AllocationHandler: Previously reserved region at 0xFFDE0000, committing at: 0xFFDE0000.
2026-04-28 01:34:06,204 [lib.api.process] INFO: Monitor config for <Process 780 svchost.exe>: C:\ltb6yatm\dll\780.ini
2026-04-28 01:34:06,204 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:34:06,222 [root] DEBUG: Loader: Injecting process 780 with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:06,235 [root] DEBUG: 780: Python path set to 'C:\Python310'.
2026-04-28 01:34:06,235 [root] DEBUG: 780: Disabling sleep skipping.
2026-04-28 01:34:06,235 [root] DEBUG: 780: Dropped file limit defaulting to 100.
2026-04-28 01:34:06,235 [root] DEBUG: 780: Services hook set enabled
2026-04-28 01:34:06,235 [root] DEBUG: 780: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:06,267 [root] DEBUG: 780: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:34:06,267 [root] DEBUG: 780: Monitor initialised: 64-bit capemon loaded in process 780 at 0x00007FFEABCB0000, thread 812, image base 0x00007FF7AB6E0000, stack from 0x000000F370075000-0x000000F370080000
2026-04-28 01:34:06,282 [root] DEBUG: 780: Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p
2026-04-28 01:34:06,313 [root] DEBUG: 780: Hooked 69 out of 69 functions
2026-04-28 01:34:06,313 [root] INFO: Loaded monitor into process with pid 780
2026-04-28 01:34:06,329 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-04-28 01:34:06,329 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:06,329 [lib.api.process] INFO: Injected into 64-bit <Process 780 svchost.exe>
2026-04-28 01:34:06,454 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x078C0000.
2026-04-28 01:34:08,423 [root] DEBUG: 7508: DLL loaded at 0x6FC60000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:34:08,423 [root] DEBUG: 7508: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\wmiutils (0x1d000 bytes).
2026-04-28 01:34:08,470 [root] DEBUG: 7508: DLL loaded at 0x6FC50000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:34:08,520 [root] DEBUG: 780: DEBUG:Initialized 9 com hooks
2026-04-28 01:34:08,532 [root] DEBUG: 7508: DLL loaded at 0x6FC40000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:34:08,548 [root] DEBUG: 7508: DLL loaded at 0x6FB70000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:34:08,563 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:08,657 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:08,688 [root] DEBUG: 7508: .NET JIT native cache at 0x0ACC0000: scans and dumps active.
2026-04-28 01:34:08,891 [root] DEBUG: 7508: caller_dispatch: Added region at 0x0ACC0000 to tracked regions list (combase::CoCreateInstance returns to 0x0ACC0DC8, thread 5980).
2026-04-28 01:34:08,891 [root] DEBUG: 7508: ProcessTrackedRegion: .NET cache region at 0x0ACC0000 skipped
2026-04-28 01:34:08,970 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:08,985 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,079 [root] DEBUG: 7508: AllocationHandler: Adding allocation to tracked region list: 0x0AF40000, size: 0x100000.
2026-04-28 01:34:09,095 [root] DEBUG: 7508: GetEntropy: Error - Supplied address inaccessible: 0x0AF40000
2026-04-28 01:34:09,095 [root] DEBUG: 7508: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:09,095 [root] DEBUG: 7508: AllocationHandler: Memory region (size 0x100000) reserved but not committed at 0x0AF40000.
2026-04-28 01:34:09,095 [root] DEBUG: 7508: AllocationHandler: Previously reserved region at 0x0AF40000, committing at: 0x0AF40000.
2026-04-28 01:34:09,110 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,220 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,298 [root] INFO: Added new file to list with pid 7508 and path C:\Recovery\WindowsRE\winlogon.exe
2026-04-28 01:34:09,298 [root] INFO: Added new file to list with pid 7508 and path C:\Recovery\WindowsRE\cc11b995f2a76d
2026-04-28 01:34:09,329 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,345 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,423 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,438 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,517 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,548 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,595 [root] DEBUG: 7508: OpenProcessHandler: Injection info created for process 7516, handle 0x57c: C:\Program Files\WindowsApps\Microsoft.WindowsStore_22601.1401.3.0_x64__8wekyb3d8bbwe\StoreDesktopExtension.exe
2026-04-28 01:34:09,610 [root] DEBUG: 7508: OpenProcessHandler: Injection info created for process 3808, handle 0x588: C:\Windows\System32\taskhostw.exe
2026-04-28 01:34:09,626 [root] INFO: Added new file to list with pid 7508 and path C:\Program Files (x86)\Microsoft\Temp\OneDriveStandaloneUpdater.exe
2026-04-28 01:34:09,626 [root] INFO: Added new file to list with pid 7508 and path C:\Program Files (x86)\Microsoft\Temp\11ddf1f96e1556
2026-04-28 01:34:09,657 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,688 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,813 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,829 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,954 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:09,985 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,048 [root] INFO: Added new file to list with pid 7508 and path C:\5o722xtn\prescripts\SgrmBroker.exe
2026-04-28 01:34:10,048 [root] INFO: Added new file to list with pid 7508 and path C:\5o722xtn\prescripts\91e168f4ec1147
2026-04-28 01:34:10,079 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,095 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,173 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,188 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,329 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,345 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,454 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Все пользователи\Memory Compression.exe
2026-04-28 01:34:10,454 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Все пользователи\1a5d5b8dcee3d8
2026-04-28 01:34:10,470 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,501 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,595 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,610 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,704 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 3060: C:\Windows\System32\SecurityHealthHost.exe, ImageBase: 0x00007FF6D2F10000
2026-04-28 01:34:10,735 [root] INFO: Announced 64-bit process name: SecurityHealthHost.exe pid: 3060
2026-04-28 01:34:10,735 [lib.api.process] INFO: Monitor config for <Process 3060 SecurityHealthHost.exe>: C:\ltb6yatm\dll\3060.ini
2026-04-28 01:34:10,735 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:34:10,766 [root] DEBUG: Loader: Injecting process 3060 (thread 2768) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:10,782 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:10,798 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:10,798 [lib.api.process] INFO: Injected into 64-bit <Process 3060 SecurityHealthHost.exe>
2026-04-28 01:34:10,813 [root] INFO: Announced 64-bit process name: SecurityHealthHost.exe pid: 3060
2026-04-28 01:34:10,813 [lib.api.process] INFO: Monitor config for <Process 3060 SecurityHealthHost.exe>: C:\ltb6yatm\dll\3060.ini
2026-04-28 01:34:10,813 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:34:10,845 [root] DEBUG: Loader: Injecting process 3060 (thread 2768) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:10,845 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:34:10,845 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,860 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:10,860 [lib.api.process] INFO: Injected into 64-bit <Process 3060 SecurityHealthHost.exe>
2026-04-28 01:34:10,907 [root] DEBUG: 3060: Python path set to 'C:\Python310'.
2026-04-28 01:34:10,907 [root] DEBUG: 3060: Dropped file limit defaulting to 100.
2026-04-28 01:34:10,923 [root] DEBUG: 3060: Disabling sleep skipping.
2026-04-28 01:34:10,923 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:10,923 [root] DEBUG: 3060: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:10,954 [root] DEBUG: 3060: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:34:10,954 [root] DEBUG: 3060: YaraScan: Scanning 0x00007FF6D2F10000, size 0x19174
2026-04-28 01:34:10,954 [root] DEBUG: 3060: Monitor initialised: 64-bit capemon loaded in process 3060 at 0x00007FFEABCB0000, thread 2768, image base 0x00007FF6D2F10000, stack from 0x0000004FE4874000-0x0000004FE4880000
2026-04-28 01:34:10,970 [root] DEBUG: 3060: Commandline: C:\Windows\System32\SecurityHealthHost.exe {08728914-3F57-4D52-9E31-49DAECA5A80A} -Embedding
2026-04-28 01:34:11,001 [root] DEBUG: 3060: hook_api: LdrpCallInitRoutine export address 0x00007FFEFE8699BC obtained via GetFunctionAddress
2026-04-28 01:34:11,032 [root] INFO: Added new file to list with pid 7508 and path C:\5o722xtn\dll\csrss.exe
2026-04-28 01:34:11,032 [root] INFO: Added new file to list with pid 7508 and path C:\5o722xtn\dll\886983d96e3d3e
2026-04-28 01:34:11,079 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:11,095 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:11,110 [root] WARNING: b'Unable to place hook on LockResource'
2026-04-28 01:34:11,110 [root] DEBUG: 3060: set_hooks: Unable to hook LockResource
2026-04-28 01:34:11,142 [root] DEBUG: 3060: Hooked 627 out of 628 functions
2026-04-28 01:34:11,142 [root] DEBUG: 3060: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:11,157 [root] DEBUG: 3060: RestoreHeaders: Restored original import table.
2026-04-28 01:34:11,173 [root] INFO: Loaded monitor into process with pid 3060
2026-04-28 01:34:11,173 [root] DEBUG: 3060: caller_dispatch: Added region at 0x00007FF6D2F10000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF6D2F1D3B2, thread 2768).
2026-04-28 01:34:11,188 [root] DEBUG: 3060: YaraScan: Scanning 0x00007FF6D2F10000, size 0x19174
2026-04-28 01:34:11,188 [root] DEBUG: 3060: ProcessImageBase: Main module image at 0x00007FF6D2F10000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:11,204 [root] DEBUG: 3060: set_hooks_by_export_directory: Hooked 0 out of 628 functions
2026-04-28 01:34:11,204 [root] DEBUG: 3060: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:34:11,204 [root] DEBUG: 3060: DLL loaded at 0x00007FFEFC380000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-04-28 01:34:11,204 [root] DEBUG: 3060: DEBUG:Initialized 9 com hooks
2026-04-28 01:34:11,220 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:11,220 [root] DEBUG: 3060: DLL loaded at 0x00007FFEFCC00000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-04-28 01:34:11,251 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:11,329 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:11,392 [root] DEBUG: 3060: DLL loaded at 0x00007FFEFDBE0000: C:\Windows\System32\SHELL32 (0x743000 bytes).
2026-04-28 01:34:11,407 [root] DEBUG: 3060: DLL loaded at 0x00007FFEFB900000: C:\Windows\system32\Wldp (0x30000 bytes).
2026-04-28 01:34:11,407 [root] DEBUG: 3060: DLL loaded at 0x00007FFEFAC70000: C:\Windows\SYSTEM32\ntmarta (0x33000 bytes).
2026-04-28 01:34:11,423 [root] DEBUG: 3060: DLL loaded at 0x00007FFEF0150000: C:\Windows\system32\SecurityHealthAgent (0x6d000 bytes).
2026-04-28 01:34:11,485 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:11,485 [root] DEBUG: 3060: DLL loaded at 0x00007FFEECE40000: C:\Windows\system32\SecurityHealthProxyStub (0x1f000 bytes).
2026-04-28 01:34:11,501 [root] DEBUG: 3060: DLL loaded at 0x00007FFEE7170000: C:\Windows\System32\msxml6 (0x25f000 bytes).
2026-04-28 01:34:11,517 [root] DEBUG: 3060: DLL loaded at 0x00007FFEFE330000: C:\Windows\System32\shcore (0xad000 bytes).
2026-04-28 01:34:11,532 [root] DEBUG: 3060: DLL loaded at 0x00007FFEF8C40000: C:\Windows\SYSTEM32\wintypes (0x154000 bytes).
2026-04-28 01:34:11,532 [root] DEBUG: 3060: DLL loaded at 0x00007FFEF9CA0000: C:\Windows\System32\RMCLIENT (0x2a000 bytes).
2026-04-28 01:34:11,548 [root] DEBUG: 3060: DLL loaded at 0x00007FFEF60C0000: C:\Windows\System32\XmlLite (0x36000 bytes).
2026-04-28 01:34:11,548 [root] DEBUG: 3060: DLL loaded at 0x00007FFEEF4B0000: C:\Windows\System32\twinapi.appcore (0x200000 bytes).
2026-04-28 01:34:11,548 [root] DEBUG: 3060: DLL loaded at 0x00007FFEE32A0000: C:\Windows\System32\wpnapps (0x156000 bytes).
2026-04-28 01:34:11,579 [root] DEBUG: 3060: DLL loaded at 0x00007FFEF7A20000: C:\Windows\SYSTEM32\usermgrcli (0x16000 bytes).
2026-04-28 01:34:11,610 [root] DEBUG: 3060: DLL loaded at 0x00007FFEF09F0000: C:\Windows\System32\OneCoreUAPCommonProxyStub (0x7c9000 bytes).
2026-04-28 01:34:11,641 [root] DEBUG: 3060: DLL loaded at 0x00007FFEE1060000: C:\Windows\System32\ShellCommonCommonProxyStub (0xd0000 bytes).
2026-04-28 01:34:11,735 [root] DEBUG: 7508: OpenProcessHandler: Injection info created for process 6096, handle 0x580: C:\Windows\servicing\TrustedInstaller.exe
2026-04-28 01:34:11,735 [root] DEBUG: 7508: OpenProcessHandler: Injection info created for process 5904, handle 0x584: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
2026-04-28 01:34:11,860 [root] DEBUG: 7508: OpenProcessHandler: Injection info created for process 6564, handle 0x55c: C:\Windows\System32\RuntimeBroker.exe
2026-04-28 01:34:11,860 [root] DEBUG: 7508: OpenProcessHandler: Injection info created for process 8072, handle 0x554: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\145.0.3800.82\msedgewebview2.exe
2026-04-28 01:34:11,860 [root] DEBUG: 7508: OpenProcessHandler: Injection info created for process 6440, handle 0x568: C:\Windows\System32\DeviceCensus.exe
2026-04-28 01:34:11,891 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Все пользователи\qemu-ga\conhost.exe
2026-04-28 01:34:11,923 [root] DEBUG: 3060: DLL loaded at 0x00007FFEFA080000: C:\Windows\SYSTEM32\windows.storage (0x795000 bytes).
2026-04-28 01:34:11,938 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Все пользователи\qemu-ga\088424020bedd6
2026-04-28 01:34:11,985 [root] DEBUG: 3060: NtTerminateProcess hook: Attempting to dump process 3060
2026-04-28 01:34:12,017 [root] DEBUG: 3060: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:34:12,032 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 3644: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe, ImageBase: 0x00007FF76BCF0000
2026-04-28 01:34:12,048 [root] INFO: Process with pid 3060 has terminated
2026-04-28 01:34:12,079 [root] INFO: Announced 64-bit process name: ShellExperienceHost.exe pid: 3644
2026-04-28 01:34:12,079 [lib.api.process] INFO: Monitor config for <Process 3644 ShellExperienceHost.exe>: C:\ltb6yatm\dll\3644.ini
2026-04-28 01:34:12,095 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:12,126 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:12,657 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:12,704 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:12,845 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:12,891 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:13,048 [root] INFO: Added new file to list with pid 7508 and path C:\Program Files\Windows Security\BrowserCore\en-US\qemu-ga.exe
2026-04-28 01:34:13,063 [root] INFO: Added new file to list with pid 7508 and path C:\Program Files\Windows Security\BrowserCore\en-US\013344b676d731
2026-04-28 01:34:13,095 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:13,345 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:13,641 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:34:13,688 [root] DEBUG: Loader: Injecting process 3644 (thread 3440) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:13,688 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:13,704 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:13,720 [lib.api.process] INFO: Injected into 64-bit <Process 3644 ShellExperienceHost.exe>
2026-04-28 01:34:13,751 [root] INFO: Announced 64-bit process name: ShellExperienceHost.exe pid: 3644
2026-04-28 01:34:13,751 [lib.api.process] INFO: Monitor config for <Process 3644 ShellExperienceHost.exe>: C:\ltb6yatm\dll\3644.ini
2026-04-28 01:34:13,751 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:13,798 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:13,954 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:13,985 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:14,407 [root] DEBUG: 7508: OpenProcessHandler: Injection info created for process 7884, handle 0x5a8: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\145.0.3800.82\msedgewebview2.exe
2026-04-28 01:34:14,423 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Public\Downloads\msedgewebview2.exe
2026-04-28 01:34:14,438 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Public\Downloads\441ebb83624b0b
2026-04-28 01:34:14,470 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:14,485 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:34:14,516 [root] DEBUG: Loader: Injecting process 3644 (thread 3440) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:14,516 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:14,516 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:14,548 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:14,563 [lib.api.process] INFO: Injected into 64-bit <Process 3644 ShellExperienceHost.exe>
2026-04-28 01:34:14,595 [root] INFO: Announced 64-bit process name: ShellExperienceHost.exe pid: 3644
2026-04-28 01:34:14,595 [lib.api.process] INFO: Monitor config for <Process 3644 ShellExperienceHost.exe>: C:\ltb6yatm\dll\3644.ini
2026-04-28 01:34:14,813 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:15,095 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:15,282 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:34:15,298 [root] DEBUG: Loader: Injecting process 3644 (thread 3440) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:15,298 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:34:15,313 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:15,313 [lib.api.process] INFO: Injected into 64-bit <Process 3644 ShellExperienceHost.exe>
2026-04-28 01:34:15,454 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:15,501 [root] DEBUG: 7508: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:34:15,985 [root] DEBUG: 7508: DLL loaded at 0x6F890000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni (0x2d4000 bytes).
2026-04-28 01:34:16,735 [root] INFO: Added new file to list with pid 7508 and path C:\Users\cape\AppData\Local\Temp\RCX3072.tmp
2026-04-28 01:34:16,923 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\RCX3072.tmp to files\272298ddadd5a7680d2baa42c2d2b6d208d6777d514ce8e31fdd24831094603c; Size is 2078720; Max size: 100000000
2026-04-28 01:34:17,251 [root] INFO: Added new file to list with pid 7508 and path C:\Users\cape\AppData\Local\Temp\RCX3239.tmp
2026-04-28 01:34:17,282 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\RCX3239.tmp to files\e3838ab038244b7fe90972c13cba37fc924641fd0d125e185a03e268993d6289; Size is 2078720; Max size: 100000000
2026-04-28 01:34:17,860 [root] INFO: Added new file to list with pid 7508 and path C:\Users\cape\AppData\Local\Temp\2026-04-28_1db227e867a99.exe
2026-04-28 01:34:17,970 [root] INFO: Added new file to list with pid 7508 and path C:\sqbmEUPTwi\CAPE\RCX35B4.tmp
2026-04-28 01:34:18,376 [root] INFO: Added new file to list with pid 7508 and path C:\sqbmEUPTwi\CAPE\RCX36A0.tmp
2026-04-28 01:34:19,235 [root] INFO: Added new file to list with pid 7508 and path C:\Recovery\WindowsRE\RCX3A89.tmp
2026-04-28 01:34:19,626 [root] INFO: Added new file to list with pid 7508 and path C:\Recovery\WindowsRE\RCX3BC2.tmp
2026-04-28 01:34:20,407 [root] INFO: Added new file to list with pid 7508 and path C:\Program Files (x86)\Microsoft\Temp\RCX3F5D.tmp
2026-04-28 01:34:20,642 [root] INFO: Added new file to list with pid 7508 and path C:\Program Files (x86)\Microsoft\Temp\RCX4029.tmp
2026-04-28 01:34:21,423 [root] INFO: Added new file to list with pid 7508 and path C:\5o722xtn\prescripts\RCX4318.tmp
2026-04-28 01:34:21,720 [root] INFO: Added new file to list with pid 7508 and path C:\5o722xtn\prescripts\RCX4452.tmp
2026-04-28 01:34:22,532 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Все пользователи\RCX47AE.tmp
2026-04-28 01:34:22,751 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Все пользователи\RCX487A.tmp
2026-04-28 01:34:23,876 [root] INFO: Added new file to list with pid 7508 and path C:\5o722xtn\dll\RCX4B4A.tmp
2026-04-28 01:34:24,485 [root] INFO: Added new file to list with pid 7508 and path C:\5o722xtn\dll\RCX4E39.tmp
2026-04-28 01:34:25,282 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Все пользователи\qemu-ga\RCX5231.tmp
2026-04-28 01:34:25,579 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Все пользователи\qemu-ga\RCX533C.tmp
2026-04-28 01:34:26,438 [root] INFO: Added new file to list with pid 7508 and path C:\Program Files\Windows Security\BrowserCore\en-US\RCX56C7.tmp
2026-04-28 01:34:26,782 [root] INFO: Added new file to list with pid 7508 and path C:\Program Files\Windows Security\BrowserCore\en-US\RCX57C2.tmp
2026-04-28 01:34:27,610 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Public\Downloads\RCX5B1F.tmp
2026-04-28 01:34:27,954 [root] INFO: Added new file to list with pid 7508 and path C:\Users\Public\Downloads\RCX5C58.tmp
2026-04-28 01:34:29,142 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 5200: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ImageBase: 0x00D20000
2026-04-28 01:34:29,157 [root] INFO: Announced 32-bit process name: powershell.exe pid: 5200
2026-04-28 01:34:29,173 [lib.api.process] INFO: Monitor config for <Process 5200 powershell.exe>: C:\ltb6yatm\dll\5200.ini
2026-04-28 01:34:29,751 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:29,767 [root] DEBUG: Loader: Injecting process 5200 (thread 4104) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:29,798 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:29,813 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:29,813 [lib.api.process] INFO: Injected into 32-bit <Process 5200 powershell.exe>
2026-04-28 01:34:29,923 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:29,938 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 3488: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ImageBase: 0x00D20000
2026-04-28 01:34:29,954 [root] INFO: Announced 32-bit process name: powershell.exe pid: 3488
2026-04-28 01:34:29,954 [lib.api.process] INFO: Monitor config for <Process 3488 powershell.exe>: C:\ltb6yatm\dll\3488.ini
2026-04-28 01:34:30,079 [root] DEBUG: 5200: Python path set to 'C:\Python310'.
2026-04-28 01:34:30,110 [root] DEBUG: 5200: Dropped file limit defaulting to 100.
2026-04-28 01:34:30,173 [root] DEBUG: 5200: Disabling sleep skipping.
2026-04-28 01:34:30,173 [root] DEBUG: 5200: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:30,173 [root] DEBUG: 5200: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:30,345 [root] DEBUG: 5200: Monitor initialised: 32-bit capemon loaded in process 5200 at 0x73f00000, thread 4104, image base 0xd20000, stack from 0x2d5000-0x2e0000
2026-04-28 01:34:30,548 [root] DEBUG: 5200: Commandline: "powershell"  -Command Add-MpPreference -ExclusionPath 'C:\Users\cape\AppData\Local\Temp\2026-04-28_1db227e867a99.exe'
2026-04-28 01:34:30,595 [root] DEBUG: 5200: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:30,626 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:34:30,626 [root] DEBUG: 5200: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:34:30,641 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:34:30,641 [root] DEBUG: 5200: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:34:30,657 [root] DEBUG: 5200: Hooked 630 out of 632 functions
2026-04-28 01:34:30,673 [root] DEBUG: 5200: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:30,673 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:30,688 [root] DEBUG: 5200: RestoreHeaders: Restored original import table.
2026-04-28 01:34:30,704 [root] INFO: Loaded monitor into process with pid 5200
2026-04-28 01:34:30,704 [root] DEBUG: Loader: Injecting process 3488 (thread 5156) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:30,704 [root] DEBUG: 5200: caller_dispatch: Added region at 0x00D20000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00D2B4FB, thread 4104).
2026-04-28 01:34:30,704 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:30,720 [root] DEBUG: 5200: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:30,720 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:30,735 [root] DEBUG: 5200: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:30,751 [lib.api.process] INFO: Injected into 32-bit <Process 3488 powershell.exe>
2026-04-28 01:34:30,766 [root] DEBUG: 5200: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:34:30,782 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:30,782 [root] DEBUG: 5200: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:34:30,798 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 3596: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ImageBase: 0x00D20000
2026-04-28 01:34:30,798 [root] DEBUG: 5200: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:34:30,829 [root] INFO: Announced 32-bit process name: powershell.exe pid: 3596
2026-04-28 01:34:30,829 [lib.api.process] INFO: Monitor config for <Process 3596 powershell.exe>: C:\ltb6yatm\dll\3596.ini
2026-04-28 01:34:30,845 [root] DEBUG: 5200: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:34:30,845 [root] DEBUG: 3488: Python path set to 'C:\Python310'.
2026-04-28 01:34:30,845 [root] DEBUG: 5200: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:34:30,860 [root] DEBUG: 3488: Dropped file limit defaulting to 100.
2026-04-28 01:34:30,876 [root] DEBUG: 5200: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:34:30,876 [root] DEBUG: 5200: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:34:30,892 [root] DEBUG: 3488: Disabling sleep skipping.
2026-04-28 01:34:30,970 [root] DEBUG: 3488: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:30,970 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x00CE3000, size: 0x1000.
2026-04-28 01:34:30,970 [root] DEBUG: 3488: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:30,985 [root] DEBUG: 5200: GetEntropy: Error - Supplied address inaccessible: 0x00CE0000
2026-04-28 01:34:31,001 [root] DEBUG: 3488: Monitor initialised: 32-bit capemon loaded in process 3488 at 0x73f00000, thread 5156, image base 0xd20000, stack from 0xb15000-0xb20000
2026-04-28 01:34:31,001 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:31,048 [root] DEBUG: 3488: Commandline: "powershell"  -Command Add-MpPreference -ExclusionPath 'C:\sqbmEUPTwi\CAPE\msedgewebview2.exe'
2026-04-28 01:34:31,282 [root] DEBUG: 5200: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 4104).
2026-04-28 01:34:31,345 [root] DEBUG: 3488: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:31,423 [root] DEBUG: 5200: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:34:31,438 [root] DEBUG: 5200: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:31,454 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:34:31,454 [root] DEBUG: 5200: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:34:31,454 [root] DEBUG: 3488: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:34:31,485 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x04450000, size: 0x1000.
2026-04-28 01:34:31,485 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:34:31,501 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:31,501 [root] DEBUG: 3488: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:34:31,516 [root] DEBUG: 5200: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:34:31,516 [root] DEBUG: 3488: Hooked 630 out of 632 functions
2026-04-28 01:34:31,532 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x05BF1000, size: 0x1000.
2026-04-28 01:34:31,532 [root] DEBUG: 3488: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:31,548 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x05BF0000.
2026-04-28 01:34:31,548 [root] DEBUG: 3488: RestoreHeaders: Restored original import table.
2026-04-28 01:34:31,563 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:34:31,563 [root] INFO: Loaded monitor into process with pid 3488
2026-04-28 01:34:31,563 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:31,563 [root] DEBUG: 5200: DumpPEsInRange: Scanning range 0x00CE0000 - 0x00CE1615.
2026-04-28 01:34:31,595 [root] DEBUG: 3488: caller_dispatch: Added region at 0x00D20000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00D2B4FB, thread 5156).
2026-04-28 01:34:31,595 [root] DEBUG: Loader: Injecting process 3596 (thread 1012) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:31,595 [root] DEBUG: 5200: ScanForDisguisedPE: No PE image located in range 0x00CE0000-0x00CE1615.
2026-04-28 01:34:31,610 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:31,610 [root] DEBUG: 3488: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:31,626 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:31,626 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5200_1749907031342227142026 to CAPE\16f50a57193dd7d7e6df6a37aa20f7457d07a5aba287873ca41734a543db3539; Size is 5653; Max size: 100000000
2026-04-28 01:34:31,626 [root] DEBUG: 3488: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:31,642 [lib.api.process] INFO: Injected into 32-bit <Process 3596 powershell.exe>
2026-04-28 01:34:31,642 [root] DEBUG: 5200: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5200_1749907031342227142026 (size 5653 bytes)
2026-04-28 01:34:31,657 [root] DEBUG: 3488: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:34:31,673 [root] DEBUG: 5200: DumpRegion: Dumped entire allocation from 0x00CE0000, size 8192 bytes.
2026-04-28 01:34:31,673 [root] DEBUG: 3488: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:34:31,673 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:31,688 [root] DEBUG: 5200: ProcessTrackedRegion: Dumped region at 0x00CE0000.
2026-04-28 01:34:31,704 [root] DEBUG: 3488: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:34:31,704 [root] DEBUG: 5200: YaraScan: Scanning 0x00CE0000, size 0x1615
2026-04-28 01:34:31,735 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 3404: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ImageBase: 0x00D20000
2026-04-28 01:34:31,751 [root] DEBUG: 3488: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:34:31,767 [root] INFO: Announced 32-bit process name: powershell.exe pid: 3404
2026-04-28 01:34:31,782 [root] DEBUG: 3596: Python path set to 'C:\Python310'.
2026-04-28 01:34:31,782 [lib.api.process] INFO: Monitor config for <Process 3404 powershell.exe>: C:\ltb6yatm\dll\3404.ini
2026-04-28 01:34:31,782 [root] DEBUG: 5200: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:34:31,782 [root] DEBUG: 3596: Dropped file limit defaulting to 100.
2026-04-28 01:34:31,782 [root] DEBUG: 3488: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:34:31,798 [root] DEBUG: 5200: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:34:31,798 [root] DEBUG: 3596: Disabling sleep skipping.
2026-04-28 01:34:31,798 [root] DEBUG: 3488: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:34:31,813 [root] DEBUG: 3596: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:31,813 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x00D1B000, size: 0x1000.
2026-04-28 01:34:31,813 [root] DEBUG: 3488: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:34:31,876 [root] DEBUG: 3596: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:31,891 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x05F53000, size: 0x1000.
2026-04-28 01:34:31,891 [root] DEBUG: 3596: Monitor initialised: 32-bit capemon loaded in process 3596 at 0x73f00000, thread 1012, image base 0xd20000, stack from 0x585000-0x590000
2026-04-28 01:34:31,891 [root] DEBUG: 5200: GetEntropy: Error - Supplied address inaccessible: 0x00D10000
2026-04-28 01:34:31,891 [root] DEBUG: 3488: GetEntropy: Error - Supplied address inaccessible: 0x05F50000
2026-04-28 01:34:31,907 [root] DEBUG: 3596: Commandline: "powershell"  -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
2026-04-28 01:34:31,938 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:32,017 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:32,095 [root] DEBUG: 3596: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:32,188 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00D10000.
2026-04-28 01:34:32,282 [root] DEBUG: 3488: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:34:32,376 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:34:32,423 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:32,423 [root] DEBUG: 5200: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:34:32,438 [root] DEBUG: 3596: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:34:32,438 [root] DEBUG: 3488: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 5156).
2026-04-28 01:34:32,454 [root] DEBUG: 5200: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:34:32,454 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:34:32,454 [root] DEBUG: Loader: Injecting process 3404 (thread 2252) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:32,454 [root] DEBUG: 5200: .NET JIT native cache at 0x04450000: scans and dumps active.
2026-04-28 01:34:32,470 [root] DEBUG: 3488: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:32,485 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:32,485 [root] DEBUG: 3596: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:34:32,501 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00D10000.
2026-04-28 01:34:32,501 [root] DEBUG: 3488: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:34:32,516 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:32,516 [root] DEBUG: 3596: Hooked 630 out of 632 functions
2026-04-28 01:34:32,532 [lib.api.process] INFO: Injected into 32-bit <Process 3404 powershell.exe>
2026-04-28 01:34:32,532 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x06300000, size: 0x1000.
2026-04-28 01:34:32,532 [root] DEBUG: 3596: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:32,548 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:32,548 [root] DEBUG: 3596: RestoreHeaders: Restored original import table.
2026-04-28 01:34:32,563 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:32,563 [root] DEBUG: 3488: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:34:32,595 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 7728: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ImageBase: 0x00D20000
2026-04-28 01:34:32,595 [root] INFO: Loaded monitor into process with pid 3596
2026-04-28 01:34:32,642 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x06751000, size: 0x1000.
2026-04-28 01:34:32,673 [root] DEBUG: 3596: caller_dispatch: Added region at 0x00D20000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00D2B4FB, thread 1012).
2026-04-28 01:34:32,673 [root] INFO: Announced 32-bit process name: powershell.exe pid: 7728
2026-04-28 01:34:32,673 [root] DEBUG: 5200: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:34:32,673 [lib.api.process] INFO: Monitor config for <Process 7728 powershell.exe>: C:\ltb6yatm\dll\7728.ini
2026-04-28 01:34:32,688 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x06750000.
2026-04-28 01:34:32,688 [root] DEBUG: 3404: Python path set to 'C:\Python310'.
2026-04-28 01:34:32,704 [root] DEBUG: 3596: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:32,704 [root] DEBUG: 5200: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:34:32,720 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F50000.
2026-04-28 01:34:32,720 [root] DEBUG: 3404: Dropped file limit defaulting to 100.
2026-04-28 01:34:32,735 [root] DEBUG: 3596: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:32,751 [root] DEBUG: 3488: DumpPEsInRange: Scanning range 0x05F50000 - 0x05F51615.
2026-04-28 01:34:32,766 [root] DEBUG: 3596: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:34:32,782 [root] DEBUG: 3488: ScanForDisguisedPE: No PE image located in range 0x05F50000-0x05F51615.
2026-04-28 01:34:32,829 [root] DEBUG: 3596: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:34:32,829 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x04450000 skipped
2026-04-28 01:34:32,829 [root] DEBUG: 3404: Disabling sleep skipping.
2026-04-28 01:34:32,829 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3488_2289222632342227142026 to CAPE\f122fad31e79f0aae6a056e31c5fee53ff7760c9017518f17cc596f1a25e47ec; Size is 5653; Max size: 100000000
2026-04-28 01:34:32,845 [root] DEBUG: 3596: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:34:32,845 [root] DEBUG: 5200: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:34:32,860 [root] DEBUG: 3404: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:32,860 [root] DEBUG: 3488: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3488_2289222632342227142026 (size 5653 bytes)
2026-04-28 01:34:32,876 [root] DEBUG: 3596: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:34:32,892 [root] DEBUG: 3404: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:32,892 [root] DEBUG: 3488: DumpRegion: Dumped entire allocation from 0x05F50000, size 8192 bytes.
2026-04-28 01:34:32,892 [root] DEBUG: 3596: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:34:32,907 [root] DEBUG: 5200: DEBUG:Initialized 9 com hooks
2026-04-28 01:34:32,923 [root] DEBUG: 3404: Monitor initialised: 32-bit capemon loaded in process 3404 at 0x73f00000, thread 2252, image base 0xd20000, stack from 0xc95000-0xca0000
2026-04-28 01:34:32,923 [root] DEBUG: 3488: ProcessTrackedRegion: Dumped region at 0x05F50000.
2026-04-28 01:34:33,001 [root] DEBUG: 3596: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:34:33,095 [root] DEBUG: 3404: Commandline: "powershell"  -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Temp\OneDriveStandaloneUpdater.exe'
2026-04-28 01:34:33,251 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:33,282 [root] DEBUG: 3488: YaraScan: Scanning 0x05F50000, size 0x1615
2026-04-28 01:34:33,376 [root] DEBUG: 3596: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:34:33,470 [root] DEBUG: 3404: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:33,532 [root] DEBUG: 3488: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:34:33,532 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x04450000.
2026-04-28 01:34:33,532 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x00D03000, size: 0x1000.
2026-04-28 01:34:33,563 [root] DEBUG: Loader: Injecting process 7728 (thread 5220) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:33,563 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:34:33,563 [root] DEBUG: 3488: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:34:33,579 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:33,579 [root] DEBUG: 3596: GetEntropy: Error - Supplied address inaccessible: 0x00D00000
2026-04-28 01:34:33,595 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x05F8B000, size: 0x1000.
2026-04-28 01:34:33,595 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:33,595 [root] DEBUG: 3404: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:34:33,595 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:33,673 [lib.api.process] INFO: Injected into 32-bit <Process 7728 powershell.exe>
2026-04-28 01:34:33,673 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:34:33,704 [root] DEBUG: 3488: GetEntropy: Error - Supplied address inaccessible: 0x05F80000
2026-04-28 01:34:33,704 [root] DEBUG: 5200: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:34:33,704 [root] DEBUG: 3596: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 1012).
2026-04-28 01:34:33,735 [root] DEBUG: 3596: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:34:33,735 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:33,735 [root] DEBUG: 3404: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:34:33,782 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:33,782 [root] DEBUG: 5200: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:34:33,876 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 7496: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ImageBase: 0x00D20000
2026-04-28 01:34:33,907 [root] DEBUG: 3596: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:33,954 [root] DEBUG: 3404: Hooked 630 out of 632 functions
2026-04-28 01:34:34,063 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F80000.
2026-04-28 01:34:34,110 [root] INFO: Announced 32-bit process name: powershell.exe pid: 7496
2026-04-28 01:34:34,110 [root] DEBUG: 5200: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-28 01:34:34,110 [root] DEBUG: 7728: Python path set to 'C:\Python310'.
2026-04-28 01:34:34,110 [root] DEBUG: 3596: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:34:34,126 [lib.api.process] INFO: Monitor config for <Process 7496 powershell.exe>: C:\ltb6yatm\dll\7496.ini
2026-04-28 01:34:34,126 [root] DEBUG: 3404: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:34,126 [root] DEBUG: 3488: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:34:34,142 [root] DEBUG: 5200: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:34:34,157 [root] DEBUG: 7728: Dropped file limit defaulting to 100.
2026-04-28 01:34:34,173 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x04850000, size: 0x1000.
2026-04-28 01:34:34,173 [root] DEBUG: 3488: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:34:34,220 [root] DEBUG: 5200: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:34:34,235 [root] DEBUG: 3404: RestoreHeaders: Restored original import table.
2026-04-28 01:34:34,251 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:34,267 [root] DEBUG: 5200: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:34:34,267 [root] DEBUG: 3488: .NET JIT native cache at 0x06300000: scans and dumps active.
2026-04-28 01:34:34,282 [root] DEBUG: 7728: Disabling sleep skipping.
2026-04-28 01:34:34,282 [root] INFO: Loaded monitor into process with pid 3404
2026-04-28 01:34:34,329 [root] DEBUG: 3596: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:34:34,329 [root] DEBUG: 5200: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:34:34,347 [root] DEBUG: 7728: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:34,391 [root] DEBUG: 3404: caller_dispatch: Added region at 0x00D20000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00D2B4FB, thread 2252).
2026-04-28 01:34:34,407 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F80000.
2026-04-28 01:34:34,407 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x08481000, size: 0x1000.
2026-04-28 01:34:34,407 [root] DEBUG: 5200: DLL loaded at 0x77DD0000: C:\Windows\System32\wintrust (0x4e000 bytes).
2026-04-28 01:34:34,454 [root] DEBUG: 7728: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:34,454 [root] DEBUG: 5200: .NET JIT native cache at 0x08440000: scans and dumps active.
2026-04-28 01:34:34,454 [root] DEBUG: 5200: .NET JIT native cache at 0x08440000: scans and dumps active.
2026-04-28 01:34:34,471 [root] DEBUG: 3404: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:34,485 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:34:34,485 [root] DEBUG: 5200: DLL loaded at 0x6FE10000: C:\Windows\SYSTEM32\MSASN1 (0xe000 bytes).
2026-04-28 01:34:34,485 [root] DEBUG: 3488: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:34:34,563 [root] DEBUG: 3404: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:34,610 [root] DEBUG: 5200: caller_dispatch: Added region at 0x08440000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x08442944, thread 4104).
2026-04-28 01:34:34,610 [root] DEBUG: 7728: Monitor initialised: 32-bit capemon loaded in process 7728 at 0x73f00000, thread 5220, image base 0xd20000, stack from 0x5e5000-0x5f0000
2026-04-28 01:34:34,610 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x00D00000.
2026-04-28 01:34:34,626 [root] DEBUG: 3488: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:34:34,688 [root] DEBUG: 5200: DLL loaded at 0x6F850000: C:\Windows\SYSTEM32\gpapi (0x1e000 bytes).
2026-04-28 01:34:34,751 [root] DEBUG: 3404: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:34:34,735 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:34,892 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x08440000 skipped
2026-04-28 01:34:34,954 [root] DEBUG: 3596: DumpPEsInRange: Scanning range 0x00D00000 - 0x00D01615.
2026-04-28 01:34:34,970 [root] DEBUG: 7728: Commandline: "powershell"  -Command Add-MpPreference -ExclusionPath 'C:\5o722xtn\prescripts\SgrmBroker.exe'
2026-04-28 01:34:34,970 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x06300000 skipped
2026-04-28 01:34:35,017 [root] DEBUG: 5200: DLL loaded at 0x6F4F0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x357000 bytes).
2026-04-28 01:34:35,032 [root] DEBUG: 3404: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:34:35,032 [root] DEBUG: 3596: ScanForDisguisedPE: No PE image located in range 0x00D00000-0x00D01615.
2026-04-28 01:34:35,032 [root] DEBUG: Loader: Injecting process 7496 (thread 6148) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:35,032 [root] DEBUG: 3488: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:34:35,032 [root] DEBUG: 7728: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:35,048 [root] DEBUG: 3404: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:34:35,095 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3596_104364835342227142026 to CAPE\c9ba6c5301e2748284780fb1823eecb4a1ee46d0e482b60884433a44ca03c2f5; Size is 5653; Max size: 100000000
2026-04-28 01:34:35,126 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:35,126 [root] INFO: Added new file to list with pid 5200 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_ab2mmmlk.eny.ps1
2026-04-28 01:34:35,142 [root] DEBUG: 3404: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:34:35,157 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:34:35,157 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:35,157 [lib.api.process] INFO: Injected into 32-bit <Process 7496 powershell.exe>
2026-04-28 01:34:35,157 [root] DEBUG: 3488: DEBUG:Initialized 9 com hooks
2026-04-28 01:34:35,188 [root] INFO: Added new file to list with pid 5200 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_jwhrza5k.xge.psm1
2026-04-28 01:34:35,220 [root] DEBUG: 3596: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3596_104364835342227142026 (size 5653 bytes)
2026-04-28 01:34:35,266 [root] DEBUG: 3404: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:34:35,345 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:35,392 [root] DEBUG: 7728: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:34:35,392 [root] DEBUG: 5200: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:34:35,407 [root] DEBUG: 3404: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:34:35,407 [root] DEBUG: 3488: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:34:35,501 [root] DEBUG: 3596: DumpRegion: Dumped entire allocation from 0x00D00000, size 8192 bytes.
2026-04-28 01:34:35,548 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:34:35,626 [root] DEBUG: 5200: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:34:35,704 [root] DEBUG: 3596: ProcessTrackedRegion: Dumped region at 0x00D00000.
2026-04-28 01:34:35,798 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 5144: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ImageBase: 0x00D20000
2026-04-28 01:34:35,798 [root] DEBUG: 3404: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:34:35,845 [root] DEBUG: 7496: Python path set to 'C:\Python310'.
2026-04-28 01:34:35,845 [root] DEBUG: 3488: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:34:35,860 [root] DEBUG: 3596: YaraScan: Scanning 0x00D00000, size 0x1615
2026-04-28 01:34:35,876 [root] DEBUG: 5200: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:34:35,892 [root] DEBUG: 7728: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:34:35,907 [root] INFO: Announced 32-bit process name: powershell.exe pid: 5144
2026-04-28 01:34:35,907 [lib.api.process] INFO: Monitor config for <Process 5144 powershell.exe>: C:\ltb6yatm\dll\5144.ini
2026-04-28 01:34:35,923 [root] DEBUG: 7496: Dropped file limit defaulting to 100.
2026-04-28 01:34:35,923 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x05FC3000, size: 0x1000.
2026-04-28 01:34:35,938 [root] DEBUG: 3596: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:34:35,954 [root] DEBUG: 3488: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-28 01:34:35,954 [root] DEBUG: 5200: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:34:35,970 [root] DEBUG: 3404: GetEntropy: Error - Supplied address inaccessible: 0x05FC0000
2026-04-28 01:34:35,985 [root] DEBUG: 7728: Hooked 630 out of 632 functions
2026-04-28 01:34:35,985 [root] DEBUG: 7496: Disabling sleep skipping.
2026-04-28 01:34:35,985 [root] DEBUG: 3596: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:34:36,001 [root] DEBUG: 3488: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:34:36,017 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:36,032 [root] DEBUG: 5200: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:34:36,095 [root] DEBUG: 7728: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:36,095 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x045CB000, size: 0x1000.
2026-04-28 01:34:36,126 [root] DEBUG: 7496: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:36,126 [root] DEBUG: 3596: GetEntropy: Error - Supplied address inaccessible: 0x045C0000
2026-04-28 01:34:36,126 [root] DEBUG: 3488: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:34:36,157 [root] DEBUG: 3404: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 2252).
2026-04-28 01:34:36,157 [root] DEBUG: 7728: RestoreHeaders: Restored original import table.
2026-04-28 01:34:36,157 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_ab2mmmlk.eny.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:34:36,157 [root] DEBUG: 3404: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:34:36,173 [root] INFO: Loaded monitor into process with pid 7728
2026-04-28 01:34:36,188 [root] DEBUG: 3488: DLL loaded at 0x77DD0000: C:\Windows\System32\wintrust (0x4e000 bytes).
2026-04-28 01:34:36,204 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:36,204 [root] DEBUG: 7496: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:36,220 [root] DEBUG: 3404: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:36,235 [root] DEBUG: 7728: caller_dispatch: Added region at 0x00D20000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00D2B4FB, thread 5220).
2026-04-28 01:34:36,235 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_jwhrza5k.xge.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:34:36,235 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x045C0000.
2026-04-28 01:34:36,360 [root] DEBUG: 7496: Monitor initialised: 32-bit capemon loaded in process 7496 at 0x73f00000, thread 6148, image base 0xd20000, stack from 0x2ff4000-0x3000000
2026-04-28 01:34:36,438 [root] DEBUG: 3404: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:34:36,532 [root] DEBUG: 3488: DLL loaded at 0x6FE10000: C:\Windows\SYSTEM32\MSASN1 (0xe000 bytes).
2026-04-28 01:34:36,595 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:36,641 [root] DEBUG: 7728: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:36,673 [root] DEBUG: 3596: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:34:36,704 [root] DEBUG: 7496: Commandline: "powershell"  -Command Add-MpPreference -ExclusionPath 'C:\Users\??? ????????????\Memory Compression.exe'
2026-04-28 01:34:36,782 [root] DEBUG: 5200: .NET JIT native cache at 0x06240000: scans and dumps active.
2026-04-28 01:34:36,813 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x06260000, size: 0x1000.
2026-04-28 01:34:36,845 [root] DEBUG: 3488: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:34:36,860 [root] DEBUG: 7728: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:36,907 [root] DEBUG: 3596: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:34:36,907 [root] DEBUG: Loader: Injecting process 5144 (thread 7260) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:36,907 [root] DEBUG: 5200: caller_dispatch: Added region at 0x06240000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x06240324, thread 4104).
2026-04-28 01:34:36,923 [root] DEBUG: 7496: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:36,954 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:36,954 [root] DEBUG: 3488: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:34:36,954 [root] DEBUG: 7728: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:34:37,001 [root] DEBUG: 3596: .NET JIT native cache at 0x04850000: scans and dumps active.
2026-04-28 01:34:37,001 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x06240000 skipped
2026-04-28 01:34:37,017 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:37,017 [root] DEBUG: 3404: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:34:37,032 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:34:37,032 [root] DEBUG: 3488: .NET JIT native cache at 0x095A0000: scans and dumps active.
2026-04-28 01:34:37,048 [root] DEBUG: 3488: DLL loaded at 0x6F850000: C:\Windows\SYSTEM32\gpapi (0x1e000 bytes).
2026-04-28 01:34:37,063 [root] DEBUG: 7728: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:34:37,110 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x045C0000.
2026-04-28 01:34:37,142 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x062D1000, size: 0x1000.
2026-04-28 01:34:37,157 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:37,157 [root] DEBUG: 7496: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:34:37,157 [root] DEBUG: 3488: caller_dispatch: Added region at 0x095A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x095A42E5, thread 6808).
2026-04-28 01:34:37,157 [lib.api.process] INFO: Injected into 32-bit <Process 5144 powershell.exe>
2026-04-28 01:34:37,173 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00D10000.
2026-04-28 01:34:37,173 [root] DEBUG: 3596: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:34:37,188 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x062D0000.
2026-04-28 01:34:37,313 [root] DEBUG: 7728: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:34:37,407 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x095A0000 skipped
2026-04-28 01:34:37,516 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:37,595 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:34:37,610 [root] DEBUG: 3596: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:34:37,626 [root] DEBUG: 7728: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:34:37,642 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FC0000.
2026-04-28 01:34:37,673 [root] INFO: Added new file to list with pid 3488 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_wrefbbmw.er0.ps1
2026-04-28 01:34:37,688 [root] DEBUG: 3488: DLL loaded at 0x6F4F0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x357000 bytes).
2026-04-28 01:34:37,704 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 7548: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ImageBase: 0x00D20000
2026-04-28 01:34:37,720 [root] DEBUG: 7496: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:34:37,751 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x04850000 skipped
2026-04-28 01:34:37,767 [root] DEBUG: 3404: DumpPEsInRange: Scanning range 0x05FC0000 - 0x05FC1615.
2026-04-28 01:34:37,767 [root] DEBUG: 7728: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:34:37,767 [root] DEBUG: 5144: Python path set to 'C:\Python310'.
2026-04-28 01:34:37,767 [root] INFO: Announced 32-bit process name: powershell.exe pid: 7548
2026-04-28 01:34:37,767 [root] INFO: Added new file to list with pid 3488 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_bsrf2pai.kew.psm1
2026-04-28 01:34:37,782 [lib.api.process] INFO: Monitor config for <Process 7548 powershell.exe>: C:\ltb6yatm\dll\7548.ini
2026-04-28 01:34:37,798 [root] DEBUG: 5200: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:34:37,798 [root] DEBUG: 3596: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:34:37,813 [root] DEBUG: 7496: Hooked 630 out of 632 functions
2026-04-28 01:34:37,829 [root] DEBUG: 3404: ScanForDisguisedPE: No PE image located in range 0x05FC0000-0x05FC1615.
2026-04-28 01:34:37,845 [root] DEBUG: 7728: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:34:37,892 [root] DEBUG: 3488: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:34:37,923 [root] DEBUG: 5200: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:34:37,923 [root] DEBUG: 5144: Dropped file limit defaulting to 100.
2026-04-28 01:34:37,923 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3404_312781737342227142026 to CAPE\b29c15750395153469c3b347456e64b8ce027f40eb789d517ea7b07e32f89a32; Size is 5653; Max size: 100000000
2026-04-28 01:34:37,938 [root] DEBUG: 7496: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:37,954 [root] DEBUG: 7728: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:34:38,016 [root] DEBUG: 3596: DEBUG:Initialized 9 com hooks
2026-04-28 01:34:38,079 [root] DEBUG: 3488: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:34:38,157 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x05BF0000.
2026-04-28 01:34:38,235 [root] DEBUG: 7496: RestoreHeaders: Restored original import table.
2026-04-28 01:34:38,266 [root] DEBUG: 5144: Disabling sleep skipping.
2026-04-28 01:34:38,266 [root] DEBUG: 3404: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3404_312781737342227142026 (size 5653 bytes)
2026-04-28 01:34:38,282 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x04603000, size: 0x1000.
2026-04-28 01:34:38,298 [root] DEBUG: 3488: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:34:38,298 [root] DEBUG: 7508: AllocationHandler: Allocation already in tracked region list: 0x0AF40000.
2026-04-28 01:34:38,313 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:38,454 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x05BF0000.
2026-04-28 01:34:38,563 [root] INFO: Loaded monitor into process with pid 7496
2026-04-28 01:34:38,579 [root] DEBUG: 5144: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:38,595 [root] DEBUG: 3596: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:34:38,610 [root] DEBUG: 7728: GetEntropy: Error - Supplied address inaccessible: 0x04600000
2026-04-28 01:34:38,626 [root] DEBUG: 3404: DumpRegion: Dumped entire allocation from 0x05FC0000, size 8192 bytes.
2026-04-28 01:34:38,673 [root] DEBUG: Loader: Injecting process 7548 (thread 3424) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:38,673 [root] DEBUG: 3488: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:34:38,688 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x06200000, size: 0x8000.
2026-04-28 01:34:38,688 [root] DEBUG: 7496: caller_dispatch: Added region at 0x00D20000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00D2B4FB, thread 6148).
2026-04-28 01:34:38,688 [root] DEBUG: 5200: GetEntropy: Error - Supplied address inaccessible: 0x06200000
2026-04-28 01:34:38,688 [root] DEBUG: 5144: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:38,704 [root] DEBUG: 3596: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:34:38,720 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:38,720 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:38,766 [root] DEBUG: 3404: ProcessTrackedRegion: Dumped region at 0x05FC0000.
2026-04-28 01:34:38,798 [root] DEBUG: 3488: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:34:38,798 [root] DEBUG: 7496: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:38,813 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:38,813 [root] DEBUG: 5144: Monitor initialised: 32-bit capemon loaded in process 5144 at 0x73f00000, thread 7260, image base 0xd20000, stack from 0x675000-0x680000
2026-04-28 01:34:38,829 [root] DEBUG: 3596: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-28 01:34:38,829 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:38,829 [root] DEBUG: 7728: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 5220).
2026-04-28 01:34:38,829 [root] DEBUG: 3404: YaraScan: Scanning 0x05FC0000, size 0x1615
2026-04-28 01:34:38,860 [root] DEBUG: 7728: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:34:38,860 [lib.api.process] INFO: Injected into 32-bit <Process 7548 powershell.exe>
2026-04-28 01:34:38,860 [root] DEBUG: 5200: AllocationHandler: Processing previous tracked region at: 0x00D10000.
2026-04-28 01:34:38,860 [root] DEBUG: 7496: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:38,892 [root] DEBUG: 5144: Commandline: "powershell"  -Command Add-MpPreference -ExclusionPath 'C:\5o722xtn\dll\csrss.exe'
2026-04-28 01:34:38,954 [root] DEBUG: 5200: DumpPEsInRange: Scanning range 0x00D10000 - 0x00D1020B.
2026-04-28 01:34:38,954 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_wrefbbmw.er0.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:34:39,017 [root] DEBUG: 3596: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:34:39,048 [root] DEBUG: 7728: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:39,048 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:39,079 [root] DEBUG: 3404: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:34:39,141 [root] DEBUG: 7496: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:34:39,188 [root] DEBUG: 5144: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:39,313 [root] DEBUG: 5200: ScanForDisguisedPE: Size too small: 0x20b bytes
2026-04-28 01:34:39,407 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_bsrf2pai.kew.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:34:39,423 [root] DEBUG: 3596: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:34:39,485 [root] DEBUG: 7728: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:34:39,501 [root] DEBUG: 3404: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:34:39,501 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 6384: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ImageBase: 0x00D20000
2026-04-28 01:34:39,501 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:34:39,501 [root] DEBUG: 7496: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:34:39,516 [root] DEBUG: 7548: Python path set to 'C:\Python310'.
2026-04-28 01:34:39,516 [root] DEBUG: 3596: DLL loaded at 0x77DD0000: C:\Windows\System32\wintrust (0x4e000 bytes).
2026-04-28 01:34:39,516 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5200_992917239342227142026 to CAPE\42d6a458d676867c7a784dbef52d2bbc266e5b28696e3838732508cbd720bd82; Size is 523; Max size: 100000000
2026-04-28 01:34:39,516 [root] DEBUG: 3488: .NET JIT native cache at 0x08A80000: scans and dumps active.
2026-04-28 01:34:39,532 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x05AC0000, size: 0x1000.
2026-04-28 01:34:39,532 [root] INFO: Announced 32-bit process name: powershell.exe pid: 6384
2026-04-28 01:34:39,532 [root] DEBUG: 5144: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:34:39,532 [lib.api.process] INFO: Monitor config for <Process 6384 powershell.exe>: C:\ltb6yatm\dll\6384.ini
2026-04-28 01:34:39,532 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x05FFB000, size: 0x1000.
2026-04-28 01:34:39,548 [root] DEBUG: 7548: Dropped file limit defaulting to 100.
2026-04-28 01:34:39,548 [root] DEBUG: 7496: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:34:39,563 [root] DEBUG: 3596: DLL loaded at 0x6FE10000: C:\Windows\SYSTEM32\MSASN1 (0xe000 bytes).
2026-04-28 01:34:39,610 [root] DEBUG: 5200: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5200_992917239342227142026 (size 523 bytes)
2026-04-28 01:34:39,610 [root] DEBUG: 3488: caller_dispatch: Added region at 0x08A80000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08A800B2, thread 5156).
2026-04-28 01:34:39,626 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:39,626 [root] DEBUG: 3404: GetEntropy: Error - Supplied address inaccessible: 0x05FF0000
2026-04-28 01:34:39,626 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:34:39,642 [root] DEBUG: 7496: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:34:39,642 [root] DEBUG: 3596: DLL loaded at 0x6F850000: C:\Windows\SYSTEM32\gpapi (0x1e000 bytes).
2026-04-28 01:34:39,720 [root] DEBUG: 5200: DumpRegion: Dumped entire allocation from 0x00D10000, size 4096 bytes.
2026-04-28 01:34:39,720 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x08A80000 skipped
2026-04-28 01:34:39,751 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:39,751 [root] DEBUG: 7728: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:34:39,766 [root] DEBUG: 5200: ProcessTrackedRegion: Dumped region at 0x00D10000.
2026-04-28 01:34:39,766 [root] DEBUG: 5144: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:34:39,766 [root] DEBUG: 7548: Disabling sleep skipping.
2026-04-28 01:34:39,782 [root] DEBUG: 3596: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:34:39,813 [root] DEBUG: 7496: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:34:39,829 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F80000.
2026-04-28 01:34:39,861 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FF0000.
2026-04-28 01:34:39,907 [root] DEBUG: 5200: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x06200000.
2026-04-28 01:34:40,001 [root] DEBUG: 5144: Hooked 630 out of 632 functions
2026-04-28 01:34:40,110 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x06121000, size: 0x1000.
2026-04-28 01:34:40,220 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:40,251 [root] DEBUG: 7548: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:40,298 [root] DEBUG: 7496: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:34:40,345 [root] DEBUG: 3596: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:34:40,391 [root] DEBUG: 5200: AllocationHandler: Previously reserved region at 0x06200000, committing at: 0x06200000.
2026-04-28 01:34:40,438 [root] DEBUG: 3404: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:34:40,470 [root] DEBUG: 5144: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:40,470 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x06120000.
2026-04-28 01:34:40,485 [root] DEBUG: 7548: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:40,485 [root] DEBUG: 7496: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:34:40,532 [root] DEBUG: Loader: Injecting process 6384 (thread 1068) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:40,548 [root] DEBUG: 3596: .NET JIT native cache at 0x08A30000: scans and dumps active.
2026-04-28 01:34:40,548 [root] DEBUG: 3596: .NET JIT native cache at 0x08A30000: scans and dumps active.
2026-04-28 01:34:40,579 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00D10000.
2026-04-28 01:34:40,642 [root] DEBUG: 3596: DLL loaded at 0x6F4F0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x357000 bytes).
2026-04-28 01:34:40,642 [root] DEBUG: 3596: .NET JIT native cache at 0x08A30000: scans and dumps active.
2026-04-28 01:34:40,657 [root] DEBUG: 3404: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:34:40,657 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:40,673 [root] DEBUG: 3596: caller_dispatch: Added region at 0x08A30000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x08A314BE, thread 1012).
2026-04-28 01:34:40,673 [root] DEBUG: 3488: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:34:40,688 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x065D3000, size: 0x1000.
2026-04-28 01:34:40,704 [root] DEBUG: 7548: Monitor initialised: 32-bit capemon loaded in process 7548 at 0x73f00000, thread 3424, image base 0xd20000, stack from 0x114000-0x120000
2026-04-28 01:34:40,704 [root] DEBUG: 5144: RestoreHeaders: Restored original import table.
2026-04-28 01:34:40,704 [root] DEBUG: 7548: Commandline: "powershell"  -Command Add-MpPreference -ExclusionPath 'C:\Users\??? ????????????\qemu-ga\conhost.exe'
2026-04-28 01:34:40,735 [root] DEBUG: 5200: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:34:40,767 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x04600000.
2026-04-28 01:34:40,767 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:40,767 [root] DEBUG: 3404: .NET JIT native cache at 0x06260000: scans and dumps active.
2026-04-28 01:34:40,767 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x08A30000 skipped
2026-04-28 01:34:40,782 [lib.api.process] INFO: Injected into 32-bit <Process 6384 powershell.exe>
2026-04-28 01:34:40,923 [root] DEBUG: 3488: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:34:41,032 [root] DEBUG: 7728: DumpPEsInRange: Scanning range 0x04600000 - 0x04601615.
2026-04-28 01:34:41,110 [root] INFO: Loaded monitor into process with pid 5144
2026-04-28 01:34:41,157 [root] DEBUG: 7548: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:41,235 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FF0000.
2026-04-28 01:34:41,266 [root] DEBUG: 7496: GetEntropy: Error - Supplied address inaccessible: 0x065D0000
2026-04-28 01:34:41,282 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:41,282 [root] INFO: Added new file to list with pid 3596 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_05pcje4g.qfk.ps1
2026-04-28 01:34:41,313 [root] DEBUG: 7728: ScanForDisguisedPE: No PE image located in range 0x04600000-0x04601615.
2026-04-28 01:34:41,313 [root] DEBUG: 5144: caller_dispatch: Added region at 0x00D20000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00D2B4FB, thread 7260).
2026-04-28 01:34:41,345 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x06750000.
2026-04-28 01:34:41,345 [root] DEBUG: 5200: .NET JIT native cache at 0x08580000: scans and dumps active.
2026-04-28 01:34:41,345 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:34:41,360 [root] DEBUG: 3404: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:34:41,360 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:41,438 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 3836: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ImageBase: 0x00D20000
2026-04-28 01:34:41,454 [root] INFO: Added new file to list with pid 3596 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_pqhbc0k2.am3.psm1
2026-04-28 01:34:41,485 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7728_363893841342227142026 to CAPE\826e2cae305c057f85cb8e9faba9f9673cf3ffb3785894f04629a38dfa50b605; Size is 5653; Max size: 100000000
2026-04-28 01:34:41,485 [root] DEBUG: 6384: Python path set to 'C:\Python310'.
2026-04-28 01:34:41,485 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x06750000.
2026-04-28 01:34:41,501 [root] DEBUG: 5144: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:41,516 [root] DEBUG: 7548: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:34:41,516 [root] DEBUG: 5200: caller_dispatch: Added region at 0x08580000 to tracked regions list (advapi32::CryptImportKey returns to 0x08581BC4, thread 4104).
2026-04-28 01:34:41,516 [root] DEBUG: 3404: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:34:41,516 [root] INFO: Announced 32-bit process name: powershell.exe pid: 3836
2026-04-28 01:34:41,532 [lib.api.process] INFO: Monitor config for <Process 3836 powershell.exe>: C:\ltb6yatm\dll\3836.ini
2026-04-28 01:34:41,532 [root] DEBUG: 7496: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 6148).
2026-04-28 01:34:41,548 [root] DEBUG: 7496: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:34:41,548 [root] DEBUG: 3596: AllocationHandler: Previously reserved region at 0x08A30000, committing at: 0x08A38000.
2026-04-28 01:34:41,548 [root] DEBUG: 7728: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7728_363893841342227142026 (size 5653 bytes)
2026-04-28 01:34:41,610 [root] DEBUG: 6384: Dropped file limit defaulting to 100.
2026-04-28 01:34:41,610 [root] DEBUG: 5144: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:41,610 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x08A40000, size: 0x8000.
2026-04-28 01:34:41,641 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:34:41,641 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x08580000 skipped
2026-04-28 01:34:41,688 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x06260000 skipped
2026-04-28 01:34:41,704 [root] DEBUG: 7496: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:41,813 [root] DEBUG: 3596: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:34:41,907 [root] DEBUG: 7728: DumpRegion: Dumped entire allocation from 0x04600000, size 8192 bytes.
2026-04-28 01:34:42,126 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:42,235 [root] DEBUG: 5144: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:34:42,313 [root] DEBUG: 3488: GetEntropy: Error - Supplied address inaccessible: 0x08A40000
2026-04-28 01:34:42,345 [root] DEBUG: 7496: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:34:42,345 [root] DEBUG: 7548: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:34:42,360 [root] DEBUG: 3404: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:34:42,376 [root] DEBUG: 5200: .NET JIT native cache at 0x095F0000: scans and dumps active.
2026-04-28 01:34:42,376 [root] DEBUG: 7728: ProcessTrackedRegion: Dumped region at 0x04600000.
2026-04-28 01:34:42,391 [root] DEBUG: 3596: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:34:42,391 [root] DEBUG: Loader: Injecting process 3836 (thread 604) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:42,391 [root] DEBUG: 6384: Disabling sleep skipping.
2026-04-28 01:34:42,407 [root] DEBUG: 5144: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:34:42,407 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 4452: C:\Windows\system32\DllHost.exe, ImageBase: 0x00007FF6F2810000
2026-04-28 01:34:42,407 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x06AC0000, size: 0x1000.
2026-04-28 01:34:42,423 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:42,423 [root] DEBUG: 7548: Hooked 630 out of 632 functions
2026-04-28 01:34:42,423 [root] DEBUG: 5200: caller_dispatch: Added region at 0x095F0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x095F38A7, thread 4104).
2026-04-28 01:34:42,438 [root] DEBUG: 7728: YaraScan: Scanning 0x04600000, size 0x1615
2026-04-28 01:34:42,438 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:42,470 [root] DEBUG: 3596: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:34:42,501 [root] DEBUG: 5144: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:34:42,501 [root] DEBUG: 6384: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:42,517 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:42,533 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 4452
2026-04-28 01:34:42,548 [lib.api.process] INFO: Monitor config for <Process 4452 dllhost.exe>: C:\ltb6yatm\dll\4452.ini
2026-04-28 01:34:42,548 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x095F0000 skipped
2026-04-28 01:34:42,548 [root] DEBUG: 3488: AllocationHandler: Processing previous tracked region at: 0x05F80000.
2026-04-28 01:34:42,548 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:34:42,548 [root] DEBUG: 7548: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:42,579 [root] DEBUG: 7728: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:34:42,579 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:42,595 [root] DEBUG: 3404: DEBUG:Initialized 9 com hooks
2026-04-28 01:34:42,627 [lib.api.process] INFO: Injected into 32-bit <Process 3836 powershell.exe>
2026-04-28 01:34:42,627 [root] DEBUG: 5144: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:34:42,690 [root] DEBUG: 6384: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:42,876 [root] DEBUG: 3596: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:34:42,954 [root] DEBUG: 3488: DumpPEsInRange: Scanning range 0x05F80000 - 0x05F8020C.
2026-04-28 01:34:43,001 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00D10000.
2026-04-28 01:34:43,095 [root] DEBUG: Loader: Injecting process 4452 (thread 1748) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:43,126 [root] DEBUG: 7548: RestoreHeaders: Restored original import table.
2026-04-28 01:34:43,126 [root] DEBUG: 7496: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:34:43,126 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:43,220 [root] DEBUG: 6384: Monitor initialised: 32-bit capemon loaded in process 6384 at 0x73f00000, thread 1068, image base 0xd20000, stack from 0x2dc5000-0x2dd0000
2026-04-28 01:34:43,220 [root] DEBUG: 5144: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:34:43,235 [root] DEBUG: 7728: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:34:43,251 [root] DEBUG: 3488: ScanForDisguisedPE: Size too small: 0x20c bytes
2026-04-28 01:34:43,251 [root] DEBUG: 3404: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:34:43,313 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:43,313 [root] DEBUG: 5200: .NET JIT native cache at 0x08950000: scans and dumps active.
2026-04-28 01:34:43,423 [root] DEBUG: 3596: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:34:43,516 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x08CD1000, size: 0x1000.
2026-04-28 01:34:43,516 [root] INFO: Loaded monitor into process with pid 7548
2026-04-28 01:34:43,532 [root] DEBUG: 5144: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:34:43,532 [root] DEBUG: 6384: Commandline: "powershell"  -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\qemu-ga.exe'
2026-04-28 01:34:43,563 [root] INFO: Added new file to list with pid 7508 and path C:\Users\cape\AppData\Local\Temp\wQLGPu91Uq
2026-04-28 01:34:43,579 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x05A5B000, size: 0x1000.
2026-04-28 01:34:43,595 [root] DEBUG: 3404: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:34:43,610 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3488_569995943342227142026 to CAPE\3a3e6fa5cbc9dff5904aa4582bfb4e59dc3641459d35517e5bd3d84fe9f14ae6; Size is 524; Max size: 100000000
2026-04-28 01:34:43,610 [root] DEBUG: 3836: Python path set to 'C:\Python310'.
2026-04-28 01:34:43,626 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:43,704 [root] DEBUG: 5200: .NET JIT native cache at 0x09640000: scans and dumps active.
2026-04-28 01:34:43,751 [lib.api.process] INFO: Injected into 64-bit <Process 4452 dllhost.exe>
2026-04-28 01:34:43,751 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_05pcje4g.qfk.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:34:43,798 [root] DEBUG: 5200: .NET JIT native cache at 0x09640000: scans and dumps active.
2026-04-28 01:34:43,845 [root] DEBUG: 5200: .NET JIT native cache at 0x09640000: scans and dumps active.
2026-04-28 01:34:43,923 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:34:43,970 [root] DEBUG: 5144: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:34:43,987 [root] DEBUG: 7548: caller_dispatch: Added region at 0x00D20000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00D2B4FB, thread 3424).
2026-04-28 01:34:44,019 [root] DEBUG: 6384: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:44,063 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\wQLGPu91Uq to files\44eda8d8682d41917c36bbeba564c491cc1c3c25ec31528f155022b1b93c8d65; Size is 25; Max size: 100000000
2026-04-28 01:34:44,063 [root] DEBUG: 7548: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:44,095 [root] DEBUG: 3488: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3488_569995943342227142026 (size 524 bytes)
2026-04-28 01:34:44,110 [root] DEBUG: 3836: Dropped file limit defaulting to 100.
2026-04-28 01:34:44,110 [root] DEBUG: 3404: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-28 01:34:44,126 [root] DEBUG: 7728: GetEntropy: Error - Supplied address inaccessible: 0x05A50000
2026-04-28 01:34:44,142 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_pqhbc0k2.am3.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:34:44,142 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09640000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x096400C9, thread 2156).
2026-04-28 01:34:44,142 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x065D0000.
2026-04-28 01:34:44,205 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00D10000.
2026-04-28 01:34:44,220 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 4452
2026-04-28 01:34:44,220 [lib.api.process] INFO: Monitor config for <Process 4452 dllhost.exe>: C:\ltb6yatm\dll\4452.ini
2026-04-28 01:34:44,220 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:34:44,220 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x044A3000, size: 0x1000.
2026-04-28 01:34:44,220 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:34:44,235 [root] INFO: Added new file to list with pid 7508 and path C:\Users\cape\AppData\Local\Temp\IMjSYhT8km.bat
2026-04-28 01:34:44,298 [root] DEBUG: 3488: DumpRegion: Dumped entire allocation from 0x05F80000, size 4096 bytes.
2026-04-28 01:34:44,313 [root] DEBUG: 3404: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:34:44,329 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09640000 skipped
2026-04-28 01:34:44,345 [root] DEBUG: 7548: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:44,425 [root] DEBUG: 7496: DumpPEsInRange: Scanning range 0x065D0000 - 0x065D1615.
2026-04-28 01:34:44,438 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:44,438 [root] DEBUG: 6384: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:34:44,548 [root] DEBUG: 3836: Disabling sleep skipping.
2026-04-28 01:34:44,595 [root] DEBUG: Loader: Injecting process 4452 (thread 1748) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:44,704 [root] DEBUG: 3488: ProcessTrackedRegion: Dumped region at 0x05F80000.
2026-04-28 01:34:44,782 [root] DEBUG: 5144: GetEntropy: Error - Supplied address inaccessible: 0x044A0000
2026-04-28 01:34:44,813 [root] DEBUG: 3404: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:34:44,845 [root] DEBUG: 3596: .NET JIT native cache at 0x08520000: scans and dumps active.
2026-04-28 01:34:44,845 [root] DEBUG: 7508: DLL loaded at 0x703C0000: C:\Windows\SYSTEM32\PROPSYS (0xc2000 bytes).
2026-04-28 01:34:44,845 [root] DEBUG: 5200: DLL loaded at 0x6F2D0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions (0x4c000 bytes).
2026-04-28 01:34:44,876 [root] DEBUG: 5200: .NET JIT native cache at 0x09BD0000: scans and dumps active.
2026-04-28 01:34:44,954 [root] DEBUG: 5200: .NET JIT native cache at 0x09BD0000: scans and dumps active.
2026-04-28 01:34:45,063 [root] DEBUG: 7496: ScanForDisguisedPE: No PE image located in range 0x065D0000-0x065D1615.
2026-04-28 01:34:45,063 [root] DEBUG: 7548: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:34:45,063 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x05A50000.
2026-04-28 01:34:45,079 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:45,095 [root] DEBUG: 3836: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:45,095 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:34:45,095 [root] DEBUG: 3488: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x08A40000.
2026-04-28 01:34:45,110 [root] DEBUG: 3404: DLL loaded at 0x77DD0000: C:\Windows\System32\wintrust (0x4e000 bytes).
2026-04-28 01:34:45,110 [root] DEBUG: 7508: DLL loaded at 0x6F280000: C:\Windows\System32\dlnashext (0x43000 bytes).
2026-04-28 01:34:45,110 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:45,173 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09BD0000 to tracked regions list (advapi32::CryptImportKey returns to 0x09BEAACC, thread 2156).
2026-04-28 01:34:45,188 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x045C0000.
2026-04-28 01:34:45,220 [root] DEBUG: 5200: .NET JIT native cache at 0x09650000: scans and dumps active.
2026-04-28 01:34:45,220 [root] DEBUG: 5200: .NET JIT native cache at 0x09650000: scans and dumps active.
2026-04-28 01:34:45,282 [root] DEBUG: 7548: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:34:45,282 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7496_97983945342227142026 to CAPE\fceac3c92ae5d1ee84c0add3b9b9335d35fe5eea247e04f935f6c98c5f844185; Size is 5653; Max size: 100000000
2026-04-28 01:34:45,298 [root] DEBUG: 3836: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:45,313 [root] DEBUG: 7728: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:34:45,313 [root] DEBUG: 3488: AllocationHandler: Previously reserved region at 0x08A40000, committing at: 0x08A40000.
2026-04-28 01:34:45,391 [root] DEBUG: 6384: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:34:45,470 [root] DEBUG: 3404: DLL loaded at 0x6FE10000: C:\Windows\SYSTEM32\MSASN1 (0xe000 bytes).
2026-04-28 01:34:45,548 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:34:45,626 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09BD0000 skipped
2026-04-28 01:34:45,720 [lib.api.process] INFO: Injected into 64-bit <Process 4452 dllhost.exe>
2026-04-28 01:34:45,735 [root] DEBUG: 7508: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 3428).
2026-04-28 01:34:45,753 [root] DEBUG: 5144: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 7260).
2026-04-28 01:34:45,782 [root] DEBUG: 5144: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:34:45,798 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09650000 to tracked regions list (advapi32::CryptImportKey returns to 0x09653804, thread 5224).
2026-04-28 01:34:45,798 [root] DEBUG: 3596: caller_dispatch: Added region at 0x08520000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08525E3A, thread 1012).
2026-04-28 01:34:45,813 [root] DEBUG: 7548: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:34:45,813 [root] DEBUG: 7496: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7496_97983945342227142026 (size 5653 bytes)
2026-04-28 01:34:45,813 [root] DEBUG: 3836: Monitor initialised: 32-bit capemon loaded in process 3836 at 0x73f00000, thread 604, image base 0xd20000, stack from 0x875000-0x880000
2026-04-28 01:34:45,829 [root] DEBUG: 7728: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:34:45,829 [root] DEBUG: 6384: Hooked 630 out of 632 functions
2026-04-28 01:34:45,845 [root] DEBUG: 7496: DumpRegion: Dumped entire allocation from 0x065D0000, size 8192 bytes.
2026-04-28 01:34:45,845 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F80000.
2026-04-28 01:34:45,860 [root] DEBUG: 3404: DLL loaded at 0x6F850000: C:\Windows\SYSTEM32\gpapi (0x1e000 bytes).
2026-04-28 01:34:45,892 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping
2026-04-28 01:34:45,939 [root] DEBUG: 5200: DLL loaded at 0x6F1E0000: C:\Windows\SYSTEM32\secur32 (0xa000 bytes).
2026-04-28 01:34:45,954 [root] DEBUG: 4452: Python path set to 'C:\Python310'.
2026-04-28 01:34:45,985 [root] DEBUG: 5144: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:46,001 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09650000 skipped
2026-04-28 01:34:46,016 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x08520000 skipped
2026-04-28 01:34:46,079 [root] DEBUG: 3836: Commandline: "powershell"  -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\msedgewebview2.exe'
2026-04-28 01:34:46,173 [root] DEBUG: 7728: .NET JIT native cache at 0x05AC0000: scans and dumps active.
2026-04-28 01:34:46,188 [root] DEBUG: 7496: ProcessTrackedRegion: Dumped region at 0x065D0000.
2026-04-28 01:34:46,204 [root] DEBUG: 7548: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:34:46,282 [root] DEBUG: 6384: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:46,376 [root] DEBUG: 3404: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:34:46,470 [root] DEBUG: 3488: AllocationHandler: Previously reserved region at 0x08A80000, committing at: 0x08A8C000.
2026-04-28 01:34:46,548 [root] DEBUG: 7508: DLL loaded at 0x6F070000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus (0x167000 bytes).
2026-04-28 01:34:46,642 [root] DEBUG: 4452: Dropped file limit defaulting to 100.
2026-04-28 01:34:46,642 [root] DEBUG: 5200: .NET JIT native cache at 0x09790000: scans and dumps active.
2026-04-28 01:34:46,688 [root] DEBUG: 5200: .NET JIT native cache at 0x09790000: scans and dumps active.
2026-04-28 01:34:46,767 [root] DEBUG: 5144: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:34:46,798 [root] DEBUG: 3836: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:46,876 [root] DEBUG: 7548: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:34:46,923 [root] DEBUG: 6384: RestoreHeaders: Restored original import table.
2026-04-28 01:34:46,923 [root] DEBUG: 3596: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:34:46,938 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x05A50000.
2026-04-28 01:34:46,938 [root] DEBUG: 7496: YaraScan: Scanning 0x065D0000, size 0x1615
2026-04-28 01:34:47,017 [root] DEBUG: 3488: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:34:47,049 [root] INFO: Added new file to list with pid 3404 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_n3ecg4wk.v01.ps1
2026-04-28 01:34:47,188 [root] DEBUG: 7508: DLL loaded at 0x6F1F0000: C:\Windows\system32\wpdshext (0x8b000 bytes).
2026-04-28 01:34:47,298 [root] DEBUG: 5200: .NET JIT native cache at 0x09790000: scans and dumps active.
2026-04-28 01:34:47,376 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09790000 to tracked regions list (kernel32::SetErrorMode returns to 0x09790333, thread 2156).
2026-04-28 01:34:47,470 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:34:47,485 [root] DEBUG: 3404: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:34:47,516 [root] DEBUG: 7548: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:34:47,516 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x05C50000, size: 0x1000.
2026-04-28 01:34:47,516 [root] DEBUG: 5200: .NET JIT native cache at 0x09840000: scans and dumps active.
2026-04-28 01:34:47,516 [root] DEBUG: 3596: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:34:47,579 [root] INFO: Loaded monitor into process with pid 6384
2026-04-28 01:34:47,595 [root] DEBUG: 7496: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:34:47,595 [root] DEBUG: 7508: DLL loaded at 0x77480000: C:\Windows\System32\CFGMGR32 (0x3b000 bytes).
2026-04-28 01:34:47,610 [root] DEBUG: 5200: .NET JIT native cache at 0x09840000: scans and dumps active.
2026-04-28 01:34:47,642 [root] DEBUG: 4452: Disabling sleep skipping.
2026-04-28 01:34:47,720 [root] INFO: Added new file to list with pid 3404 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_aoj0euxm.0vz.psm1
2026-04-28 01:34:47,735 [root] DEBUG: 7728: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:34:47,751 [root] DEBUG: 3488: .NET JIT native cache at 0x08AB0000: scans and dumps active.
2026-04-28 01:34:47,751 [root] DEBUG: 3404: .NET JIT native cache at 0x09630000: scans and dumps active.
2026-04-28 01:34:47,813 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09790000 skipped
2026-04-28 01:34:47,845 [root] DEBUG: 7548: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:34:47,860 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:47,907 [root] DEBUG: 3836: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:34:47,923 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:34:47,923 [root] DEBUG: 6384: caller_dispatch: Added region at 0x00D20000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00D2B4FB, thread 1068).
2026-04-28 01:34:47,923 [root] DEBUG: 7496: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:34:47,938 [root] DEBUG: 4452: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:47,970 [root] DEBUG: 3404: .NET JIT native cache at 0x09630000: scans and dumps active.
2026-04-28 01:34:47,970 [root] DEBUG: 7728: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:34:48,048 [root] DEBUG: 3488: caller_dispatch: Added region at 0x08AB0000 to tracked regions list (advapi32::CryptImportKey returns to 0x08AB1B04, thread 5156).
2026-04-28 01:34:48,141 [root] DEBUG: 3404: caller_dispatch: Added region at 0x09630000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0963562D, thread 2748).
2026-04-28 01:34:48,188 [root] DEBUG: 7508: DLL loaded at 0x6EFD0000: C:\Windows\System32\Windows.StateRepositoryPS (0x93000 bytes).
2026-04-28 01:34:48,235 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x00CB3000, size: 0x1000.
2026-04-28 01:34:48,284 [root] DEBUG: 5144: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:34:48,313 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:34:48,345 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x09630000 skipped
2026-04-28 01:34:48,360 [root] DEBUG: 6384: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:48,360 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:34:48,360 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09840000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0984596D, thread 4104).
2026-04-28 01:34:48,376 [root] DEBUG: 4452: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:34:48,376 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x08AB0000 skipped
2026-04-28 01:34:48,408 [root] DEBUG: 3404: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:34:48,454 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x05AC0000 skipped
2026-04-28 01:34:48,454 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x0660B000, size: 0x1000.
2026-04-28 01:34:48,454 [root] DEBUG: 7548: GetEntropy: Error - Supplied address inaccessible: 0x00CB0000
2026-04-28 01:34:48,470 [root] DEBUG: 7508: DLL loaded at 0x6EBF0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2026-04-28 01:34:48,470 [root] DEBUG: 3836: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:34:48,470 [root] DEBUG: 6384: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:48,517 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x05CB1000, size: 0x1000.
2026-04-28 01:34:48,517 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x084E0000, size: 0x8000.
2026-04-28 01:34:48,517 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09840000 skipped
2026-04-28 01:34:48,517 [root] DEBUG: 4452: YaraScan: Scanning 0x00007FF6F2810000, size 0x8026
2026-04-28 01:34:48,517 [root] DEBUG: 3488: .NET JIT native cache at 0x09EA0000: scans and dumps active.
2026-04-28 01:34:48,532 [root] DEBUG: 3404: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:34:48,532 [root] DEBUG: 7728: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:34:48,532 [root] DEBUG: 7496: GetEntropy: Error - Supplied address inaccessible: 0x06600000
2026-04-28 01:34:48,548 [root] DEBUG: 7508: DLL loaded at 0x6EBD0000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2026-04-28 01:34:48,548 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:48,595 [root] DEBUG: 3836: Hooked 630 out of 632 functions
2026-04-28 01:34:48,626 [root] DEBUG: 6384: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:34:48,659 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x05CB0000.
2026-04-28 01:34:48,688 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00D10000.
2026-04-28 01:34:48,688 [root] DEBUG: 4452: Monitor initialised: 64-bit capemon loaded in process 4452 at 0x00007FFEABCB0000, thread 1748, image base 0x00007FF6F2810000, stack from 0x00000059A8754000-0x00000059A8760000
2026-04-28 01:34:48,704 [root] DEBUG: 3596: GetEntropy: Error - Supplied address inaccessible: 0x084E0000
2026-04-28 01:34:48,767 [root] DEBUG: 3404: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:34:48,798 [root] DEBUG: 3488: caller_dispatch: Added region at 0x09EA0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09EA3676, thread 5156).
2026-04-28 01:34:48,798 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:48,829 [root] DEBUG: 7548: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 3424).
2026-04-28 01:34:48,829 [root] DEBUG: 3836: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:48,829 [root] DEBUG: 7728: DEBUG:Initialized 9 com hooks
2026-04-28 01:34:48,892 [root] DEBUG: 7548: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:34:49,017 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044A0000.
2026-04-28 01:34:49,126 [root] DEBUG: 7508: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2026-04-28 01:34:49,204 [root] DEBUG: 6384: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:34:49,266 [root] DEBUG: 4452: Commandline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2026-04-28 01:34:49,329 [root] DEBUG: 3404: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:34:49,345 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:49,345 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x09EA0000 skipped
2026-04-28 01:34:49,345 [root] DEBUG: 5200: .NET JIT native cache at 0x09580000: scans and dumps active.
2026-04-28 01:34:49,360 [root] DEBUG: 3596: AllocationHandler: Processing previous tracked region at: 0x08A30000.
2026-04-28 01:34:49,376 [root] DEBUG: 7548: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:49,407 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x06600000.
2026-04-28 01:34:49,438 [root] DEBUG: 3836: RestoreHeaders: Restored original import table.
2026-04-28 01:34:49,438 [root] INFO: Loaded monitor into process with pid 3836
2026-04-28 01:34:49,438 [root] DEBUG: 5144: DumpPEsInRange: Scanning range 0x044A0000 - 0x044A1615.
2026-04-28 01:34:49,455 [root] DEBUG: 7728: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:34:49,455 [root] DEBUG: 6384: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:34:49,470 [root] DEBUG: 7508: DLL loaded at 0x6EE20000: C:\Windows\SYSTEM32\urlmon (0x1a8000 bytes).
2026-04-28 01:34:49,470 [root] DEBUG: 4452: hook_api: LdrpCallInitRoutine export address 0x00007FFEFE8699BC obtained via GetFunctionAddress
2026-04-28 01:34:49,501 [root] DEBUG: 3404: DLL loaded at 0x6F4F0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x357000 bytes).
2026-04-28 01:34:49,532 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F80000.
2026-04-28 01:34:49,579 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x08A30000 skipped
2026-04-28 01:34:49,595 [root] DEBUG: 7548: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:34:49,595 [root] DEBUG: 7496: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:34:49,595 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09580000 to tracked regions list (advapi32::RegOpenKeyExW returns to 0x09585A7A, thread 4104).
2026-04-28 01:34:49,610 [root] DEBUG: 5144: ScanForDisguisedPE: No PE image located in range 0x044A0000-0x044A1615.
2026-04-28 01:34:49,610 [root] DEBUG: 7728: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:34:49,626 [root] DEBUG: 3836: caller_dispatch: Added region at 0x00D20000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00D2B4FB, thread 604).
2026-04-28 01:34:49,626 [root] WARNING: b'Unable to place hook on LockResource'
2026-04-28 01:34:49,657 [root] DEBUG: 6384: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:34:49,657 [root] DEBUG: 3488: .NET JIT native cache at 0x09DC0000: scans and dumps active.
2026-04-28 01:34:49,813 [root] DEBUG: 3596: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x084E0000.
2026-04-28 01:34:49,876 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x04240000, size: 0x1000.
2026-04-28 01:34:49,954 [root] DEBUG: 7496: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:34:50,032 [root] DEBUG: 3596: AllocationHandler: Previously reserved region at 0x084E0000, committing at: 0x084E0000.
2026-04-28 01:34:50,157 [root] DEBUG: 3404: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:34:50,173 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09580000 skipped
2026-04-28 01:34:50,173 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5144_1667313049342227142026 to CAPE\f7d79832acc85d89e0366450039bbba3324dfee201b62a3c00ec66d268789b1e; Size is 5653; Max size: 100000000
2026-04-28 01:34:50,204 [root] DEBUG: 7728: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-28 01:34:50,220 [root] DEBUG: 4452: set_hooks: Unable to hook LockResource
2026-04-28 01:34:50,220 [root] DEBUG: 3836: YaraScan: Scanning 0x00D20000, size 0x6c27a
2026-04-28 01:34:50,251 [root] DEBUG: 7508: DLL loaded at 0x6EAF0000: C:\Windows\System32\wintypes (0xdb000 bytes).
2026-04-28 01:34:50,251 [root] DEBUG: 6384: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:34:50,267 [root] DEBUG: 3488: .NET JIT native cache at 0x0A3F0000: scans and dumps active.
2026-04-28 01:34:50,267 [root] DEBUG: 3488: .NET JIT native cache at 0x0A3F0000: scans and dumps active.
2026-04-28 01:34:50,282 [root] DEBUG: 3488: .NET JIT native cache at 0x0A3F0000: scans and dumps active.
2026-04-28 01:34:50,282 [root] DEBUG: 7496: .NET JIT native cache at 0x06AC0000: scans and dumps active.
2026-04-28 01:34:50,298 [root] DEBUG: 3488: .NET JIT native cache at 0x0A480000: scans and dumps active.
2026-04-28 01:34:50,313 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:50,313 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x045C0000.
2026-04-28 01:34:50,313 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_n3ecg4wk.v01.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:34:50,360 [root] DEBUG: 7728: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:34:50,376 [root] DEBUG: 5144: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5144_1667313049342227142026 (size 5653 bytes)
2026-04-28 01:34:50,392 [root] DEBUG: 4452: Hooked 627 out of 628 functions
2026-04-28 01:34:50,392 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00D10000.
2026-04-28 01:34:50,392 [root] DEBUG: 3836: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:50,470 [root] DEBUG: 6384: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:34:50,470 [root] DEBUG: 3488: .NET JIT native cache at 0x0A480000: scans and dumps active.
2026-04-28 01:34:50,485 [root] DEBUG: 3488: .NET JIT native cache at 0x0A480000: scans and dumps active.
2026-04-28 01:34:50,501 [root] DEBUG: 3488: .NET JIT native cache at 0x0A480000: scans and dumps active.
2026-04-28 01:34:50,532 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A480000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A499080, thread 5156).
2026-04-28 01:34:50,532 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x06600000.
2026-04-28 01:34:50,579 [root] DEBUG: 7508: DLL loaded at 0x6EA20000: C:\Windows\System32\Bcp47Langs (0x48000 bytes).
2026-04-28 01:34:50,579 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_aoj0euxm.0vz.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:34:50,596 [root] DEBUG: 3596: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:34:50,642 [root] DEBUG: 7548: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:34:50,782 [root] DEBUG: 3836: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:34:50,845 [root] DEBUG: 5144: DumpRegion: Dumped entire allocation from 0x044A0000, size 8192 bytes.
2026-04-28 01:34:50,938 [root] DEBUG: 7728: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:34:51,048 [root] DEBUG: 6384: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:34:51,157 [root] DEBUG: 7496: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:34:51,173 [root] DEBUG: 5200: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:34:51,220 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A480000 skipped
2026-04-28 01:34:51,235 [root] DEBUG: 7508: DLL loaded at 0x6E9E0000: C:\Windows\System32\sppc (0x1c000 bytes).
2026-04-28 01:34:51,235 [root] DEBUG: 3404: .NET JIT native cache at 0x09600000: scans and dumps active.
2026-04-28 01:34:51,235 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x08141000, size: 0x1000.
2026-04-28 01:34:51,251 [root] DEBUG: 3836: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:34:51,266 [root] DEBUG: 7508: DLL loaded at 0x6EA00000: C:\Windows\System32\SLC (0x1f000 bytes).
2026-04-28 01:34:51,266 [root] DEBUG: 5144: ProcessTrackedRegion: Dumped region at 0x044A0000.
2026-04-28 01:34:51,266 [root] DEBUG: 3596: .NET JIT native cache at 0x08930000: scans and dumps active.
2026-04-28 01:34:51,266 [root] DEBUG: 7728: DLL loaded at 0x77DD0000: C:\Windows\System32\wintrust (0x4e000 bytes).
2026-04-28 01:34:51,282 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x04D23000, size: 0x1000.
2026-04-28 01:34:51,298 [root] DEBUG: 7496: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:34:51,329 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08140000.
2026-04-28 01:34:51,329 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F80000.
2026-04-28 01:34:51,454 [root] DEBUG: 3836: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:34:51,485 [root] DEBUG: 5200: .NET JIT native cache at 0x09610000: scans and dumps active.
2026-04-28 01:34:51,501 [root] DEBUG: 7508: DLL loaded at 0x70490000: C:\Windows\System32\USERENV (0x25000 bytes).
2026-04-28 01:34:51,501 [root] DEBUG: 3404: caller_dispatch: Added region at 0x09600000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09600324, thread 2252).
2026-04-28 01:34:51,501 [root] DEBUG: 5144: YaraScan: Scanning 0x044A0000, size 0x1615
2026-04-28 01:34:51,532 [root] DEBUG: 6384: GetEntropy: Error - Supplied address inaccessible: 0x04D20000
2026-04-28 01:34:51,532 [root] DEBUG: 3596: caller_dispatch: Added region at 0x08930000 to tracked regions list (advapi32::CryptImportKey returns to 0x08931E6C, thread 1012).
2026-04-28 01:34:51,548 [root] DEBUG: 7728: DLL loaded at 0x6FE10000: C:\Windows\SYSTEM32\MSASN1 (0xe000 bytes).
2026-04-28 01:34:51,579 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x06AC0000 skipped
2026-04-28 01:34:51,595 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A3F0000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x0A3F1D3A, thread 6328).
2026-04-28 01:34:51,595 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CB0000.
2026-04-28 01:34:51,595 [root] DEBUG: 3488: .NET JIT native cache at 0x09F20000: scans and dumps active.
2026-04-28 01:34:51,595 [root] DEBUG: 3488: .NET JIT native cache at 0x09F20000: scans and dumps active.
2026-04-28 01:34:51,798 [root] DEBUG: 3836: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:34:51,845 [root] DEBUG: 7508: DLL loaded at 0x6EA70000: C:\Windows\System32\appresolver (0x71000 bytes).
2026-04-28 01:34:51,891 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x09600000 skipped
2026-04-28 01:34:51,954 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09610000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09610D5A, thread 2888).
2026-04-28 01:34:52,001 [root] DEBUG: 5144: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:34:52,016 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x08930000 skipped
2026-04-28 01:34:52,110 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:52,141 [root] DEBUG: 7728: DLL loaded at 0x6F850000: C:\Windows\SYSTEM32\gpapi (0x1e000 bytes).
2026-04-28 01:34:52,188 [root] DEBUG: 5144: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:34:52,267 [root] DEBUG: 7496: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:34:52,282 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A3F0000 skipped
2026-04-28 01:34:52,313 [root] DEBUG: 7548: DumpPEsInRange: Scanning range 0x00CB0000 - 0x00CB1615.
2026-04-28 01:34:52,329 [root] DEBUG: 3488: caller_dispatch: Added region at 0x09F20000 to tracked regions list (advapi32::CryptImportKey returns to 0x09F295C4, thread 264).
2026-04-28 01:34:52,329 [root] DEBUG: 3836: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:34:52,329 [root] DEBUG: 7508: DLL loaded at 0x6FD70000: C:\Windows\System32\OneCoreCommonProxyStub (0x3d000 bytes).
2026-04-28 01:34:52,345 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09610000 skipped
2026-04-28 01:34:52,376 [root] DEBUG: 7728: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:34:52,423 [root] DEBUG: 3596: AllocationHandler: Previously reserved region at 0x08930000, committing at: 0x0893B000.
2026-04-28 01:34:52,438 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FF0000.
2026-04-28 01:34:52,438 [root] DEBUG: 6384: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 1068).
2026-04-28 01:34:52,485 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x044DB000, size: 0x1000.
2026-04-28 01:34:52,595 [root] DEBUG: 3488: DLL loaded at 0x6F1E0000: C:\Windows\SYSTEM32\secur32 (0xa000 bytes).
2026-04-28 01:34:52,782 [root] DEBUG: 7548: ScanForDisguisedPE: No PE image located in range 0x00CB0000-0x00CB1615.
2026-04-28 01:34:52,876 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x09F20000 skipped
2026-04-28 01:34:52,892 [root] DEBUG: 6384: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:34:52,892 [root] DEBUG: 3836: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:34:52,907 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x09620000, size: 0x1000.
2026-04-28 01:34:52,923 [root] DEBUG: 7508: DLL loaded at 0x6E620000: C:\Windows\System32\OneCoreUAPCommonProxyStub (0x3b9000 bytes).
2026-04-28 01:34:52,954 [root] DEBUG: 7728: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:34:52,985 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7548_2738376052342227142026 to CAPE\bd542c0083f5c5a0420b5102c1a6919435e5073ed2b7f60ffa7f2999cfefa8eb; Size is 5653; Max size: 100000000
2026-04-28 01:34:53,001 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08930000.
2026-04-28 01:34:53,001 [root] DEBUG: 6384: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:53,032 [root] DEBUG: 5144: GetEntropy: Error - Supplied address inaccessible: 0x044D0000
2026-04-28 01:34:53,032 [root] DEBUG: 7496: DEBUG:Initialized 9 com hooks
2026-04-28 01:34:53,063 [root] DEBUG: 3488: .NET JIT native cache at 0x09E30000: scans and dumps active.
2026-04-28 01:34:53,110 [root] DEBUG: 3488: .NET JIT native cache at 0x09E30000: scans and dumps active.
2026-04-28 01:34:53,220 [root] DEBUG: 3836: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:34:53,360 [root] DEBUG: 4452: Syscall hook installed, syscall logging level 1
2026-04-28 01:34:53,532 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:53,735 [root] DEBUG: 7728: .NET JIT native cache at 0x091B0000: scans and dumps active.
2026-04-28 01:34:53,813 [root] DEBUG: 3404: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:34:53,829 [root] DEBUG: 7728: .NET JIT native cache at 0x091B0000: scans and dumps active.
2026-04-28 01:34:53,845 [root] DEBUG: 7728: .NET JIT native cache at 0x091B0000: scans and dumps active.
2026-04-28 01:34:53,860 [root] DEBUG: 7728: caller_dispatch: Added region at 0x091B0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x091B09A2, thread 6492).
2026-04-28 01:34:53,860 [root] DEBUG: 6384: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:34:53,860 [root] DEBUG: 7548: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7548_2738376052342227142026 (size 5653 bytes)
2026-04-28 01:34:53,876 [root] DEBUG: 3596: .NET JIT native cache at 0x09770000: scans and dumps active.
2026-04-28 01:34:53,891 [root] DEBUG: 7496: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:34:53,907 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:53,923 [root] DEBUG: 3488: .NET JIT native cache at 0x09E40000: scans and dumps active.
2026-04-28 01:34:53,970 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x05CC3000, size: 0x1000.
2026-04-28 01:34:54,016 [root] DEBUG: 3488: caller_dispatch: Added region at 0x09E30000 to tracked regions list (kernel32::SetErrorMode returns to 0x09E3030B, thread 6328).
2026-04-28 01:34:54,032 [root] DEBUG: 7508: CreateProcessHandler: Injection info set for new process 6396: C:\Windows\System32\cmd.exe, ImageBase: 0x00450000
2026-04-28 01:34:54,048 [root] DEBUG: 5200: .NET JIT native cache at 0x098E0000: scans and dumps active.
2026-04-28 01:34:54,048 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x091B0000 skipped
2026-04-28 01:34:54,126 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x06520000, size: 0x1000.
2026-04-28 01:34:54,141 [root] DEBUG: 3404: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:34:54,157 [root] DEBUG: 7496: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:34:54,173 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09770000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09772E04, thread 1012).
2026-04-28 01:34:54,173 [root] DEBUG: 7548: DumpRegion: Dumped entire allocation from 0x00CB0000, size 8192 bytes.
2026-04-28 01:34:54,173 [root] DEBUG: 3836: GetEntropy: Error - Supplied address inaccessible: 0x05CC0000
2026-04-28 01:34:54,173 [root] DEBUG: 4452: RestoreHeaders: Restored original import table.
2026-04-28 01:34:54,188 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044D0000.
2026-04-28 01:34:54,204 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x09E30000 skipped
2026-04-28 01:34:54,220 [root] DEBUG: 5200: caller_dispatch: Added region at 0x098E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x098E05E9, thread 2888).
2026-04-28 01:34:54,235 [root] INFO: Added new file to list with pid 7728 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_x2qdsu4c.iic.ps1
2026-04-28 01:34:54,235 [root] INFO: Announced 32-bit process name: cmd.exe pid: 6396
2026-04-28 01:34:54,251 [lib.api.process] INFO: Monitor config for <Process 6396 cmd.exe>: C:\ltb6yatm\dll\6396.ini
2026-04-28 01:34:54,251 [root] DEBUG: 7728: DLL loaded at 0x6F4F0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x357000 bytes).
2026-04-28 01:34:54,251 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:54,251 [root] DEBUG: 7496: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-28 01:34:54,266 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x062D0000.
2026-04-28 01:34:54,266 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09770000 skipped
2026-04-28 01:34:54,266 [root] DEBUG: 5144: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:34:54,282 [root] DEBUG: 7548: ProcessTrackedRegion: Dumped region at 0x00CB0000.
2026-04-28 01:34:54,298 [root] DEBUG: 3488: caller_dispatch: Added region at 0x09E40000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09E45971, thread 5156).
2026-04-28 01:34:54,298 [root] DEBUG: 3836: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:54,392 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:34:54,516 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x098E0000 skipped
2026-04-28 01:34:54,641 [root] DEBUG: 6384: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:34:54,688 [root] INFO: Loaded monitor into process with pid 4452
2026-04-28 01:34:54,704 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x062D0000.
2026-04-28 01:34:54,735 [root] DEBUG: 7496: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:34:54,735 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x045C0000.
2026-04-28 01:34:54,735 [root] DEBUG: 5144: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:34:54,751 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x09E40000 skipped
2026-04-28 01:34:54,766 [root] DEBUG: 7548: YaraScan: Scanning 0x00CB0000, size 0x1615
2026-04-28 01:34:54,782 [root] DEBUG: 3836: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 604).
2026-04-28 01:34:54,798 [root] DEBUG: 3836: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:34:54,798 [root] DEBUG: Loader: Injecting process 6396 (thread 6048) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:54,798 [root] INFO: Added new file to list with pid 7728 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_y1n3c0hs.uzj.psm1
2026-04-28 01:34:54,798 [root] DEBUG: 3836: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:54,813 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09620000.
2026-04-28 01:34:54,860 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x06A71000, size: 0x1000.
2026-04-28 01:34:54,891 [root] DEBUG: 4452: caller_dispatch: Added region at 0x00007FF6F2810000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF6F28117A9, thread 1748).
2026-04-28 01:34:54,923 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x08A20000, size: 0x8000.
2026-04-28 01:34:54,923 [root] DEBUG: 7496: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:34:54,938 [root] DEBUG: 3404: GetEntropy: Error - Supplied address inaccessible: 0x08A20000
2026-04-28 01:34:54,954 [root] DEBUG: 3596: .NET JIT native cache at 0x08A10000: scans and dumps active.
2026-04-28 01:34:55,095 [root] DEBUG: 7548: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:34:55,110 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:34:55,110 [root] DEBUG: 5144: .NET JIT native cache at 0x05C50000: scans and dumps active.
2026-04-28 01:34:55,110 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F80000.
2026-04-28 01:34:55,126 [root] DEBUG: 7728: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:34:55,204 [root] DEBUG: 3836: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:34:55,298 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A70000.
2026-04-28 01:34:55,298 [root] DEBUG: 4452: YaraScan: Scanning 0x00007FF6F2810000, size 0x8026
2026-04-28 01:34:55,345 [root] DEBUG: 5200: .NET JIT native cache at 0x09990000: scans and dumps active.
2026-04-28 01:34:55,407 [root] DEBUG: 7496: DLL loaded at 0x77DD0000: C:\Windows\System32\wintrust (0x4e000 bytes).
2026-04-28 01:34:55,502 [root] DEBUG: 3596: .NET JIT native cache at 0x09750000: scans and dumps active.
2026-04-28 01:34:55,595 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:55,595 [root] DEBUG: 3596: .NET JIT native cache at 0x09750000: scans and dumps active.
2026-04-28 01:34:55,595 [root] DEBUG: 3596: DLL loaded at 0x6F2D0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions (0x4c000 bytes).
2026-04-28 01:34:55,610 [root] DEBUG: 7548: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:34:55,673 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:34:55,688 [root] DEBUG: 7728: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:34:55,704 [lib.api.process] INFO: Injected into 32-bit <Process 6396 cmd.exe>
2026-04-28 01:34:55,704 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044D0000.
2026-04-28 01:34:55,720 [root] DEBUG: 3488: .NET JIT native cache at 0x0A050000: scans and dumps active.
2026-04-28 01:34:55,766 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x04D20000.
2026-04-28 01:34:55,782 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x081C0000, size: 0x1000.
2026-04-28 01:34:55,782 [root] DEBUG: 7496: DLL loaded at 0x6FE10000: C:\Windows\SYSTEM32\MSASN1 (0xe000 bytes).
2026-04-28 01:34:55,813 [root] DEBUG: 4452: ProcessImageBase: Main module image at 0x00007FF6F2810000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:34:55,829 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09750000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x09751598, thread 5168).
2026-04-28 01:34:55,845 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09990000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09991DB8, thread 2888).
2026-04-28 01:34:55,845 [root] DEBUG: 3404: AllocationHandler: Processing previous tracked region at: 0x05FF0000.
2026-04-28 01:34:55,845 [root] DEBUG: 3596: .NET JIT native cache at 0x09E70000: scans and dumps active.
2026-04-28 01:34:55,860 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x00CEB000, size: 0x1000.
2026-04-28 01:34:55,860 [root] DEBUG: 3596: .NET JIT native cache at 0x09E70000: scans and dumps active.
2026-04-28 01:34:55,876 [root] DEBUG: 5144: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:34:55,892 [root] DEBUG: 7508: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:34:55,892 [root] DEBUG: 6384: DumpPEsInRange: Scanning range 0x04D20000 - 0x04D21615.
2026-04-28 01:34:55,908 [root] DEBUG: 7728: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:34:55,954 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A050000 to tracked regions list (advapi32::RegOpenKeyExW returns to 0x0A05038F, thread 5156).
2026-04-28 01:34:56,017 [root] DEBUG: 7728: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:34:56,017 [root] DEBUG: 7496: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:34:56,048 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09750000 skipped
2026-04-28 01:34:56,095 [root] DEBUG: 3836: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:56,141 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x045C0000.
2026-04-28 01:34:56,282 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09990000 skipped
2026-04-28 01:34:56,548 [root] DEBUG: 3404: DumpPEsInRange: Scanning range 0x05FF0000 - 0x05FF020C.
2026-04-28 01:34:56,579 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09E70000 to tracked regions list (kernel32::SwitchToThread returns to 0x09E89280, thread 1012).
2026-04-28 01:34:56,579 [root] DEBUG: 7548: GetEntropy: Error - Supplied address inaccessible: 0x00CE0000
2026-04-28 01:34:56,579 [root] DEBUG: 6384: ScanForDisguisedPE: No PE image located in range 0x04D20000-0x04D21615.
2026-04-28 01:34:56,579 [root] DEBUG: 4452: set_hooks_by_export_directory: Hooked 0 out of 628 functions
2026-04-28 01:34:56,579 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A050000 skipped
2026-04-28 01:34:56,688 [root] DEBUG: 7728: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:34:56,704 [root] DEBUG: 6396: Python path set to 'C:\Python310'.
2026-04-28 01:34:56,720 [root] DEBUG: 5144: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:34:56,720 [root] DEBUG: 3596: DLL loaded at 0x6F1E0000: C:\Windows\SYSTEM32\secur32 (0xa000 bytes).
2026-04-28 01:34:56,735 [root] DEBUG: 7496: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:34:56,751 [root] DEBUG: 3836: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:34:56,767 [root] INFO: Added new file to list with pid 7508 and path C:\Users\cape\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2026-04-28_1db227e867a99.exe.log
2026-04-28 01:34:56,798 [root] DEBUG: 3596: .NET JIT native cache at 0x09A10000: scans and dumps active.
2026-04-28 01:34:56,798 [root] DEBUG: 5200: .NET JIT native cache at 0x09920000: scans and dumps active.
2026-04-28 01:34:56,798 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09E70000 skipped
2026-04-28 01:34:56,845 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:56,845 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\6384_594748856342227142026 to CAPE\a830fee097d9f81169ee30c0ae9f7418f85754564bd67b5ddcd48e6a201567a9; Size is 5653; Max size: 100000000
2026-04-28 01:34:56,845 [root] DEBUG: 3404: ScanForDisguisedPE: Size too small: 0x20c bytes
2026-04-28 01:34:56,860 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F80000.
2026-04-28 01:34:56,938 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_x2qdsu4c.iic.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:34:56,954 [root] DEBUG: 6396: Dropped file limit defaulting to 100.
2026-04-28 01:34:56,970 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x05C50000 skipped
2026-04-28 01:34:56,970 [root] DEBUG: 3596: .NET JIT native cache at 0x09A10000: scans and dumps active.
2026-04-28 01:34:56,970 [root] DEBUG: 7496: DLL loaded at 0x6F850000: C:\Windows\SYSTEM32\gpapi (0x1e000 bytes).
2026-04-28 01:34:57,001 [root] DEBUG: 4452: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:34:57,032 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x08361000, size: 0x1000.
2026-04-28 01:34:57,079 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09A10000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09A100B9, thread 5168).
2026-04-28 01:34:57,079 [root] DEBUG: 7508: NtTerminateProcess hook: Attempting to dump process 7508
2026-04-28 01:34:57,095 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09920000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x09922DAB, thread 2888).
2026-04-28 01:34:57,095 [root] DEBUG: 6384: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\6384_594748856342227142026 (size 5653 bytes)
2026-04-28 01:34:57,095 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:34:57,110 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3404_1663326056342227142026 to CAPE\cefa7423de69313ab5f68633460a9a5d9c2b31e09277d4f81427bd86fd00a3ab; Size is 524; Max size: 100000000
2026-04-28 01:34:57,157 [root] DEBUG: 3488: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:34:57,173 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_y1n3c0hs.uzj.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:34:57,282 [root] DEBUG: 5144: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:34:57,313 [root] INFO: Added new file to list with pid 7496 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_34fs34hk.hxy.ps1
2026-04-28 01:34:57,329 [root] DEBUG: 7496: .NET JIT native cache at 0x09B60000: scans and dumps active.
2026-04-28 01:34:57,345 [root] DEBUG: 4452: DLL loaded at 0x00007FFEFC380000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-04-28 01:34:57,345 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-28 01:34:57,360 [root] DEBUG: 7496: .NET JIT native cache at 0x09B60000: scans and dumps active.
2026-04-28 01:34:57,360 [root] DEBUG: 7508: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:34:57,376 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09920000 skipped
2026-04-28 01:34:57,438 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09A10000 skipped
2026-04-28 01:34:57,563 [root] DEBUG: 7548: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:34:57,641 [root] DEBUG: 3404: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3404_1663326056342227142026 (size 524 bytes)
2026-04-28 01:34:57,688 [root] DEBUG: 6384: DumpRegion: Dumped entire allocation from 0x04D20000, size 8192 bytes.
2026-04-28 01:34:57,704 [root] DEBUG: 6396: Disabling sleep skipping.
2026-04-28 01:34:57,829 [root] DEBUG: 7728: .NET JIT native cache at 0x090A0000: scans and dumps active.
2026-04-28 01:34:57,860 [root] DEBUG: 3488: .NET JIT native cache at 0x09E80000: scans and dumps active.
2026-04-28 01:34:57,923 [root] INFO: Added new file to list with pid 7496 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_dnlnomdl.a4v.psm1
2026-04-28 01:34:57,954 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x05CC0000.
2026-04-28 01:34:57,954 [root] DEBUG: 7496: caller_dispatch: Added region at 0x09B60000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09B64355, thread 1484).
2026-04-28 01:34:57,970 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x04C50000 (jit-dumps=0)
2026-04-28 01:34:57,970 [root] DEBUG: 3596: YaraScan: Scanning 0x09A12498, size 0x70
2026-04-28 01:34:57,985 [root] DEBUG: 4452: DLL loaded at 0x00007FFEFCC00000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-04-28 01:34:58,001 [root] DEBUG: 7548: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:34:58,032 [root] DEBUG: 3596: .NET JIT native cache at 0x09AC0000: scans and dumps active.
2026-04-28 01:34:58,048 [root] DEBUG: 3596: .NET JIT native cache at 0x09AC0000: scans and dumps active.
2026-04-28 01:34:58,048 [root] DEBUG: 7728: caller_dispatch: Added region at 0x090A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x090A00B2, thread 5220).
2026-04-28 01:34:58,157 [root] DEBUG: 6384: ProcessTrackedRegion: Dumped region at 0x04D20000.
2026-04-28 01:34:58,220 [root] DEBUG: 3488: caller_dispatch: Added region at 0x09E80000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09E81D04, thread 6580).
2026-04-28 01:34:58,251 [root] DEBUG: 6396: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:34:58,251 [root] DEBUG: 3404: DumpRegion: Dumped entire allocation from 0x05FF0000, size 4096 bytes.
2026-04-28 01:34:58,267 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:34:58,282 [root] DEBUG: 5144: DEBUG:Initialized 9 com hooks
2026-04-28 01:34:58,313 [root] DEBUG: 3836: DumpPEsInRange: Scanning range 0x05CC0000 - 0x05CC1615.
2026-04-28 01:34:58,407 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x07370000.
2026-04-28 01:34:58,485 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x09B60000 skipped
2026-04-28 01:34:58,579 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09AC0000 to tracked regions list (advapi32::CryptImportKey returns to 0x09AC032C, thread 1012).
2026-04-28 01:34:58,595 [root] DEBUG: 7548: .NET JIT native cache at 0x04240000: scans and dumps active.
2026-04-28 01:34:58,610 [root] DEBUG: 3596: .NET JIT native cache at 0x09AC0000: scans and dumps active.
2026-04-28 01:34:58,610 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x090A0000 skipped
2026-04-28 01:34:58,642 [root] DEBUG: 6384: YaraScan: Scanning 0x04D20000, size 0x1615
2026-04-28 01:34:58,673 [root] DEBUG: 3596: .NET JIT native cache at 0x09700000: scans and dumps active.
2026-04-28 01:34:58,735 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x05A50000.
2026-04-28 01:34:58,782 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x09E80000 skipped
2026-04-28 01:34:58,845 [root] DEBUG: 6396: YaraScan: Scanning 0x00450000, size 0x595ee
2026-04-28 01:34:58,970 [root] DEBUG: 3404: ProcessTrackedRegion: Dumped region at 0x05FF0000.
2026-04-28 01:34:59,001 [root] DEBUG: 4452: DLL loaded at 0x00007FFEF9980000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-04-28 01:34:59,017 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09620000.
2026-04-28 01:34:59,032 [root] DEBUG: 3836: ScanForDisguisedPE: No PE image located in range 0x05CC0000-0x05CC1615.
2026-04-28 01:34:59,048 [root] DEBUG: 7508: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 7508)
2026-04-28 01:34:59,048 [root] DEBUG: 5144: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:34:59,063 [root] DEBUG: 6396: YaraScan hit: FindFixAndRun
2026-04-28 01:34:59,079 [root] DEBUG: 7496: DLL loaded at 0x6F4F0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x357000 bytes).
2026-04-28 01:34:59,095 [root] DEBUG: 3596: .NET JIT native cache at 0x09700000: scans and dumps active.
2026-04-28 01:34:59,126 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09AC0000 skipped
2026-04-28 01:34:59,142 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:34:59,188 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x0A030000, size: 0x1000.
2026-04-28 01:34:59,188 [root] DEBUG: 3404: YaraScan: Scanning 0x05FF0000, size 0x20c
2026-04-28 01:34:59,204 [root] DEBUG: 5200: .NET JIT native cache at 0x09980000: scans and dumps active.
2026-04-28 01:34:59,235 [root] DEBUG: 6384: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:34:59,251 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3836_87000059342227142026 to CAPE\453d9c52b48b3a803538d0d387132630bc19cdb49a534bc2cdb3d5312987c9a9; Size is 5653; Max size: 100000000
2026-04-28 01:34:59,251 [root] DEBUG: 4452: DEBUG:Initialized 9 com hooks
2026-04-28 01:34:59,251 [root] DEBUG: 7728: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:34:59,251 [root] DEBUG: 7508: DumpPE: Instantiating PeParser with address: 0x07370000.
2026-04-28 01:34:59,298 [root] DEBUG: 6396: Monitor initialised: 32-bit capemon loaded in process 6396 at 0x73f00000, thread 6048, image base 0x450000, stack from 0x3203000-0x3300000
2026-04-28 01:34:59,298 [root] DEBUG: 5144: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-28 01:34:59,313 [root] DEBUG: 7496: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:34:59,313 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x09701000, size: 0x1000.
2026-04-28 01:34:59,360 [root] DEBUG: 7548: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:34:59,376 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:34:59,376 [root] DEBUG: 3404: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x08A20000.
2026-04-28 01:34:59,470 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09980000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0998388C, thread 2888).
2026-04-28 01:34:59,517 [root] DEBUG: 6384: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:34:59,548 [root] DEBUG: 3836: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3836_87000059342227142026 (size 5653 bytes)
2026-04-28 01:34:59,548 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7508_783710259342227142026 to CAPE\a6961717611d5e276dc288c7a79e4b53db54326e46ca7b6c516247aaf1539071; Size is 85504; Max size: 100000000
2026-04-28 01:34:59,548 [root] DEBUG: 7728: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:34:59,548 [root] DEBUG: 6396: Commandline: "C:\Windows\System32\cmd.exe" /C "C:\Users\cape\AppData\Local\Temp\IMjSYhT8km.bat"
2026-04-28 01:34:59,563 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x045C0000.
2026-04-28 01:34:59,626 [root] DEBUG: 5144: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:34:59,720 [root] DEBUG: 4452: DLL loaded at 0x00007FFEFE330000: C:\Windows\System32\shcore (0xad000 bytes).
2026-04-28 01:34:59,720 [root] DEBUG: 7548: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:34:59,751 [root] DEBUG: 7496: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:34:59,751 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09980000 skipped
2026-04-28 01:34:59,751 [root] DEBUG: 3404: AllocationHandler: Previously reserved region at 0x08A20000, committing at: 0x08A20000.
2026-04-28 01:34:59,782 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x061BB000, size: 0x1000.
2026-04-28 01:34:59,782 [root] DEBUG: 3488: .NET JIT native cache at 0x0A0E0000: scans and dumps active.
2026-04-28 01:34:59,798 [root] DEBUG: 3836: DumpRegion: Dumped entire allocation from 0x05CC0000, size 8192 bytes.
2026-04-28 01:34:59,813 [root] DEBUG: 6384: GetEntropy: Error - Supplied address inaccessible: 0x061B0000
2026-04-28 01:34:59,813 [root] DEBUG: 7508: DumpPE: PE file at 0x07370000 dumped successfully - dump size 0x14e00.
2026-04-28 01:34:59,829 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x06120000.
2026-04-28 01:34:59,829 [root] DEBUG: 6396: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:34:59,860 [root] DEBUG: 5144: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:34:59,892 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x04240000 skipped
2026-04-28 01:34:59,907 [root] DEBUG: 3596: .NET JIT native cache at 0x09730000: scans and dumps active.
2026-04-28 01:34:59,923 [root] DEBUG: 7496: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:34:59,938 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00D10000.
2026-04-28 01:34:59,954 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FF0000.
2026-04-28 01:35:00,173 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A0E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A0E11E0, thread 6580).
2026-04-28 01:35:00,282 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:00,345 [root] DEBUG: 3836: ProcessTrackedRegion: Dumped region at 0x05CC0000.
2026-04-28 01:35:00,360 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x07400000.
2026-04-28 01:35:00,376 [root] DEBUG: 4452: DLL loaded at 0x00007FFEE2610000: C:\Windows\System32\thumbcache (0x66000 bytes).
2026-04-28 01:35:00,392 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x06120000.
2026-04-28 01:35:00,407 [root] DEBUG: 5144: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:35:00,455 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:35:00,470 [root] DEBUG: 7548: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:35:00,470 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09730000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09731450, thread 1012).
2026-04-28 01:35:00,485 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A0E0000 skipped
2026-04-28 01:35:00,501 [root] DEBUG: 5200: .NET JIT native cache at 0x09930000: scans and dumps active.
2026-04-28 01:35:00,563 [root] DEBUG: 7496: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:35:00,626 [root] DEBUG: 3836: YaraScan: Scanning 0x05CC0000, size 0x1615
2026-04-28 01:35:00,673 [root] DEBUG: 3404: .NET JIT native cache at 0x09620000: scans and dumps active.
2026-04-28 01:35:00,720 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x061B0000.
2026-04-28 01:35:00,720 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x08520000, size: 0x8000.
2026-04-28 01:35:00,735 [root] DEBUG: 7508: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-04-28 01:35:00,735 [root] DEBUG: 6396: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:35:00,735 [root] DEBUG: 5144: DLL loaded at 0x77DD0000: C:\Windows\System32\wintrust (0x4e000 bytes).
2026-04-28 01:35:00,735 [root] DEBUG: 4452: DLL loaded at 0x00007FFEF6F00000: C:\Windows\system32\propsys (0xf6000 bytes).
2026-04-28 01:35:00,766 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09730000 skipped
2026-04-28 01:35:00,766 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A030000.
2026-04-28 01:35:00,907 [root] DEBUG: 3836: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:35:00,970 [root] DEBUG: 7496: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:35:01,001 [root] DEBUG: 3404: caller_dispatch: Added region at 0x09620000 to tracked regions list (advapi32::CryptImportKey returns to 0x096220D4, thread 2252).
2026-04-28 01:35:01,017 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09930000 to tracked regions list (advapi32::CryptImportKey returns to 0x0993CDDC, thread 2888).
2026-04-28 01:35:01,017 [root] DEBUG: 6384: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:35:01,017 [root] DEBUG: 7728: GetEntropy: Error - Supplied address inaccessible: 0x08520000
2026-04-28 01:35:01,032 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:35:01,032 [root] DEBUG: 7508: DumpProcess: Instantiating PeParser with address: 0x07400000.
2026-04-28 01:35:01,032 [root] DEBUG: 5144: DLL loaded at 0x6FE10000: C:\Windows\SYSTEM32\MSASN1 (0xe000 bytes).
2026-04-28 01:35:01,063 [root] DEBUG: 7548: DEBUG:Initialized 9 com hooks
2026-04-28 01:35:01,079 [root] DEBUG: 3488: .NET JIT native cache at 0x0A150000: scans and dumps active.
2026-04-28 01:35:01,126 [root] DEBUG: 3836: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:35:01,251 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x045C0000.
2026-04-28 01:35:01,329 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_34fs34hk.hxy.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:01,391 [root] DEBUG: 7508: DumpProcess: Module entry point VA is 0x074026BE.
2026-04-28 01:35:01,391 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x09620000 skipped
2026-04-28 01:35:01,423 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09930000 skipped
2026-04-28 01:35:01,501 [root] DEBUG: 6384: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:35:01,579 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:01,579 [root] DEBUG: 5144: DLL loaded at 0x6F850000: C:\Windows\SYSTEM32\gpapi (0x1e000 bytes).
2026-04-28 01:35:01,626 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A150000 to tracked regions list (advapi32::CryptAcquireContextW returns to 0x0A152604, thread 6580).
2026-04-28 01:35:01,642 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x0604B000, size: 0x1000.
2026-04-28 01:35:01,642 [root] DEBUG: 6396: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:35:01,657 [root] DEBUG: 7508: PeParser: End of section 1 RVA 0x4000 is beyond allocated size 0x1000
2026-04-28 01:35:01,673 [root] DEBUG: 7548: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:35:01,673 [root] DEBUG: 3596: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:35:01,688 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_dnlnomdl.a4v.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:01,782 [root] DEBUG: 5200: .NET JIT native cache at 0x09970000: scans and dumps active.
2026-04-28 01:35:01,876 [root] DEBUG: 3404: .NET JIT native cache at 0x09EB0000: scans and dumps active.
2026-04-28 01:35:01,892 [root] DEBUG: 6384: .NET JIT native cache at 0x06520000: scans and dumps active.
2026-04-28 01:35:01,892 [root] DEBUG: 7728: AllocationHandler: Processing previous tracked region at: 0x05A50000.
2026-04-28 01:35:01,907 [root] DEBUG: 5144: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:35:01,923 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A150000 skipped
2026-04-28 01:35:02,048 [root] DEBUG: 3836: GetEntropy: Error - Supplied address inaccessible: 0x06040000
2026-04-28 01:35:02,095 [root] DEBUG: 7508: PeParser: End of section 2 RVA 0x6000 is beyond allocated size 0x1000
2026-04-28 01:35:02,095 [root] DEBUG: 7548: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:35:02,142 [root] DEBUG: 3596: .NET JIT native cache at 0x09910000: scans and dumps active.
2026-04-28 01:35:02,157 [root] DEBUG: 6396: Hooked 630 out of 632 functions
2026-04-28 01:35:02,173 [root] DEBUG: 7496: .NET JIT native cache at 0x09B40000: scans and dumps active.
2026-04-28 01:35:02,173 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09970000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09974EB8, thread 2888).
2026-04-28 01:35:02,173 [root] DEBUG: 3404: caller_dispatch: Added region at 0x09EB0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09EB27DC, thread 2252).
2026-04-28 01:35:02,173 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x061B0000.
2026-04-28 01:35:02,188 [root] DEBUG: 7728: DumpPEsInRange: Scanning range 0x05A50000 - 0x05A5020C.
2026-04-28 01:35:02,188 [root] INFO: Added new file to list with pid 5144 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_nkbilvuh.55p.ps1
2026-04-28 01:35:02,220 [root] DEBUG: 3488: .NET JIT native cache at 0x0A0C0000: scans and dumps active.
2026-04-28 01:35:02,235 [root] DEBUG: 3836: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:02,251 [root] DEBUG: 5144: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:35:02,267 [root] DEBUG: 7508: PeParser: End of section 3 RVA 0x8000 is beyond allocated size 0x1000
2026-04-28 01:35:02,282 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09910000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09910E3A, thread 4676).
2026-04-28 01:35:02,298 [root] DEBUG: 7548: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:35:02,360 [root] DEBUG: 6396: set_hooks_exe: Hooked FindFixAndRun at 0x0045AD60
2026-04-28 01:35:02,376 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09970000 skipped
2026-04-28 01:35:02,392 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x09EB0000 skipped
2026-04-28 01:35:02,407 [root] DEBUG: 7496: caller_dispatch: Added region at 0x09B40000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09B40324, thread 6148).
2026-04-28 01:35:02,407 [root] DEBUG: 6384: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:35:02,407 [root] DEBUG: 7728: ScanForDisguisedPE: Size too small: 0x20c bytes
2026-04-28 01:35:02,423 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A0C0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A0C1AAF, thread 6580).
2026-04-28 01:35:02,438 [root] INFO: Added new file to list with pid 5144 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_dabnzqnf.lni.psm1
2026-04-28 01:35:02,438 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x06040000.
2026-04-28 01:35:02,438 [root] DEBUG: 5144: .NET JIT native cache at 0x083D0000: scans and dumps active.
2026-04-28 01:35:02,470 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09910000 skipped
2026-04-28 01:35:02,502 [root] DEBUG: 7508: CAPEExceptionFilter: Exception 0xc0000005 accessing 0x7406004 caught at RVA 0x14cb9 in capemon (expected in memory scans), passing to next handler.
2026-04-28 01:35:02,502 [root] DEBUG: 7548: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-28 01:35:02,502 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09620000.
2026-04-28 01:35:02,564 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FF0000.
2026-04-28 01:35:02,595 [root] DEBUG: 6384: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:35:02,595 [root] DEBUG: 6396: Syscall hook installed, syscall logging level 1
2026-04-28 01:35:02,642 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x09B40000 skipped
2026-04-28 01:35:02,673 [root] DEBUG: 3836: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:35:02,688 [root] DEBUG: 5144: .NET JIT native cache at 0x083D0000: scans and dumps active.
2026-04-28 01:35:02,704 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7728_67565792352227142026 to CAPE\0fb9e1dce37ec0cf163015dddc02cd6f706b1e3a89bf4604564c247392afeb0d; Size is 524; Max size: 100000000
2026-04-28 01:35:02,704 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A0C0000 skipped
2026-04-28 01:35:02,704 [root] DEBUG: 5144: caller_dispatch: Added region at 0x083D0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x083D561D, thread 4448).
2026-04-28 01:35:02,704 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x09AD0000, size: 0x1000.
2026-04-28 01:35:02,798 [root] DEBUG: 7508: reBasePEImage: Exception rebasing image from 0x07400000 to 0x10000000.
2026-04-28 01:35:02,829 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x083D0000 skipped
2026-04-28 01:35:02,985 [root] DEBUG: 7508: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x10000000.
2026-04-28 01:35:03,032 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:03,126 [root] DEBUG: 7548: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:35:03,173 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x06520000 skipped
2026-04-28 01:35:03,188 [root] DEBUG: 6396: RestoreHeaders: Restored original import table.
2026-04-28 01:35:03,188 [root] DEBUG: 3404: .NET JIT native cache at 0x09CC0000: scans and dumps active.
2026-04-28 01:35:03,329 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x06600000.
2026-04-28 01:35:03,392 [root] DEBUG: 5200: .NET JIT native cache at 0x09A30000: scans and dumps active.
2026-04-28 01:35:03,517 [root] DEBUG: 5144: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:35:03,517 [root] DEBUG: 3836: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:35:03,532 [root] DEBUG: 5144: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:35:03,548 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A030000.
2026-04-28 01:35:03,548 [root] DEBUG: 7508: DumpProcess: Failed to dump image at 0x07400000.
2026-04-28 01:35:03,548 [root] DEBUG: 7728: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7728_67565792352227142026 (size 524 bytes)
2026-04-28 01:35:03,548 [root] DEBUG: 7548: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:35:03,548 [root] INFO: Added new file to list with pid 7548 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_fwegxp4c.3lk.ps1
2026-04-28 01:35:03,579 [root] DEBUG: 3596: .NET JIT native cache at 0x09AF0000: scans and dumps active.
2026-04-28 01:35:03,595 [root] DEBUG: 6384: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:35:03,610 [root] DEBUG: 3404: DLL loaded at 0x6F2D0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions (0x4c000 bytes).
2026-04-28 01:35:03,626 [root] INFO: Loaded monitor into process with pid 6396
2026-04-28 01:35:03,626 [root] DEBUG: 3404: .NET JIT native cache at 0x09F10000: scans and dumps active.
2026-04-28 01:35:03,642 [root] DEBUG: 3404: .NET JIT native cache at 0x09F10000: scans and dumps active.
2026-04-28 01:35:03,642 [root] DEBUG: 3404: .NET JIT native cache at 0x09F10000: scans and dumps active.
2026-04-28 01:35:03,657 [root] DEBUG: 3404: .NET JIT native cache at 0x09F10000: scans and dumps active.
2026-04-28 01:35:03,657 [root] DEBUG: 7496: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:35:03,673 [root] DEBUG: 5200: caller_dispatch: Added region at 0x09A30000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09A32072, thread 2888).
2026-04-28 01:35:03,673 [root] DEBUG: 5144: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:35:03,688 [root] DEBUG: 3836: .NET JIT native cache at 0x081C0000: scans and dumps active.
2026-04-28 01:35:03,704 [root] DEBUG: 7508: DumpImageInCurrentProcess: Failed to dump virtual PE image from 0x07400000, dumping memory region.
2026-04-28 01:35:03,704 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F50000.
2026-04-28 01:35:03,720 [root] DEBUG: 7728: DumpRegion: Dumped entire allocation from 0x05A50000, size 4096 bytes.
2026-04-28 01:35:03,720 [root] INFO: Added new file to list with pid 7548 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_xycr1kwh.bia.psm1
2026-04-28 01:35:03,735 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09AF0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09AF0CAB, thread 4676).
2026-04-28 01:35:03,735 [root] DEBUG: 7548: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:35:03,767 [root] DEBUG: 3404: .NET JIT native cache at 0x09F10000: scans and dumps active.
2026-04-28 01:35:03,782 [root] DEBUG: 6396: caller_dispatch: Added region at 0x00450000 to tracked regions list (ntdll::NtOpenThread returns to 0x004609DE, thread 6048).
2026-04-28 01:35:03,798 [root] DEBUG: 3404: caller_dispatch: Added region at 0x09F10000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09F105D6, thread 2252).
2026-04-28 01:35:03,813 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x09A30000 skipped
2026-04-28 01:35:03,813 [root] DEBUG: 7496: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:35:03,813 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x06040000.
2026-04-28 01:35:03,907 [root] DEBUG: 5144: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:35:03,923 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x078B0000 (jit-dumps=0)
2026-04-28 01:35:03,923 [root] DEBUG: 3488: .NET JIT native cache at 0x0A260000: scans and dumps active.
2026-04-28 01:35:04,001 [root] DEBUG: 7728: ProcessTrackedRegion: Dumped region at 0x05A50000.
2026-04-28 01:35:04,063 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09AF0000 skipped
2026-04-28 01:35:04,142 [root] DEBUG: 7548: DLL loaded at 0x77DD0000: C:\Windows\System32\wintrust (0x4e000 bytes).
2026-04-28 01:35:04,267 [root] DEBUG: 7548: .NET JIT native cache at 0x08470000: scans and dumps active.
2026-04-28 01:35:04,298 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x09F10000 skipped
2026-04-28 01:35:04,298 [root] DEBUG: 6396: YaraScan: Scanning 0x00450000, size 0x595ee
2026-04-28 01:35:04,329 [root] DEBUG: 6384: DEBUG:Initialized 9 com hooks
2026-04-28 01:35:04,329 [root] DEBUG: 3836: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:35:04,360 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:35:04,376 [root] DEBUG: 5144: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:35:04,454 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A260000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A262051, thread 6580).
2026-04-28 01:35:04,579 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x078D0000.
2026-04-28 01:35:04,641 [root] DEBUG: 7548: DLL loaded at 0x6FE10000: C:\Windows\SYSTEM32\MSASN1 (0xe000 bytes).
2026-04-28 01:35:04,673 [root] DEBUG: 7728: YaraScan: Scanning 0x05A50000, size 0x20c
2026-04-28 01:35:04,688 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:35:04,704 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09620000.
2026-04-28 01:35:04,782 [root] DEBUG: 7548: caller_dispatch: Added region at 0x08470000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08473ABA, thread 2384).
2026-04-28 01:35:04,782 [root] DEBUG: 3836: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:35:04,798 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FF0000.
2026-04-28 01:35:04,829 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:35:04,970 [root] DEBUG: 6396: ProcessImageBase: Main module image at 0x00450000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:35:05,016 [root] DEBUG: 5144: DLL loaded at 0x6F4F0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x357000 bytes).
2026-04-28 01:35:05,110 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_nkbilvuh.55p.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:05,126 [root] DEBUG: 6384: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:35:05,157 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A260000 skipped
2026-04-28 01:35:05,282 [root] DEBUG: 7548: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:35:05,329 [root] DEBUG: 7728: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x08520000.
2026-04-28 01:35:05,329 [root] DEBUG: 3596: .NET JIT native cache at 0x09BA0000: scans and dumps active.
2026-04-28 01:35:05,376 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x08470000 skipped
2026-04-28 01:35:05,391 [root] DEBUG: 7508: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 7508)
2026-04-28 01:35:05,407 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x081C0000 skipped
2026-04-28 01:35:05,423 [root] DEBUG: 3404: .NET JIT native cache at 0x0A4B0000: scans and dumps active.
2026-04-28 01:35:05,438 [root] DEBUG: 3404: .NET JIT native cache at 0x0A4B0000: scans and dumps active.
2026-04-28 01:35:05,501 [root] DEBUG: 3404: DLL loaded at 0x6F1E0000: C:\Windows\SYSTEM32\secur32 (0xa000 bytes).
2026-04-28 01:35:05,501 [root] DEBUG: 3404: .NET JIT native cache at 0x0A4B0000: scans and dumps active.
2026-04-28 01:35:05,532 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x08EF0000, size: 0x8000.
2026-04-28 01:35:05,532 [root] DEBUG: 6396: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 6048).
2026-04-28 01:35:05,548 [root] DEBUG: 6384: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:35:05,563 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_dabnzqnf.lni.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:05,563 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F80000.
2026-04-28 01:35:05,751 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09BA0000 to tracked regions list (advapi32::CryptAcquireContextW returns to 0x09BA2604, thread 4676).
2026-04-28 01:35:05,798 [root] DEBUG: 7548: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:35:05,798 [root] DEBUG: 7728: AllocationHandler: Previously reserved region at 0x08520000, committing at: 0x08520000.
2026-04-28 01:35:05,813 [root] DEBUG: 7508: DumpPE: Instantiating PeParser with address: 0x078D0000.
2026-04-28 01:35:05,829 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0A4B0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A4C9EAB, thread 2252).
2026-04-28 01:35:05,845 [root] DEBUG: 3836: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:35:05,860 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x7F2D0000, size: 0x50000.
2026-04-28 01:35:05,876 [root] DEBUG: 7496: GetEntropy: Error - Supplied address inaccessible: 0x08EF0000
2026-04-28 01:35:05,876 [root] DEBUG: 6396: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:35:05,876 [root] DEBUG: 5144: .NET JIT native cache at 0x09080000: scans and dumps active.
2026-04-28 01:35:05,876 [root] DEBUG: 6384: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-28 01:35:05,892 [root] DEBUG: 3488: .NET JIT native cache at 0x0A1E0000: scans and dumps active.
2026-04-28 01:35:05,923 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09BA0000 skipped
2026-04-28 01:35:05,970 [root] DEBUG: 7548: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:35:06,126 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x05A50000.
2026-04-28 01:35:06,173 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7508_143945755352227142026 to CAPE\5e705a2851bd4ef110d54f748fae76c55ec731f6cc30993440976ca2d089565f; Size is 2819584; Max size: 100000000
2026-04-28 01:35:06,204 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0A4B0000 skipped
2026-04-28 01:35:06,204 [root] DEBUG: 5200: GetEntropy: Error - Supplied address inaccessible: 0x7F2D0000
2026-04-28 01:35:06,298 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09080000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x090800B2, thread 7260).
2026-04-28 01:35:06,329 [root] DEBUG: 6384: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:35:06,329 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:06,360 [root] DEBUG: 6396: DLL loaded at 0x6E610000: C:\Windows\SYSTEM32\cmdext (0xa000 bytes).
2026-04-28 01:35:06,360 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A1E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A1E2F65, thread 6580).
2026-04-28 01:35:06,391 [root] DEBUG: 7548: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:35:06,423 [root] INFO: Process with pid 4452 has terminated
2026-04-28 01:35:06,439 [root] DEBUG: 3836: DEBUG:Initialized 9 com hooks
2026-04-28 01:35:06,454 [root] DEBUG: 3596: .NET JIT native cache at 0x09C00000: scans and dumps active.
2026-04-28 01:35:06,517 [root] DEBUG: 7728: AllocationHandler: Previously reserved region at 0x090A0000, committing at: 0x090AC000.
2026-04-28 01:35:06,595 [root] DEBUG: 7508: DumpPE: PE file at 0x078D0000 dumped successfully - dump size 0x2b0600.
2026-04-28 01:35:06,688 [root] DEBUG: 3404: .NET JIT native cache at 0x09E70000: scans and dumps active.
2026-04-28 01:35:06,782 [root] DEBUG: 3404: .NET JIT native cache at 0x09E70000: scans and dumps active.
2026-04-28 01:35:06,782 [root] DEBUG: 3404: .NET JIT native cache at 0x09E70000: scans and dumps active.
2026-04-28 01:35:06,845 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:06,907 [root] DEBUG: 3404: .NET JIT native cache at 0x09E70000: scans and dumps active.
2026-04-28 01:35:06,938 [root] DEBUG: 6384: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:35:07,017 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09080000 skipped
2026-04-28 01:35:07,110 [root] DEBUG: 7496: AllocationHandler: Processing previous tracked region at: 0x06600000.
2026-04-28 01:35:07,126 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A1E0000 skipped
2026-04-28 01:35:07,206 [root] DEBUG: 7548: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:35:07,266 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09C00000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x09C031AB, thread 4676).
2026-04-28 01:35:07,298 [root] DEBUG: 6396: CreateProcessHandler: Injection info set for new process 7104: C:\Windows\system32\w32tm.exe, ImageBase: 0x00690000
2026-04-28 01:35:07,298 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x07B90000.
2026-04-28 01:35:07,298 [root] DEBUG: 7728: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:35:07,313 [root] DEBUG: 4452: NtTerminateProcess hook: Attempting to dump process 4452
2026-04-28 01:35:07,407 [root] DEBUG: 3836: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:35:07,532 [root] DEBUG: 5200: AllocationHandler: Processing previous tracked region at: 0x09620000.
2026-04-28 01:35:07,657 [root] DEBUG: 3404: caller_dispatch: Added region at 0x09E70000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09E70271, thread 2252).
2026-04-28 01:35:07,798 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044D0000.
2026-04-28 01:35:07,876 [root] DEBUG: 7496: DumpPEsInRange: Scanning range 0x06600000 - 0x0660020C.
2026-04-28 01:35:08,016 [root] DEBUG: 6384: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:35:08,032 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_fwegxp4c.3lk.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:08,095 [root] DEBUG: 3488: .NET JIT native cache at 0x0A200000: scans and dumps active.
2026-04-28 01:35:08,095 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09C00000 skipped
2026-04-28 01:35:08,220 [root] INFO: Announced 32-bit process name: w32tm.exe pid: 7104
2026-04-28 01:35:08,220 [lib.api.process] INFO: Monitor config for <Process 7104 w32tm.exe>: C:\ltb6yatm\dll\7104.ini
2026-04-28 01:35:08,282 [root] DEBUG: 7548: DLL loaded at 0x6F4F0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x357000 bytes).
2026-04-28 01:35:08,376 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:35:08,391 [root] DEBUG: 5200: DumpPEsInRange: Scanning range 0x09620000 - 0x096240BD.
2026-04-28 01:35:08,595 [root] DEBUG: 7728: .NET JIT native cache at 0x09190000: scans and dumps active.
2026-04-28 01:35:08,720 [root] DEBUG: 7508: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 7508)
2026-04-28 01:35:08,767 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_xycr1kwh.bia.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:08,767 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x09E70000 skipped
2026-04-28 01:35:08,782 [root] DEBUG: 4452: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:35:08,891 [root] DEBUG: 3836: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:35:09,079 [root] DEBUG: 7496: ScanForDisguisedPE: Size too small: 0x20c bytes
2026-04-28 01:35:09,141 [root] DEBUG: 5144: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:35:09,173 [root] DEBUG: 3836: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-28 01:35:09,204 [root] DEBUG: 6384: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:35:09,204 [root] DEBUG: Loader: Injecting process 7104 (thread 5532) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:35:09,235 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A200000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A204EB8, thread 6580).
2026-04-28 01:35:09,235 [root] DEBUG: 7548: DLL loaded at 0x6F850000: C:\Windows\SYSTEM32\gpapi (0x1e000 bytes).
2026-04-28 01:35:09,298 [root] DEBUG: 5200: ScanForDisguisedPE: No PE image located in range 0x09620000-0x096240BD.
2026-04-28 01:35:09,313 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x00D00000.
2026-04-28 01:35:09,313 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09190000 to tracked regions list (advapi32::CryptImportKey returns to 0x09191B04, thread 5220).
2026-04-28 01:35:09,313 [root] DEBUG: 7508: DumpPE: Instantiating PeParser with address: 0x07B90000.
2026-04-28 01:35:09,313 [root] DEBUG: 3404: .NET JIT native cache at 0x09FA0000: scans and dumps active.
2026-04-28 01:35:09,329 [root] DEBUG: 3404: .NET JIT native cache at 0x09FA0000: scans and dumps active.
2026-04-28 01:35:09,329 [root] DEBUG: 7548: .NET JIT native cache at 0x084C0000: scans and dumps active.
2026-04-28 01:35:09,438 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7496_20147499352227142026 to CAPE\3a08152a030cec631c87fc8509d0239b26ab4afb656c8345589ed4b857d890f0; Size is 524; Max size: 100000000
2026-04-28 01:35:09,501 [root] DEBUG: 5144: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:35:09,516 [root] DEBUG: 3836: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:35:09,516 [root] DEBUG: 6384: .NET JIT native cache at 0x097A0000: scans and dumps active.
2026-04-28 01:35:09,563 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:35:09,563 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:35:09,579 [root] DEBUG: 6384: DLL loaded at 0x77DD0000: C:\Windows\System32\wintrust (0x4e000 bytes).
2026-04-28 01:35:09,579 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A200000 skipped
2026-04-28 01:35:09,579 [root] DEBUG: 7548: .NET JIT native cache at 0x084C0000: scans and dumps active.
2026-04-28 01:35:09,579 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5200_61507209352227142026 to CAPE\a672b4a57767ed7b8616e7d66ae6ba9ae03d630f1cf04498a7be9ade375d380f; Size is 16573; Max size: 100000000
2026-04-28 01:35:09,595 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09190000 skipped
2026-04-28 01:35:09,641 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:35:09,673 [root] DEBUG: 3404: caller_dispatch: Added region at 0x09FA0000 to tracked regions list (advapi32::CryptImportKey returns to 0x09FA0C9C, thread 2252).
2026-04-28 01:35:09,704 [root] DEBUG: 3404: .NET JIT native cache at 0x0A070000: scans and dumps active.
2026-04-28 01:35:09,735 [root] DEBUG: 7496: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7496_20147499352227142026 (size 524 bytes)
2026-04-28 01:35:09,751 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x05CB0000.
2026-04-28 01:35:09,766 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7508_49568949352227142026 to CAPE\ed7891a3c2b53ae3b1601bf6c98be0fae55fb0b5975caf5e1a27ff9f960a31a9; Size is 2825728; Max size: 100000000
2026-04-28 01:35:09,766 [root] DEBUG: 3836: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:35:09,766 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:35:09,845 [root] DEBUG: 3596: .NET JIT native cache at 0x09D40000: scans and dumps active.
2026-04-28 01:35:09,876 [root] DEBUG: 6384: caller_dispatch: Added region at 0x097A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x097A09A2, thread 2632).
2026-04-28 01:35:09,876 [lib.api.process] INFO: Injected into 32-bit <Process 7104 w32tm.exe>
2026-04-28 01:35:09,876 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A030000.
2026-04-28 01:35:09,907 [root] DEBUG: 5200: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5200_61507209352227142026 (size 16573 bytes)
2026-04-28 01:35:09,985 [root] DEBUG: 7548: caller_dispatch: Added region at 0x084C0000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x084C4140, thread 3472).
2026-04-28 01:35:10,079 [root] DEBUG: 6384: DLL loaded at 0x6FE10000: C:\Windows\SYSTEM32\MSASN1 (0xe000 bytes).
2026-04-28 01:35:10,110 [root] DEBUG: 7728: .NET JIT native cache at 0x09A10000: scans and dumps active.
2026-04-28 01:35:10,126 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x05CB0000.
2026-04-28 01:35:10,173 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x09FA0000 skipped
2026-04-28 01:35:10,188 [root] DEBUG: 7496: DumpRegion: Dumped entire allocation from 0x06600000, size 4096 bytes.
2026-04-28 01:35:10,251 [root] DEBUG: 3836: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:35:10,298 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09D40000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09D4388C, thread 4676).
2026-04-28 01:35:10,345 [root] DEBUG: 7508: DumpPE: PE file at 0x07B90000 dumped successfully - dump size 0x2b1e00.
2026-04-28 01:35:10,360 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x097A0000 skipped
2026-04-28 01:35:10,376 [root] DEBUG: 6396: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:35:10,376 [root] DEBUG: 3488: .NET JIT native cache at 0x0A1C0000: scans and dumps active.
2026-04-28 01:35:10,454 [root] DEBUG: 5200: DumpRegion: Dumped entire allocation from 0x09620000, size 20480 bytes.
2026-04-28 01:35:10,501 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x084C0000 skipped
2026-04-28 01:35:10,579 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09A10000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09A127DC, thread 5220).
2026-04-28 01:35:10,626 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x08F50000, size: 0x8000.
2026-04-28 01:35:10,641 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0A070000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A074852, thread 2252).
2026-04-28 01:35:10,641 [root] DEBUG: 7548: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:35:10,657 [root] DEBUG: 7496: ProcessTrackedRegion: Dumped region at 0x06600000.
2026-04-28 01:35:10,673 [root] DEBUG: 3836: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:35:10,688 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09D40000 skipped
2026-04-28 01:35:10,688 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08540000 (jit-dumps=0)
2026-04-28 01:35:10,688 [root] DEBUG: 6384: DLL loaded at 0x6F850000: C:\Windows\SYSTEM32\gpapi (0x1e000 bytes).
2026-04-28 01:35:10,720 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A1C0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A1C1A27, thread 6580).
2026-04-28 01:35:10,766 [root] DEBUG: 6384: AllocationHandler: Previously reserved region at 0x097A0000, committing at: 0x097A4000.
2026-04-28 01:35:10,829 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09A10000 skipped
2026-04-28 01:35:10,876 [root] DEBUG: 5144: GetEntropy: Error - Supplied address inaccessible: 0x08F50000
2026-04-28 01:35:10,938 [root] DEBUG: 5200: ProcessTrackedRegion: Dumped region at 0x09620000.
2026-04-28 01:35:10,954 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0A070000 skipped
2026-04-28 01:35:10,985 [root] DEBUG: 7548: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:35:10,985 [root] DEBUG: 7496: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x08EF0000.
2026-04-28 01:35:10,985 [root] DEBUG: 3836: DLL loaded at 0x77DD0000: C:\Windows\System32\wintrust (0x4e000 bytes).
2026-04-28 01:35:11,001 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x089E0000 (jit-dumps=0)
2026-04-28 01:35:11,001 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x045C0000.
2026-04-28 01:35:11,063 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A1C0000 skipped
2026-04-28 01:35:11,157 [root] INFO: Added new file to list with pid 6384 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_3omthraf.xje.ps1
2026-04-28 01:35:11,235 [root] DEBUG: 7104: Python path set to 'C:\Python310'.
2026-04-28 01:35:11,345 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x05A50000.
2026-04-28 01:35:11,391 [root] DEBUG: 6384: DLL loaded at 0x6F4F0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x357000 bytes).
2026-04-28 01:35:11,532 [root] DEBUG: 5200: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7F2D0000.
2026-04-28 01:35:11,579 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:11,626 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08140000.
2026-04-28 01:35:11,626 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FF0000.
2026-04-28 01:35:11,720 [root] DEBUG: 7496: AllocationHandler: Previously reserved region at 0x08EF0000, committing at: 0x08EF0000.
2026-04-28 01:35:11,766 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08A00000 (jit-dumps=0)
2026-04-28 01:35:11,766 [root] INFO: Added new file to list with pid 6384 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_egfuysds.53k.psm1
2026-04-28 01:35:11,766 [root] DEBUG: 3836: DLL loaded at 0x6FE10000: C:\Windows\SYSTEM32\MSASN1 (0xe000 bytes).
2026-04-28 01:35:11,876 [root] DEBUG: 3596: .NET JIT native cache at 0x087A0000: scans and dumps active.
2026-04-28 01:35:11,938 [root] DEBUG: 7104: Dropped file limit defaulting to 100.
2026-04-28 01:35:11,954 [root] DEBUG: 7728: .NET JIT native cache at 0x091D0000: scans and dumps active.
2026-04-28 01:35:12,001 [root] DEBUG: 5200: AllocationHandler: Previously reserved region at 0x7F2D0000, committing at: 0x7F2D0000.
2026-04-28 01:35:12,204 [root] DEBUG: 5144: AllocationHandler: Processing previous tracked region at: 0x044D0000.
2026-04-28 01:35:12,251 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08140000.
2026-04-28 01:35:12,267 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A030000.
2026-04-28 01:35:12,345 [root] DEBUG: 3404: .NET JIT native cache at 0x09FC0000: scans and dumps active.
2026-04-28 01:35:12,438 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x06600000.
2026-04-28 01:35:12,579 [root] DEBUG: 6384: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:35:12,673 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x08030000, size: 0x8000.
2026-04-28 01:35:12,704 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x08B70000.
2026-04-28 01:35:12,720 [root] DEBUG: 3836: DLL loaded at 0x6F850000: C:\Windows\SYSTEM32\gpapi (0x1e000 bytes).
2026-04-28 01:35:12,829 [root] DEBUG: 3596: caller_dispatch: Added region at 0x087A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x087A2E55, thread 4676).
2026-04-28 01:35:12,829 [root] DEBUG: 7728: DLL loaded at 0x6F2D0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions (0x4c000 bytes).
2026-04-28 01:35:12,860 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x7F2D0000.
2026-04-28 01:35:12,954 [root] DEBUG: 7728: .NET JIT native cache at 0x09DF0000: scans and dumps active.
2026-04-28 01:35:13,001 [root] DEBUG: 7728: .NET JIT native cache at 0x09DF0000: scans and dumps active.
2026-04-28 01:35:13,032 [root] DEBUG: 7728: .NET JIT native cache at 0x09DF0000: scans and dumps active.
2026-04-28 01:35:13,032 [root] DEBUG: 7728: .NET JIT native cache at 0x09FF0000: scans and dumps active.
2026-04-28 01:35:13,048 [root] DEBUG: 3404: caller_dispatch: Added region at 0x09FC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09FC073D, thread 2252).
2026-04-28 01:35:13,048 [root] DEBUG: 5144: DumpPEsInRange: Scanning range 0x044D0000 - 0x044D020C.
2026-04-28 01:35:13,095 [root] DEBUG: 7496: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:35:13,157 [root] DEBUG: 7728: .NET JIT native cache at 0x09FF0000: scans and dumps active.
2026-04-28 01:35:13,360 [root] DEBUG: 7548: GetEntropy: Error - Supplied address inaccessible: 0x08030000
2026-04-28 01:35:13,423 [root] DEBUG: 6384: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:35:13,470 [root] DEBUG: 7508: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 7508)
2026-04-28 01:35:13,470 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x7FA90000, size: 0x50000.
2026-04-28 01:35:13,470 [root] DEBUG: 3836: .NET JIT native cache at 0x092C0000: scans and dumps active.
2026-04-28 01:35:13,485 [root] DEBUG: 3836: .NET JIT native cache at 0x092C0000: scans and dumps active.
2026-04-28 01:35:13,501 [root] DEBUG: 3836: .NET JIT native cache at 0x092C0000: scans and dumps active.
2026-04-28 01:35:13,532 [root] DEBUG: 7728: .NET JIT native cache at 0x09FF0000: scans and dumps active.
2026-04-28 01:35:13,548 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x087A0000 skipped
2026-04-28 01:35:13,688 [root] DEBUG: 7728: .NET JIT native cache at 0x09FF0000: scans and dumps active.
2026-04-28 01:35:13,704 [root] DEBUG: 7104: Disabling sleep skipping.
2026-04-28 01:35:13,720 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x7F2D0000.
2026-04-28 01:35:13,735 [root] DEBUG: 7728: .NET JIT native cache at 0x09FF0000: scans and dumps active.
2026-04-28 01:35:13,751 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x09FC0000 skipped
2026-04-28 01:35:13,829 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09FF0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x0A009271, thread 1916).
2026-04-28 01:35:13,876 [root] DEBUG: 5144: ScanForDisguisedPE: Size too small: 0x20c bytes
2026-04-28 01:35:13,891 [root] DEBUG: 6384: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:35:13,891 [root] DEBUG: 7508: DumpPE: Instantiating PeParser with address: 0x08B70000.
2026-04-28 01:35:13,938 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:14,001 [root] DEBUG: 3488: GetEntropy: Error - Supplied address inaccessible: 0x7FA90000
2026-04-28 01:35:14,016 [root] DEBUG: 3836: caller_dispatch: Added region at 0x092C0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x092C09A2, thread 2768).
2026-04-28 01:35:14,048 [root] DEBUG: 7496: .NET JIT native cache at 0x09B20000: scans and dumps active.
2026-04-28 01:35:14,063 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x05A50000.
2026-04-28 01:35:14,141 [root] DEBUG: 3596: .NET JIT native cache at 0x08790000: scans and dumps active.
2026-04-28 01:35:14,157 [root] DEBUG: 7104: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:35:14,173 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FF0000.
2026-04-28 01:35:14,220 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09FF0000 skipped
2026-04-28 01:35:14,329 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x7F2C0000, size: 0x10000.
2026-04-28 01:35:14,360 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5144_809073613352227142026 to CAPE\5ce6e77979b407811f3790f41ce91414c8818d6f0399c8acdab6f56569ea191f; Size is 524; Max size: 100000000
2026-04-28 01:35:14,407 [root] DEBUG: 6384: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:35:14,423 [root] DEBUG: 7548: AllocationHandler: Processing previous tracked region at: 0x00CE0000.
2026-04-28 01:35:14,423 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7508_2603362113352227142026 to CAPE\b8f2297493ec805c84a38dce4ed667c9c7c8602dab506bbaff62b03a20f5ad58; Size is 39424; Max size: 100000000
2026-04-28 01:35:14,470 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09DF0000 to tracked regions list (kernel32::SwitchToThread returns to 0x09DF06EB, thread 5220).
2026-04-28 01:35:14,485 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x092C0000 skipped
2026-04-28 01:35:14,548 [root] INFO: Added new file to list with pid 5200 and path C:\Users\cape\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
2026-04-28 01:35:14,548 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:14,548 [root] INFO: Added new file to list with pid 5200 and path C:\Users\cape\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
2026-04-28 01:35:14,610 [root] DEBUG: 7728: DLL loaded at 0x6F1E0000: C:\Windows\SYSTEM32\secur32 (0xa000 bytes).
2026-04-28 01:35:14,626 [root] DEBUG: 7496: caller_dispatch: Added region at 0x09B20000 to tracked regions list (advapi32::CryptImportKey returns to 0x09B21E6C, thread 6148).
2026-04-28 01:35:14,626 [root] DEBUG: 3596: caller_dispatch: Added region at 0x08790000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08791EE6, thread 4676).
2026-04-28 01:35:14,657 [root] DEBUG: 7728: .NET JIT native cache at 0x099F0000: scans and dumps active.
2026-04-28 01:35:14,720 [root] DEBUG: 3404: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:35:14,845 [root] DEBUG: 5200: GetEntropy: Error - Supplied address inaccessible: 0x7F2C0000
2026-04-28 01:35:14,845 [root] DEBUG: 7104: YaraScan: Scanning 0x00690000, size 0x1a0a0
2026-04-28 01:35:14,845 [root] DEBUG: 6384: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:35:14,876 [root] DEBUG: 7548: DumpPEsInRange: Scanning range 0x00CE0000 - 0x00CE020B.
2026-04-28 01:35:14,891 [root] DEBUG: 7508: DumpPE: PE file at 0x08B70000 dumped successfully - dump size 0x9a00.
2026-04-28 01:35:14,891 [root] DEBUG: 5144: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5144_809073613352227142026 (size 524 bytes)
2026-04-28 01:35:14,891 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09DF0000 skipped
2026-04-28 01:35:15,016 [root] DEBUG: 3488: AllocationHandler: Processing previous tracked region at: 0x0A030000.
2026-04-28 01:35:15,016 [root] DEBUG: 3836: DLL loaded at 0x6F4F0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x357000 bytes).
2026-04-28 01:35:15,032 [root] INFO: Added new file to list with pid 3836 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_0ry005l1.f54.ps1
2026-04-28 01:35:15,032 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x09B20000 skipped
2026-04-28 01:35:15,079 [root] DEBUG: 7728: .NET JIT native cache at 0x099F0000: scans and dumps active.
2026-04-28 01:35:15,095 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x08790000 skipped
2026-04-28 01:35:15,141 [root] DEBUG: 7728: caller_dispatch: Added region at 0x099F0000 to tracked regions list (advapi32::CryptImportKey returns to 0x099F6B44, thread 1916).
2026-04-28 01:35:15,157 [root] DEBUG: 3404: .NET JIT native cache at 0x0A040000: scans and dumps active.
2026-04-28 01:35:15,173 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:15,173 [root] DEBUG: 7104: Monitor initialised: 32-bit capemon loaded in process 7104 at 0x73f00000, thread 5532, image base 0x690000, stack from 0x2725000-0x2730000
2026-04-28 01:35:15,188 [root] DEBUG: 7548: ScanForDisguisedPE: Size too small: 0x20b bytes
2026-04-28 01:35:15,188 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_3omthraf.xje.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:15,188 [root] DEBUG: 5144: DumpRegion: Dumped entire allocation from 0x044D0000, size 4096 bytes.
2026-04-28 01:35:15,188 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x08B80000.
2026-04-28 01:35:15,188 [root] INFO: Added new file to list with pid 3836 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_asxvh2ut.bcn.psm1
2026-04-28 01:35:15,220 [root] DEBUG: 3488: DumpPEsInRange: Scanning range 0x0A030000 - 0x0A03410D.
2026-04-28 01:35:15,235 [root] DEBUG: 7728: .NET JIT native cache at 0x09AD0000: scans and dumps active.
2026-04-28 01:35:15,235 [root] DEBUG: 7496: AllocationHandler: Previously reserved region at 0x09B20000, committing at: 0x09B2B000.
2026-04-28 01:35:15,251 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0A040000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A041B0A, thread 5524).
2026-04-28 01:35:15,251 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:35:15,360 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x09B20000.
2026-04-28 01:35:15,360 [root] DEBUG: 5200: AllocationHandler: Processing previous tracked region at: 0x7F2D0000.
2026-04-28 01:35:15,376 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x099F0000 skipped
2026-04-28 01:35:15,532 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7548_141977615352227142026 to CAPE\10dc50eeed51f3a1c739d1a80a667bd39518b932939da37b2b945068128a6a99; Size is 523; Max size: 100000000
2026-04-28 01:35:15,579 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_egfuysds.53k.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:15,579 [root] DEBUG: 5144: ProcessTrackedRegion: Dumped region at 0x044D0000.
2026-04-28 01:35:15,626 [root] DEBUG: 7104: Commandline: w32tm  /stripchart /computer:localhost /period:5 /dataonly /samples:2
2026-04-28 01:35:15,673 [root] DEBUG: 3836: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:35:15,688 [root] DEBUG: 7508: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 7508)
2026-04-28 01:35:15,688 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09AD0000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x09AD0098, thread 7980).
2026-04-28 01:35:15,688 [root] DEBUG: 3488: ScanForDisguisedPE: No PE image located in range 0x0A030000-0x0A03410D.
2026-04-28 01:35:15,705 [root] DEBUG: 3596: .NET JIT native cache at 0x09BE0000: scans and dumps active.
2026-04-28 01:35:15,798 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0A040000 skipped
2026-04-28 01:35:15,907 [root] DEBUG: 7496: .NET JIT native cache at 0x0A3B0000: scans and dumps active.
2026-04-28 01:35:16,016 [root] DEBUG: 7728: .NET JIT native cache at 0x09AF0000: scans and dumps active.
2026-04-28 01:35:16,188 [root] DEBUG: 5200: DumpPEsInRange: Scanning range 0x7F2D0000 - 0x7F2D003C.
2026-04-28 01:35:16,235 [root] DEBUG: 7548: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7548_141977615352227142026 (size 523 bytes)
2026-04-28 01:35:16,235 [root] DEBUG: 7104: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:35:16,235 [root] DEBUG: 5144: YaraScan: Scanning 0x044D0000, size 0x20c
2026-04-28 01:35:16,282 [root] DEBUG: 6384: .NET JIT native cache at 0x09D00000: scans and dumps active.
2026-04-28 01:35:16,282 [root] DEBUG: 3836: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:35:16,298 [root] DEBUG: 7508: DumpPE: Instantiating PeParser with address: 0x08B80000.
2026-04-28 01:35:16,298 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09AD0000 skipped
2026-04-28 01:35:16,313 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3488_1455120015352227142026 to CAPE\48fc59c0b7ea7861796b7acb93791e29abfc2a1307cdc00a7bdf8e519eab3acc; Size is 16653; Max size: 100000000
2026-04-28 01:35:16,313 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x0A050000, size: 0x1000.
2026-04-28 01:35:16,313 [root] DEBUG: 3596: caller_dispatch: Added region at 0x09BE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09BE600A, thread 4676).
2026-04-28 01:35:16,329 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A3B0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A3B264F, thread 6148).
2026-04-28 01:35:16,329 [root] DEBUG: 5200: ScanForDisguisedPE: Size too small: 0x3c bytes
2026-04-28 01:35:16,329 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09BE0000 skipped
2026-04-28 01:35:16,376 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:35:16,454 [root] DEBUG: 5144: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x08F50000.
2026-04-28 01:35:16,454 [root] DEBUG: 7548: DumpRegion: Dumped entire allocation from 0x00CE0000, size 4096 bytes.
2026-04-28 01:35:16,454 [root] DEBUG: 6384: caller_dispatch: Added region at 0x09D00000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09D00324, thread 1068).
2026-04-28 01:35:16,454 [root] DEBUG: 3836: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:35:16,501 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09AF0000 to tracked regions list (kernel32::SetErrorMode returns to 0x09AF4B13, thread 7980).
2026-04-28 01:35:16,501 [root] DEBUG: 3488: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3488_1455120015352227142026 (size 16653 bytes)
2026-04-28 01:35:16,501 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7508_709567816352227142026 to CAPE\4e7559a9539caf9238081cc71ca062ac4b5cf35c132ab2cff639f96f71878bb6; Size is 66048; Max size: 100000000
2026-04-28 01:35:16,501 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:16,516 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A3B0000 skipped
2026-04-28 01:35:16,641 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:35:16,720 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5200_7764416352227142026 to CAPE\8b2912b8bd40e4ed9a924d0aa48c505d331e3eb01f70bf983da911ae11b3d5ef; Size is 60; Max size: 100000000
2026-04-28 01:35:16,766 [root] DEBUG: 7104: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:35:16,860 [root] DEBUG: 5144: AllocationHandler: Previously reserved region at 0x08F50000, committing at: 0x08F50000.
2026-04-28 01:35:16,923 [root] DEBUG: 3836: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:35:17,001 [root] DEBUG: 7548: ProcessTrackedRegion: Dumped region at 0x00CE0000.
2026-04-28 01:35:17,032 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09AF0000 skipped
2026-04-28 01:35:17,079 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x09D00000 skipped
2026-04-28 01:35:17,095 [root] DEBUG: 3404: .NET JIT native cache at 0x0A0A0000: scans and dumps active.
2026-04-28 01:35:17,126 [root] DEBUG: 7508: DumpPE: PE file at 0x08B80000 dumped successfully - dump size 0x10200.
2026-04-28 01:35:17,157 [root] DEBUG: 3488: DumpRegion: Dumped entire allocation from 0x0A030000, size 20480 bytes.
2026-04-28 01:35:17,157 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x06600000.
2026-04-28 01:35:17,173 [root] DEBUG: 5200: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5200_7764416352227142026 (size 60 bytes)
2026-04-28 01:35:17,173 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:35:17,173 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044D0000.
2026-04-28 01:35:17,220 [root] DEBUG: 3836: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:35:17,220 [root] DEBUG: 7548: YaraScan: Scanning 0x00CE0000, size 0x20b
2026-04-28 01:35:17,235 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x7F230000, size: 0x50000.
2026-04-28 01:35:17,235 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x05A50000.
2026-04-28 01:35:17,345 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x061B0000.
2026-04-28 01:35:17,345 [root] DEBUG: 3488: ProcessTrackedRegion: Dumped region at 0x0A030000.
2026-04-28 01:35:17,438 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x08BB0000.
2026-04-28 01:35:17,454 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0A0A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A0A1A28, thread 5524).
2026-04-28 01:35:17,485 [root] DEBUG: 7496: .NET JIT native cache at 0x0A1C0000: scans and dumps active.
2026-04-28 01:35:17,626 [root] DEBUG: 5200: DumpRegion: Dumped entire allocation from 0x7F2D0000, size 4096 bytes.
2026-04-28 01:35:17,673 [root] DEBUG: 7104: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:35:17,688 [root] DEBUG: 5144: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:35:17,782 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_0ry005l1.f54.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:17,891 [root] DEBUG: 7548: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x08030000.
2026-04-28 01:35:17,923 [root] DEBUG: 3596: GetEntropy: Error - Supplied address inaccessible: 0x7F230000
2026-04-28 01:35:17,938 [root] DEBUG: 7496: .NET JIT native cache at 0x0A3A0000: scans and dumps active.
2026-04-28 01:35:17,970 [root] DEBUG: 7728: .NET JIT native cache at 0x09BE0000: scans and dumps active.
2026-04-28 01:35:17,970 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0A0A0000 skipped
2026-04-28 01:35:18,063 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x08BB0000 skipped due to dump limit 10
2026-04-28 01:35:18,110 [root] DEBUG: 3488: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7FA90000.
2026-04-28 01:35:18,110 [root] DEBUG: 6384: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:35:18,110 [root] DEBUG: 7496: .NET JIT native cache at 0x0A3A0000: scans and dumps active.
2026-04-28 01:35:18,235 [root] DEBUG: 7496: DLL loaded at 0x6F2D0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions (0x4c000 bytes).
2026-04-28 01:35:18,251 [root] DEBUG: 5200: ProcessTrackedRegion: Dumped region at 0x7F2D0000.
2026-04-28 01:35:18,266 [root] DEBUG: 7104: Hooked 630 out of 632 functions
2026-04-28 01:35:18,266 [root] DEBUG: 5144: .NET JIT native cache at 0x08FC0000: scans and dumps active.
2026-04-28 01:35:18,282 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_asxvh2ut.bcn.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:18,313 [root] DEBUG: 7548: AllocationHandler: Previously reserved region at 0x08030000, committing at: 0x08030000.
2026-04-28 01:35:18,313 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:18,376 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A3A0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x0A3A1BF0, thread 4576).
2026-04-28 01:35:18,376 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09BE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09BE0480, thread 5220).
2026-04-28 01:35:18,376 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x08BC0000.
2026-04-28 01:35:18,376 [root] DEBUG: 3404: .NET JIT native cache at 0x08DE0000: scans and dumps active.
2026-04-28 01:35:18,391 [root] DEBUG: 3488: AllocationHandler: Previously reserved region at 0x7FA90000, committing at: 0x7FA90000.
2026-04-28 01:35:18,407 [root] DEBUG: 6384: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:35:18,407 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09BE0000 skipped
2026-04-28 01:35:18,438 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x06600000.
2026-04-28 01:35:18,579 [root] DEBUG: 7496: .NET JIT native cache at 0x0A990000: scans and dumps active.
2026-04-28 01:35:18,579 [root] DEBUG: 7496: .NET JIT native cache at 0x0A990000: scans and dumps active.
2026-04-28 01:35:18,610 [root] DEBUG: 5144: caller_dispatch: Added region at 0x08FC0000 to tracked regions list (advapi32::CryptImportKey returns to 0x08FC1E6C, thread 7260).
2026-04-28 01:35:18,610 [root] DEBUG: 5200: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7F2C0000.
2026-04-28 01:35:18,641 [root] DEBUG: 7104: Syscall hook installed, syscall logging level 1
2026-04-28 01:35:18,641 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:35:18,641 [root] DEBUG: 3596: AllocationHandler: Processing previous tracked region at: 0x09AD0000.
2026-04-28 01:35:18,673 [root] DEBUG: 3836: .NET JIT native cache at 0x09260000: scans and dumps active.
2026-04-28 01:35:18,751 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A3A0000 skipped
2026-04-28 01:35:18,798 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x08BC0000 skipped due to dump limit 10
2026-04-28 01:35:18,891 [root] DEBUG: 3404: caller_dispatch: Added region at 0x08DE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08DE0117, thread 5524).
2026-04-28 01:35:18,954 [root] DEBUG: 7496: .NET JIT native cache at 0x0A990000: scans and dumps active.
2026-04-28 01:35:19,001 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x7FA90000.
2026-04-28 01:35:19,016 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A70000.
2026-04-28 01:35:19,032 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A990000 to tracked regions list (advapi32::CryptImportKey returns to 0x0A9A97FC, thread 1936).
2026-04-28 01:35:19,032 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x05A50000.
2026-04-28 01:35:19,095 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x08FC0000 skipped
2026-04-28 01:35:19,188 [root] DEBUG: 5200: AllocationHandler: Previously reserved region at 0x7F2C0000, committing at: 0x7F2C0000.
2026-04-28 01:35:19,204 [root] DEBUG: 7104: RestoreHeaders: Restored original import table.
2026-04-28 01:35:19,220 [root] DEBUG: 3596: DumpPEsInRange: Scanning range 0x09AD0000 - 0x09AD40BD.
2026-04-28 01:35:19,266 [root] DEBUG: 7548: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:35:19,391 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09260000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x092600B2, thread 604).
2026-04-28 01:35:19,454 [root] DEBUG: 7496: .NET JIT native cache at 0x0A400000: scans and dumps active.
2026-04-28 01:35:19,532 [root] DEBUG: 3596: ScanForDisguisedPE: No PE image located in range 0x09AD0000-0x09AD40BD.
2026-04-28 01:35:19,532 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x08BE0000.
2026-04-28 01:35:19,548 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x08DE0000 skipped
2026-04-28 01:35:19,548 [root] DEBUG: 7496: .NET JIT native cache at 0x0A400000: scans and dumps active.
2026-04-28 01:35:19,548 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A990000 skipped
2026-04-28 01:35:19,563 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x7FA90000.
2026-04-28 01:35:19,595 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A70000.
2026-04-28 01:35:19,595 [root] DEBUG: 7728: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:35:19,641 [root] DEBUG: 5144: AllocationHandler: Previously reserved region at 0x08FC0000, committing at: 0x08FCB000.
2026-04-28 01:35:19,673 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x09A40000, size: 0x1000.
2026-04-28 01:35:19,688 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A400000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A404B74, thread 4576).
2026-04-28 01:35:19,704 [root] INFO: Loaded monitor into process with pid 7104
2026-04-28 01:35:19,704 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09260000 skipped
2026-04-28 01:35:19,720 [root] DEBUG: 7548: .NET JIT native cache at 0x08080000: scans and dumps active.
2026-04-28 01:35:19,751 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3596_1098048019352227142026 to CAPE\e6f6ba96e1b83a8cd7ea124907742cc41c661d2e3bfaa1b00966bc05b4589f44; Size is 16573; Max size: 100000000
2026-04-28 01:35:19,766 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x08BE0000 skipped due to dump limit 10
2026-04-28 01:35:19,766 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A050000.
2026-04-28 01:35:19,891 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x7FA80000, size: 0x10000.
2026-04-28 01:35:19,891 [root] DEBUG: 7728: .NET JIT native cache at 0x09BD0000: scans and dumps active.
2026-04-28 01:35:19,907 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x09CD0000, size: 0x8000.
2026-04-28 01:35:19,907 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:19,923 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08FC0000.
2026-04-28 01:35:19,923 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A400000 skipped
2026-04-28 01:35:20,032 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x06040000.
2026-04-28 01:35:20,126 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08D30000 (jit-dumps=0)
2026-04-28 01:35:20,204 [root] DEBUG: 7104: caller_dispatch: Added region at 0x00690000 to tracked regions list (kernel32::CreateProcessW returns to 0x0069CCDA, thread 5532).
2026-04-28 01:35:20,235 [root] DEBUG: 3596: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3596_1098048019352227142026 (size 16573 bytes)
2026-04-28 01:35:20,266 [root] DEBUG: 7548: caller_dispatch: Added region at 0x08080000 to tracked regions list (advapi32::CryptImportKey returns to 0x08081D64, thread 3424).
2026-04-28 01:35:20,298 [root] DEBUG: 3404: .NET JIT native cache at 0x0A0E0000: scans and dumps active.
2026-04-28 01:35:20,376 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09BD0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09BD115A, thread 616).
2026-04-28 01:35:20,376 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x7F2D0000.
2026-04-28 01:35:20,391 [root] DEBUG: 3488: GetEntropy: Error - Supplied address inaccessible: 0x7FA80000
2026-04-28 01:35:20,391 [root] DEBUG: 6384: GetEntropy: Error - Supplied address inaccessible: 0x09CD0000
2026-04-28 01:35:20,407 [root] DEBUG: 5144: .NET JIT native cache at 0x098A0000: scans and dumps active.
2026-04-28 01:35:20,407 [root] DEBUG: 7496: .NET JIT native cache at 0x0A450000: scans and dumps active.
2026-04-28 01:35:20,423 [root] DEBUG: 7496: .NET JIT native cache at 0x0A450000: scans and dumps active.
2026-04-28 01:35:20,423 [root] DEBUG: 7496: .NET JIT native cache at 0x0A450000: scans and dumps active.
2026-04-28 01:35:20,516 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08D80000 (jit-dumps=0)
2026-04-28 01:35:20,548 [root] DEBUG: 7104: YaraScan: Scanning 0x00690000, size 0x1a0a0
2026-04-28 01:35:20,548 [root] DEBUG: 3596: DumpRegion: Dumped entire allocation from 0x09AD0000, size 20480 bytes.
2026-04-28 01:35:20,563 [root] DEBUG: 3836: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:35:20,563 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x08080000 skipped
2026-04-28 01:35:20,641 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0A0E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A0E1209, thread 5524).
2026-04-28 01:35:20,657 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x7F2D0000.
2026-04-28 01:35:20,657 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09BD0000 skipped
2026-04-28 01:35:20,688 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:20,688 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:20,798 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x7F2C0000.
2026-04-28 01:35:20,813 [root] DEBUG: 5144: caller_dispatch: Added region at 0x098A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x098A26AD, thread 7260).
2026-04-28 01:35:20,813 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A450000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A4514E3, thread 6148).
2026-04-28 01:35:20,829 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x08F90000.
2026-04-28 01:35:20,829 [root] DEBUG: 7104: ProcessImageBase: Main module image at 0x00690000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:35:20,829 [root] DEBUG: 3596: ProcessTrackedRegion: Dumped region at 0x09AD0000.
2026-04-28 01:35:20,829 [root] DEBUG: 3836: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:35:20,845 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0A0E0000 skipped
2026-04-28 01:35:20,891 [root] DEBUG: 7548: .NET JIT native cache at 0x094B0000: scans and dumps active.
2026-04-28 01:35:21,095 [root] DEBUG: 6384: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x09CD0000.
2026-04-28 01:35:21,188 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x09BF0000, size: 0x1000.
2026-04-28 01:35:21,204 [root] DEBUG: 3488: AllocationHandler: Processing previous tracked region at: 0x7FA90000.
2026-04-28 01:35:21,251 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x098A0000 skipped
2026-04-28 01:35:21,266 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:21,376 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x08F90000 skipped due to dump limit 10
2026-04-28 01:35:21,407 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A450000 skipped
2026-04-28 01:35:21,423 [root] DEBUG: 3596: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7F230000.
2026-04-28 01:35:21,579 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x091D0000.
2026-04-28 01:35:21,610 [root] DEBUG: 7104: CreateProcessHandler: Injection info set for new process 6228: C:\Windows\Sysnative\w32tm.exe, ImageBase: 0x00000000
2026-04-28 01:35:21,626 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-28 01:35:21,626 [root] DEBUG: 7548: caller_dispatch: Added region at 0x094B0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x094B29B1, thread 3424).
2026-04-28 01:35:21,626 [root] INFO: Added new file to list with pid 5200 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_guit3no5.0dq.ps1
2026-04-28 01:35:21,641 [root] DEBUG: 3488: DumpPEsInRange: Scanning range 0x7FA90000 - 0x7FA9003C.
2026-04-28 01:35:21,641 [root] DEBUG: 6384: AllocationHandler: Previously reserved region at 0x09CD0000, committing at: 0x09CD0000.
2026-04-28 01:35:21,673 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FC0000.
2026-04-28 01:35:21,688 [root] DEBUG: 7496: DLL loaded at 0x6F1E0000: C:\Windows\SYSTEM32\secur32 (0xa000 bytes).
2026-04-28 01:35:21,688 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044D0000.
2026-04-28 01:35:21,704 [root] DEBUG: 3596: AllocationHandler: Previously reserved region at 0x7F230000, committing at: 0x7F230000.
2026-04-28 01:35:21,704 [root] DEBUG: 7496: .NET JIT native cache at 0x0A4F0000: scans and dumps active.
2026-04-28 01:35:21,704 [root] DEBUG: 7728: .NET JIT native cache at 0x09C90000: scans and dumps active.
2026-04-28 01:35:21,735 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x091D0000 skipped due to dump limit 10
2026-04-28 01:35:21,751 [root] INFO: Announced 64-bit process name: w32tm.exe pid: 6228
2026-04-28 01:35:21,860 [lib.api.process] INFO: Monitor config for <Process 6228 w32tm.exe>: C:\ltb6yatm\dll\6228.ini
2026-04-28 01:35:21,891 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-28 01:35:21,891 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x094B0000 skipped
2026-04-28 01:35:21,891 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:21,923 [root] INFO: Added new file to list with pid 5200 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_24ffz0eo.bdn.psm1
2026-04-28 01:35:21,938 [root] DEBUG: 3488: ScanForDisguisedPE: Size too small: 0x3c bytes
2026-04-28 01:35:21,938 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x061B0000.
2026-04-28 01:35:21,970 [root] DEBUG: 7496: .NET JIT native cache at 0x0A4F0000: scans and dumps active.
2026-04-28 01:35:21,985 [root] DEBUG: 3404: .NET JIT native cache at 0x0A1A0000: scans and dumps active.
2026-04-28 01:35:22,016 [root] DEBUG: 5144: .NET JIT native cache at 0x09030000: scans and dumps active.
2026-04-28 01:35:22,220 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x7F230000.
2026-04-28 01:35:22,235 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09C90000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09C90CAB, thread 616).
2026-04-28 01:35:22,235 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A4F0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A4F007D, thread 4576).
2026-04-28 01:35:22,251 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x091E0000.
2026-04-28 01:35:22,298 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x085B0000, size: 0x8000.
2026-04-28 01:35:22,313 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:35:22,313 [root] DEBUG: Loader: Injecting process 6228 (thread 6716) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:22,345 [root] DEBUG: 5200: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:35:22,360 [root] DEBUG: 6384: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:35:22,470 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3488_22136821352227142026 to CAPE\2b5b7e4b1ac0bdc4262f42d4c641d63e15e1067705a2242cc4e3eee64c2bf060; Size is 60; Max size: 100000000
2026-04-28 01:35:22,501 [root] DEBUG: 5144: DLL loaded at 0x6F2D0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions (0x4c000 bytes).
2026-04-28 01:35:22,610 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0A1A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A1A06DB, thread 5524).
2026-04-28 01:35:22,735 [root] DEBUG: 5144: .NET JIT native cache at 0x09C00000: scans and dumps active.
2026-04-28 01:35:22,735 [root] DEBUG: 5144: .NET JIT native cache at 0x09C00000: scans and dumps active.
2026-04-28 01:35:22,751 [root] DEBUG: 5144: .NET JIT native cache at 0x09C00000: scans and dumps active.
2026-04-28 01:35:22,751 [root] DEBUG: 5144: .NET JIT native cache at 0x09E80000: scans and dumps active.
2026-04-28 01:35:22,766 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09C90000 skipped
2026-04-28 01:35:22,766 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x7F230000.
2026-04-28 01:35:22,829 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A4F0000 skipped
2026-04-28 01:35:22,907 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x091E0000 skipped due to dump limit 10
2026-04-28 01:35:22,923 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:35:22,970 [root] DEBUG: 3836: GetEntropy: Error - Supplied address inaccessible: 0x085B0000
2026-04-28 01:35:22,970 [root] DEBUG: 7548: AllocationHandler: Previously reserved region at 0x08080000, committing at: 0x0808D000.
2026-04-28 01:35:22,986 [root] DEBUG: 5144: .NET JIT native cache at 0x09E80000: scans and dumps active.
2026-04-28 01:35:22,986 [root] DEBUG: 5200: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:35:23,001 [root] DEBUG: 5144: .NET JIT native cache at 0x09E80000: scans and dumps active.
2026-04-28 01:35:23,032 [root] DEBUG: 3488: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3488_22136821352227142026 (size 60 bytes)
2026-04-28 01:35:23,048 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0A1A0000 skipped
2026-04-28 01:35:23,063 [root] DEBUG: 6384: .NET JIT native cache at 0x09F50000: scans and dumps active.
2026-04-28 01:35:23,063 [root] DEBUG: 5144: .NET JIT native cache at 0x09E80000: scans and dumps active.
2026-04-28 01:35:23,063 [root] DEBUG: 5144: .NET JIT native cache at 0x09E80000: scans and dumps active.
2026-04-28 01:35:23,079 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09E80000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09E994A0, thread 7260).
2026-04-28 01:35:23,095 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09BF0000.
2026-04-28 01:35:23,095 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x7F220000, size: 0x10000.
2026-04-28 01:35:23,220 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x09220000.
2026-04-28 01:35:23,235 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x06600000.
2026-04-28 01:35:23,313 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:23,360 [root] DEBUG: 3836: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:23,376 [lib.api.process] INFO: Injected into 64-bit <Process 6228 w32tm.exe>
2026-04-28 01:35:23,376 [root] DEBUG: 7548: .NET JIT native cache at 0x092B0000: scans and dumps active.
2026-04-28 01:35:23,532 [root] DEBUG: 5200: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:35:23,532 [root] DEBUG: 3488: DumpRegion: Dumped entire allocation from 0x7FA90000, size 4096 bytes.
2026-04-28 01:35:23,548 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FF0000.
2026-04-28 01:35:23,548 [root] DEBUG: 6384: caller_dispatch: Added region at 0x09F50000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09F505FD, thread 1068).
2026-04-28 01:35:23,548 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09E80000 skipped
2026-04-28 01:35:23,548 [root] DEBUG: 7728: .NET JIT native cache at 0x087F0000: scans and dumps active.
2026-04-28 01:35:23,579 [root] DEBUG: 3488: ProcessTrackedRegion: Dumped region at 0x7FA90000.
2026-04-28 01:35:23,579 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x09220000 skipped due to dump limit 10
2026-04-28 01:35:23,579 [root] DEBUG: 3596: GetEntropy: Error - Supplied address inaccessible: 0x7F220000
2026-04-28 01:35:23,595 [root] DEBUG: 7496: .NET JIT native cache at 0x0A3E0000: scans and dumps active.
2026-04-28 01:35:23,610 [root] DEBUG: 7104: InstrumentationCallback: Added region at 0x7728341C (base 0x77150000) to tracked regions list (thread 5532).
2026-04-28 01:35:23,626 [root] DEBUG: 3836: AllocationHandler: Processing previous tracked region at: 0x06040000.
2026-04-28 01:35:23,626 [root] DEBUG: 7548: .NET JIT native cache at 0x094E0000: scans and dumps active.
2026-04-28 01:35:23,626 [root] DEBUG: 7548: .NET JIT native cache at 0x094E0000: scans and dumps active.
2026-04-28 01:35:23,689 [root] DEBUG: 5200: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:35:23,704 [root] DEBUG: 7548: .NET JIT native cache at 0x094E0000: scans and dumps active.
2026-04-28 01:35:23,704 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A050000.
2026-04-28 01:35:23,813 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044D0000.
2026-04-28 01:35:23,985 [root] DEBUG: 7548: .NET JIT native cache at 0x094E0000: scans and dumps active.
2026-04-28 01:35:24,001 [root] DEBUG: 7728: caller_dispatch: Added region at 0x087F0000 to tracked regions list (advapi32::CryptAcquireContextW returns to 0x087F2604, thread 616).
2026-04-28 01:35:24,048 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x09F50000 skipped
2026-04-28 01:35:24,110 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x09230000.
2026-04-28 01:35:24,126 [root] DEBUG: 3488: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7FA80000.
2026-04-28 01:35:24,126 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:24,126 [root] DEBUG: 7104: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:35:24,126 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A3E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A3E0E44, thread 6148).
2026-04-28 01:35:24,141 [root] DEBUG: 7548: caller_dispatch: Added region at 0x094E0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x094E1478, thread 2384).
2026-04-28 01:35:24,157 [root] DEBUG: 3596: AllocationHandler: Processing previous tracked region at: 0x7F230000.
2026-04-28 01:35:24,157 [root] DEBUG: 3836: DumpPEsInRange: Scanning range 0x06040000 - 0x0604020C.
2026-04-28 01:35:24,157 [root] DEBUG: 7548: .NET JIT native cache at 0x09A40000: scans and dumps active.
2026-04-28 01:35:24,173 [root] DEBUG: 7548: .NET JIT native cache at 0x09A40000: scans and dumps active.
2026-04-28 01:35:24,188 [root] DEBUG: 5200: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:35:24,204 [root] DEBUG: 3596: DumpPEsInRange: Scanning range 0x7F230000 - 0x7F23003C.
2026-04-28 01:35:24,204 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09C00000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09C01A14, thread 6216).
2026-04-28 01:35:24,204 [root] DEBUG: 3404: .NET JIT native cache at 0x0AEB0000: scans and dumps active.
2026-04-28 01:35:24,235 [root] DEBUG: 7548: .NET JIT native cache at 0x09A40000: scans and dumps active.
2026-04-28 01:35:24,235 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x087F0000 skipped
2026-04-28 01:35:24,282 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x09230000 skipped due to dump limit 10
2026-04-28 01:35:24,376 [root] DEBUG: 6384: AllocationHandler: Previously reserved region at 0x09F50000, committing at: 0x09F5B000.
2026-04-28 01:35:24,391 [root] DEBUG: 3488: AllocationHandler: Previously reserved region at 0x7FA80000, committing at: 0x7FA80000.
2026-04-28 01:35:24,391 [root] DEBUG: 6228: Python path set to 'C:\Python310'.
2026-04-28 01:35:24,391 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A3E0000 skipped
2026-04-28 01:35:24,470 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x094E0000 skipped
2026-04-28 01:35:24,470 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x0A2E0000, size: 0x1000.
2026-04-28 01:35:24,485 [root] DEBUG: 7548: caller_dispatch: Added region at 0x09A40000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09A58BC0, thread 3424).
2026-04-28 01:35:24,485 [root] DEBUG: 3596: ScanForDisguisedPE: Size too small: 0x3c bytes
2026-04-28 01:35:24,485 [root] DEBUG: 3836: ScanForDisguisedPE: Size too small: 0x20c bytes
2026-04-28 01:35:24,485 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3596_11446024352227142026 to CAPE\4c283fe1e571b81b070de4f596bf868020a98e457bd548e9dc73165d9bf47aaa; Size is 60; Max size: 100000000
2026-04-28 01:35:24,501 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_guit3no5.0dq.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:24,563 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09C00000 skipped
2026-04-28 01:35:24,563 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3836_1547101524352227142026 to CAPE\d907b06ddbbe1539ee618a003476b357a0e7531f6301533ac61a8fef67a8a0bb; Size is 524; Max size: 100000000
2026-04-28 01:35:24,704 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0AEB0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0AEB8355, thread 5524).
2026-04-28 01:35:24,751 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x09240000.
2026-04-28 01:35:24,751 [root] DEBUG: 7728: .NET JIT native cache at 0x09C10000: scans and dumps active.
2026-04-28 01:35:24,782 [root] DEBUG: 6228: Dropped file limit defaulting to 100.
2026-04-28 01:35:24,782 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x09F50000.
2026-04-28 01:35:24,798 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x06600000.
2026-04-28 01:35:24,845 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:35:24,860 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:24,923 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x09A40000 skipped
2026-04-28 01:35:25,126 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_24ffz0eo.bdn.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:25,188 [root] DEBUG: 5144: DLL loaded at 0x6F1E0000: C:\Windows\SYSTEM32\secur32 (0xa000 bytes).
2026-04-28 01:35:25,188 [root] DEBUG: 3596: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3596_11446024352227142026 (size 60 bytes)
2026-04-28 01:35:25,235 [root] DEBUG: 5144: .NET JIT native cache at 0x09890000: scans and dumps active.
2026-04-28 01:35:25,360 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0AEB0000 skipped
2026-04-28 01:35:25,454 [root] DEBUG: 3836: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3836_1547101524352227142026 (size 524 bytes)
2026-04-28 01:35:25,516 [root] DEBUG: 5144: .NET JIT native cache at 0x09890000: scans and dumps active.
2026-04-28 01:35:25,548 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09C10000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x09C12DAB, thread 616).
2026-04-28 01:35:25,657 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x09240000 skipped due to dump limit 10
2026-04-28 01:35:25,704 [root] DEBUG: 7496: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:35:25,813 [root] DEBUG: 6384: .NET JIT native cache at 0x0A180000: scans and dumps active.
2026-04-28 01:35:25,876 [root] DEBUG: 7548: DLL loaded at 0x6F2D0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions (0x4c000 bytes).
2026-04-28 01:35:25,954 [root] DEBUG: 7548: .NET JIT native cache at 0x09620000: scans and dumps active.
2026-04-28 01:35:26,017 [root] DEBUG: 7548: .NET JIT native cache at 0x09620000: scans and dumps active.
2026-04-28 01:35:26,095 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x7FA90000.
2026-04-28 01:35:26,126 [root] DEBUG: 5200: DLL loaded at 0x6EBF0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2026-04-28 01:35:26,126 [root] DEBUG: 5144: .NET JIT native cache at 0x09890000: scans and dumps active.
2026-04-28 01:35:26,141 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09890000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09899BC5, thread 4448).
2026-04-28 01:35:26,157 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x7F090000, size: 0x50000.
2026-04-28 01:35:26,173 [root] DEBUG: 3596: DumpRegion: Dumped entire allocation from 0x7F230000, size 4096 bytes.
2026-04-28 01:35:26,173 [root] DEBUG: 6228: Disabling sleep skipping.
2026-04-28 01:35:26,188 [root] DEBUG: 3836: DumpRegion: Dumped entire allocation from 0x06040000, size 4096 bytes.
2026-04-28 01:35:26,251 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09C10000 skipped
2026-04-28 01:35:26,345 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09260000 (jit-dumps=0)
2026-04-28 01:35:26,407 [root] DEBUG: 7496: .NET JIT native cache at 0x0A570000: scans and dumps active.
2026-04-28 01:35:26,485 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A180000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A182021, thread 1068).
2026-04-28 01:35:26,704 [root] DEBUG: 7548: .NET JIT native cache at 0x09620000: scans and dumps active.
2026-04-28 01:35:26,751 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 3676: C:\Windows\system32\backgroundTaskHost.exe, ImageBase: 0x00007FF785FC0000
2026-04-28 01:35:26,766 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 6024: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.22342.0_x64__8wekyb3d8bbwe\HxTsr.exe, ImageBase: 0x00007FF628C60000
2026-04-28 01:35:26,766 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 6360: C:\Windows\system32\backgroundTaskHost.exe, ImageBase: 0x00007FF785FC0000
2026-04-28 01:35:26,798 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 6432: C:\Windows\system32\backgroundTaskHost.exe, ImageBase: 0x00007FF785FC0000
2026-04-28 01:35:26,813 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x7FA90000.
2026-04-28 01:35:26,829 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 1928: C:\Windows\system32\backgroundTaskHost.exe, ImageBase: 0x00007FF785FC0000
2026-04-28 01:35:26,845 [root] DEBUG: 7548: caller_dispatch: Added region at 0x09620000 to tracked regions list (advapi32::CryptImportKey returns to 0x096284A4, thread 2384).
2026-04-28 01:35:26,845 [root] DEBUG: 5200: DLL loaded at 0x6EBD0000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2026-04-28 01:35:26,860 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 1928
2026-04-28 01:35:26,860 [lib.api.process] INFO: Monitor config for <Process 1928 backgroundTaskHost.exe>: C:\ltb6yatm\dll\1928.ini
2026-04-28 01:35:26,860 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09890000 skipped
2026-04-28 01:35:26,907 [root] DEBUG: 3404: GetEntropy: Error - Supplied address inaccessible: 0x7F090000
2026-04-28 01:35:26,923 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:26,923 [root] DEBUG: 6228: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:35:26,970 [root] DEBUG: 3596: ProcessTrackedRegion: Dumped region at 0x7F230000.
2026-04-28 01:35:26,970 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A180000 skipped
2026-04-28 01:35:26,985 [root] DEBUG: 3836: ProcessTrackedRegion: Dumped region at 0x06040000.
2026-04-28 01:35:27,001 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A570000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A575DE2, thread 5940).
2026-04-28 01:35:27,001 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x04600000.
2026-04-28 01:35:27,001 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x09410000.
2026-04-28 01:35:27,016 [root] DEBUG: 7548: DLL loaded at 0x6F1E0000: C:\Windows\SYSTEM32\secur32 (0xa000 bytes).
2026-04-28 01:35:27,079 [root] INFO: Announced 64-bit process name: HxTsr.exe pid: 6024
2026-04-28 01:35:27,110 [lib.api.process] INFO: Monitor config for <Process 6024 HxTsr.exe>: C:\ltb6yatm\dll\6024.ini
2026-04-28 01:35:27,126 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 3676
2026-04-28 01:35:27,142 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 6432
2026-04-28 01:35:27,142 [lib.api.process] INFO: Monitor config for <Process 3676 backgroundTaskHost.exe>: C:\ltb6yatm\dll\3676.ini
2026-04-28 01:35:27,157 [lib.api.process] INFO: Monitor config for <Process 6432 backgroundTaskHost.exe>: C:\ltb6yatm\dll\6432.ini
2026-04-28 01:35:27,157 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x7FA80000.
2026-04-28 01:35:27,220 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 6360
2026-04-28 01:35:27,220 [lib.api.process] INFO: Monitor config for <Process 6360 backgroundTaskHost.exe>: C:\ltb6yatm\dll\6360.ini
2026-04-28 01:35:27,220 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:27,282 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x09620000 skipped
2026-04-28 01:35:27,376 [root] DEBUG: 5200: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2026-04-28 01:35:27,376 [root] DEBUG: 5144: .NET JIT native cache at 0x09950000: scans and dumps active.
2026-04-28 01:35:27,376 [root] DEBUG: 5144: .NET JIT native cache at 0x09950000: scans and dumps active.
2026-04-28 01:35:27,407 [root] DEBUG: 5144: .NET JIT native cache at 0x09950000: scans and dumps active.
2026-04-28 01:35:27,425 [root] DEBUG: 6228: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:35:27,438 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:27,438 [root] DEBUG: Loader: Injecting process 1928 (thread 4320) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:27,470 [root] DEBUG: 3596: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7F220000.
2026-04-28 01:35:27,470 [root] DEBUG: 3836: YaraScan: Scanning 0x06040000, size 0x20c
2026-04-28 01:35:27,501 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x061B0000.
2026-04-28 01:35:27,501 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A570000 skipped
2026-04-28 01:35:27,501 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09BF0000.
2026-04-28 01:35:27,532 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x09410000 skipped due to dump limit 10
2026-04-28 01:35:27,532 [root] DEBUG: Loader: Injecting process 3676 (thread 6724) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:27,548 [root] DEBUG: 7548: .NET JIT native cache at 0x09340000: scans and dumps active.
2026-04-28 01:35:27,563 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 3444: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x00007FF6402C0000
2026-04-28 01:35:27,579 [root] DEBUG: 7548: .NET JIT native cache at 0x09340000: scans and dumps active.
2026-04-28 01:35:27,579 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:27,595 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:27,641 [root] DEBUG: 5200: DLL loaded at 0x6EE20000: C:\Windows\SYSTEM32\urlmon (0x1a8000 bytes).
2026-04-28 01:35:27,891 [root] DEBUG: 6228: YaraScan: Scanning 0x00007FF709300000, size 0x1e05c
2026-04-28 01:35:27,907 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09950000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09952521, thread 4448).
2026-04-28 01:35:27,923 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:35:27,938 [root] DEBUG: 3836: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x085B0000.
2026-04-28 01:35:27,954 [root] DEBUG: 3404: AllocationHandler: Processing previous tracked region at: 0x0A050000.
2026-04-28 01:35:27,954 [root] DEBUG: 3596: AllocationHandler: Previously reserved region at 0x7F220000, committing at: 0x7F220000.
2026-04-28 01:35:27,970 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x09F50000.
2026-04-28 01:35:27,985 [root] DEBUG: 7728: .NET JIT native cache at 0x09D00000: scans and dumps active.
2026-04-28 01:35:28,048 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x09280000, size: 0x1000.
2026-04-28 01:35:28,048 [root] INFO: Added new file to list with pid 3488 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_kaprrb5w.qee.ps1
2026-04-28 01:35:28,063 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:35:28,063 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x09420000.
2026-04-28 01:35:28,079 [root] DEBUG: 7548: caller_dispatch: Added region at 0x09340000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x09340098, thread 3472).
2026-04-28 01:35:28,079 [root] DEBUG: Loader: Injecting process 6360 (thread 3684) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:28,095 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 3444
2026-04-28 01:35:28,095 [lib.api.process] INFO: Monitor config for <Process 3444 WmiPrvSE.exe>: C:\ltb6yatm\dll\3444.ini
2026-04-28 01:35:28,095 [root] DEBUG: Loader: Injecting process 6432 (thread 4592) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:28,126 [root] DEBUG: 7548: .NET JIT native cache at 0x09470000: scans and dumps active.
2026-04-28 01:35:28,267 [root] DEBUG: 5200: DLL loaded at 0x703C0000: C:\Windows\SYSTEM32\PROPSYS (0xc2000 bytes).
2026-04-28 01:35:28,298 [root] DEBUG: 6228: Monitor initialised: 64-bit capemon loaded in process 6228 at 0x00007FFEABCB0000, thread 6716, image base 0x00007FF709300000, stack from 0x000000E253D24000-0x000000E253D30000
2026-04-28 01:35:28,313 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09950000 skipped
2026-04-28 01:35:28,485 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:28,516 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:28,563 [root] DEBUG: 3404: DumpPEsInRange: Scanning range 0x0A050000 - 0x0A0525DD.
2026-04-28 01:35:28,579 [lib.api.process] INFO: Injected into 64-bit <Process 1928 backgroundTaskHost.exe>
2026-04-28 01:35:28,579 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x09D60000, size: 0x1000.
2026-04-28 01:35:28,579 [root] DEBUG: 3836: AllocationHandler: Previously reserved region at 0x085B0000, committing at: 0x085B0000.
2026-04-28 01:35:28,579 [root] DEBUG: 6384: .NET JIT native cache at 0x0A090000: scans and dumps active.
2026-04-28 01:35:28,735 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09D00000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09D03216, thread 616).
2026-04-28 01:35:28,829 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:28,829 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:28,829 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:28,985 [root] INFO: Added new file to list with pid 3488 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_3xh1bvfz.3dp.psm1
2026-04-28 01:35:29,048 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x09420000 skipped due to dump limit 10
2026-04-28 01:35:29,048 [lib.api.process] INFO: Injected into 64-bit <Process 3676 backgroundTaskHost.exe>
2026-04-28 01:35:29,063 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:35:29,079 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:35:29,095 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x09340000 skipped
2026-04-28 01:35:29,110 [root] DEBUG: 6228: Commandline: w32tm  /stripchart /computer:localhost /period:5 /dataonly /samples:2
2026-04-28 01:35:29,157 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x09A90000, size: 0x1000.
2026-04-28 01:35:29,157 [root] DEBUG: 5144: .NET JIT native cache at 0x09980000: scans and dumps active.
2026-04-28 01:35:29,188 [root] DEBUG: Loader: Injecting process 6024 (thread 1576) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:29,188 [root] DEBUG: 5144: .NET JIT native cache at 0x09980000: scans and dumps active.
2026-04-28 01:35:29,204 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x06040000.
2026-04-28 01:35:29,267 [root] DEBUG: 3404: ScanForDisguisedPE: No PE image located in range 0x0A050000-0x0A0525DD.
2026-04-28 01:35:29,282 [root] DEBUG: 6384: .NET JIT native cache at 0x0A160000: scans and dumps active.
2026-04-28 01:35:29,345 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:29,376 [root] DEBUG: 6384: .NET JIT native cache at 0x0A160000: scans and dumps active.
2026-04-28 01:35:29,407 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 1928
2026-04-28 01:35:29,407 [lib.api.process] INFO: Monitor config for <Process 1928 backgroundTaskHost.exe>: C:\ltb6yatm\dll\1928.ini
2026-04-28 01:35:29,407 [root] DEBUG: 6384: .NET JIT native cache at 0x0A160000: scans and dumps active.
2026-04-28 01:35:29,438 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:29,454 [root] DEBUG: 6384: .NET JIT native cache at 0x0A160000: scans and dumps active.
2026-04-28 01:35:29,485 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09D00000 skipped
2026-04-28 01:35:29,501 [root] DEBUG: 7496: .NET JIT native cache at 0x092F0000: scans and dumps active.
2026-04-28 01:35:29,532 [root] DEBUG: 3488: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:35:29,563 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x09430000.
2026-04-28 01:35:29,563 [root] DEBUG: Loader: Injecting process 3444 (thread 1060) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:29,563 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:29,595 [lib.api.process] INFO: Injected into 64-bit <Process 6360 backgroundTaskHost.exe>
2026-04-28 01:35:29,595 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:29,595 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 3676
2026-04-28 01:35:29,610 [lib.api.process] INFO: Monitor config for <Process 3676 backgroundTaskHost.exe>: C:\ltb6yatm\dll\3676.ini
2026-04-28 01:35:29,626 [lib.api.process] INFO: Injected into 64-bit <Process 6432 backgroundTaskHost.exe>
2026-04-28 01:35:29,626 [root] DEBUG: 6228: hook_api: LdrpCallInitRoutine export address 0x00007FFEFE8699BC obtained via GetFunctionAddress
2026-04-28 01:35:29,626 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:29,673 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:29,704 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09980000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09981223, thread 4448).
2026-04-28 01:35:29,735 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:35:29,735 [root] DEBUG: 7548: caller_dispatch: Added region at 0x09470000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09474FF3, thread 3472).
2026-04-28 01:35:29,751 [root] DEBUG: 3836: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:35:29,907 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x061B0000.
2026-04-28 01:35:30,110 [root] DEBUG: 7496: caller_dispatch: Added region at 0x092F0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x092F10C0, thread 5940).
2026-04-28 01:35:30,157 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x05A50000.
2026-04-28 01:35:30,329 [root] DEBUG: 3488: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:35:30,423 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x09430000 skipped due to dump limit 10
2026-04-28 01:35:30,501 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:35:30,501 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3404_13395029352227142026 to CAPE\cc46ac71cc357adc9233c8ef79ef422d9eb75298faae85049b8b2ff7643d10f0; Size is 9693; Max size: 100000000
2026-04-28 01:35:30,501 [root] DEBUG: Loader: Injecting process 1928 (thread 4320) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:30,501 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A160000 to tracked regions list (ntdll::LdrLoadDll returns to 0x0A160EE0, thread 3972).
2026-04-28 01:35:30,517 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x7F230000.
2026-04-28 01:35:30,532 [root] WARNING: b'Unable to place hook on LockResource'
2026-04-28 01:35:30,532 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 6360
2026-04-28 01:35:30,532 [lib.api.process] INFO: Monitor config for <Process 6360 backgroundTaskHost.exe>: C:\ltb6yatm\dll\6360.ini
2026-04-28 01:35:30,548 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 6432
2026-04-28 01:35:30,548 [root] DEBUG: Loader: Injecting process 3676 (thread 6724) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:30,548 [lib.api.process] INFO: Monitor config for <Process 6432 backgroundTaskHost.exe>: C:\ltb6yatm\dll\6432.ini
2026-04-28 01:35:30,563 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:30,563 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:30,563 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x09470000 skipped
2026-04-28 01:35:30,563 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:30,610 [lib.api.process] INFO: Injected into 64-bit <Process 6024 HxTsr.exe>
2026-04-28 01:35:30,610 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09980000 skipped
2026-04-28 01:35:30,704 [root] DEBUG: 6384: .NET JIT native cache at 0x0A730000: scans and dumps active.
2026-04-28 01:35:30,860 [root] DEBUG: 5200: DLL loaded at 0x773F0000: C:\Windows\System32\Normaliz (0x7000 bytes).
2026-04-28 01:35:30,970 [root] DEBUG: 6384: .NET JIT native cache at 0x0A730000: scans and dumps active.
2026-04-28 01:35:31,032 [root] DEBUG: 6384: .NET JIT native cache at 0x0A730000: scans and dumps active.
2026-04-28 01:35:31,032 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x092F0000 skipped
2026-04-28 01:35:31,141 [root] DEBUG: 3836: .NET JIT native cache at 0x09290000: scans and dumps active.
2026-04-28 01:35:31,173 [root] DEBUG: 3488: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:35:31,173 [root] DEBUG: 7728: .NET JIT native cache at 0x0AA10000: scans and dumps active.
2026-04-28 01:35:31,188 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x09450000.
2026-04-28 01:35:31,220 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:31,235 [lib.api.process] INFO: Injected into 64-bit <Process 3444 WmiPrvSE.exe>
2026-04-28 01:35:31,235 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:31,235 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A160000 skipped
2026-04-28 01:35:31,251 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x7F230000.
2026-04-28 01:35:31,251 [root] DEBUG: 3404: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3404_13395029352227142026 (size 9693 bytes)
2026-04-28 01:35:31,267 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:31,267 [root] DEBUG: Loader: Injecting process 6360 (thread 3684) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:31,298 [root] DEBUG: 6228: set_hooks: Unable to hook LockResource
2026-04-28 01:35:31,313 [root] DEBUG: 6228: Hooked 627 out of 628 functions
2026-04-28 01:35:31,329 [root] DEBUG: Loader: Injecting process 6432 (thread 4592) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:31,329 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:35:31,470 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044D0000.
2026-04-28 01:35:31,470 [root] INFO: Announced 64-bit process name: HxTsr.exe pid: 6024
2026-04-28 01:35:31,610 [root] DEBUG: 6384: .NET JIT native cache at 0x0A2F0000: scans and dumps active.
2026-04-28 01:35:31,626 [lib.api.process] INFO: Monitor config for <Process 6024 HxTsr.exe>: C:\ltb6yatm\dll\6024.ini
2026-04-28 01:35:31,657 [root] DEBUG: 6384: .NET JIT native cache at 0x0A2F0000: scans and dumps active.
2026-04-28 01:35:31,688 [root] DEBUG: 5200: DLL loaded at 0x6FEB0000: C:\Windows\SYSTEM32\WININET (0x454000 bytes).
2026-04-28 01:35:31,688 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x09280000.
2026-04-28 01:35:31,766 [root] DEBUG: 6384: .NET JIT native cache at 0x0A2F0000: scans and dumps active.
2026-04-28 01:35:31,845 [root] DEBUG: 5200: DLL loaded at 0x70310000: C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer (0xa3000 bytes).
2026-04-28 01:35:31,860 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09290000 to tracked regions list (advapi32::CryptImportKey returns to 0x09291954, thread 604).
2026-04-28 01:35:31,923 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 3444
2026-04-28 01:35:32,001 [root] DEBUG: 3488: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:35:32,016 [lib.api.process] INFO: Monitor config for <Process 3444 WmiPrvSE.exe>: C:\ltb6yatm\dll\3444.ini
2026-04-28 01:35:32,032 [root] DEBUG: 7728: caller_dispatch: Added region at 0x0AA10000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0AA17FAD, thread 616).
2026-04-28 01:35:32,032 [root] DEBUG: 6384: DLL loaded at 0x6F2D0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions (0x4c000 bytes).
2026-04-28 01:35:32,095 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:32,126 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x09450000 skipped due to dump limit 10
2026-04-28 01:35:32,173 [lib.api.process] INFO: Injected into 64-bit <Process 1928 backgroundTaskHost.exe>
2026-04-28 01:35:32,173 [root] DEBUG: 3404: DumpRegion: Dumped entire allocation from 0x0A050000, size 12288 bytes.
2026-04-28 01:35:32,188 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:32,204 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x7F220000.
2026-04-28 01:35:32,298 [lib.api.process] INFO: Injected into 64-bit <Process 3676 backgroundTaskHost.exe>
2026-04-28 01:35:32,298 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:32,345 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:32,423 [root] DEBUG: 7548: .NET JIT native cache at 0x094A0000: scans and dumps active.
2026-04-28 01:35:32,454 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A2F0000 to tracked regions list (advapi32::CryptImportKey returns to 0x0A2F3FC4, thread 7776).
2026-04-28 01:35:32,454 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:32,470 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A730000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A73CFD6, thread 2632).
2026-04-28 01:35:32,470 [root] DEBUG: 5144: .NET JIT native cache at 0x099A0000: scans and dumps active.
2026-04-28 01:35:32,548 [root] DEBUG: 7496: .NET JIT native cache at 0x0A5B0000: scans and dumps active.
2026-04-28 01:35:32,579 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x00370000, size: 0x1000.
2026-04-28 01:35:32,579 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09290000 skipped
2026-04-28 01:35:32,610 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:32,626 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x0AA10000 skipped
2026-04-28 01:35:32,657 [root] DEBUG: 3488: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:35:32,751 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x09460000.
2026-04-28 01:35:32,782 [root] DEBUG: 6228: Syscall hook installed, syscall logging level 1
2026-04-28 01:35:32,798 [root] DEBUG: 3404: ProcessTrackedRegion: Dumped region at 0x0A050000.
2026-04-28 01:35:32,798 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 1928
2026-04-28 01:35:32,798 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:32,813 [lib.api.process] INFO: Monitor config for <Process 1928 backgroundTaskHost.exe>: C:\ltb6yatm\dll\1928.ini
2026-04-28 01:35:32,813 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 3676
2026-04-28 01:35:32,813 [lib.api.process] INFO: Monitor config for <Process 3676 backgroundTaskHost.exe>: C:\ltb6yatm\dll\3676.ini
2026-04-28 01:35:32,829 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:32,829 [root] DEBUG: 7548: caller_dispatch: Added region at 0x094A0000 to tracked regions list (advapi32::RegOpenKeyExW returns to 0x094A038F, thread 3424).
2026-04-28 01:35:32,829 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:32,845 [lib.api.process] INFO: Injected into 64-bit <Process 6360 backgroundTaskHost.exe>
2026-04-28 01:35:32,860 [root] DEBUG: Loader: Injecting process 6024 (thread 1576) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:32,907 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A2F0000 skipped
2026-04-28 01:35:32,907 [root] INFO: Added new file to list with pid 3596 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_r0hrvezo.u2n.ps1
2026-04-28 01:35:32,923 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:32,923 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A730000 skipped
2026-04-28 01:35:33,001 [lib.api.process] INFO: Injected into 64-bit <Process 6432 backgroundTaskHost.exe>
2026-04-28 01:35:33,016 [root] DEBUG: 5144: caller_dispatch: Added region at 0x099A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x099A0340, thread 7260).
2026-04-28 01:35:33,048 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:33,110 [root] DEBUG: 3836: .NET JIT native cache at 0x09B20000: scans and dumps active.
2026-04-28 01:35:33,110 [root] DEBUG: Loader: Injecting process 3444 (thread 1060) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:33,126 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A5B0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A5B181A, thread 5940).
2026-04-28 01:35:33,126 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x7F980000, size: 0x50000.
2026-04-28 01:35:33,141 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_kaprrb5w.qee.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:33,141 [root] DEBUG: Loader: Injecting process 1928 (thread 4320) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:33,141 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x09460000 skipped due to dump limit 10
2026-04-28 01:35:33,141 [root] DEBUG: 3404: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7F090000.
2026-04-28 01:35:33,157 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:33,157 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:33,157 [root] DEBUG: Loader: Injecting process 3676 (thread 6724) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:33,173 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x094A0000 skipped
2026-04-28 01:35:33,251 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 6360
2026-04-28 01:35:33,251 [root] DEBUG: 6384: .NET JIT native cache at 0x0A2E0000: scans and dumps active.
2026-04-28 01:35:33,251 [lib.api.process] INFO: Monitor config for <Process 6360 backgroundTaskHost.exe>: C:\ltb6yatm\dll\6360.ini
2026-04-28 01:35:33,345 [root] INFO: Added new file to list with pid 3596 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_0wnuplft.kc1.psm1
2026-04-28 01:35:33,345 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:33,438 [root] DEBUG: 6384: .NET JIT native cache at 0x0A2E0000: scans and dumps active.
2026-04-28 01:35:33,454 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x099A0000 skipped
2026-04-28 01:35:33,516 [root] INFO: Announced 64-bit process name: backgroundTaskHost.exe pid: 6432
2026-04-28 01:35:33,563 [lib.api.process] INFO: Monitor config for <Process 6432 backgroundTaskHost.exe>: C:\ltb6yatm\dll\6432.ini
2026-04-28 01:35:33,563 [root] DEBUG: 5200: AllocationHandler: Previously reserved region at 0x09A30000, committing at: 0x09A3C000.
2026-04-28 01:35:33,579 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:33,626 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A5B0000 skipped
2026-04-28 01:35:33,766 [root] DEBUG: 7728: GetEntropy: Error - Supplied address inaccessible: 0x7F980000
2026-04-28 01:35:33,766 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09B20000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09B2241B, thread 604).
2026-04-28 01:35:33,782 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09470000 (jit-dumps=0)
2026-04-28 01:35:33,782 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:33,782 [root] DEBUG: 3404: AllocationHandler: Previously reserved region at 0x7F090000, committing at: 0x7F090000.
2026-04-28 01:35:33,782 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:33,829 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:33,845 [lib.api.process] INFO: Injected into 64-bit <Process 3444 WmiPrvSE.exe>
2026-04-28 01:35:33,845 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_3xh1bvfz.3dp.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:33,907 [lib.api.process] INFO: Injected into 64-bit <Process 6024 HxTsr.exe>
2026-04-28 01:35:33,923 [root] DEBUG: 3596: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:35:33,970 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:35:34,032 [root] DEBUG: Loader: Injecting process 6360 (thread 3684) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:34,048 [root] DEBUG: 6384: .NET JIT native cache at 0x0A300000: scans and dumps active.
2026-04-28 01:35:34,063 [root] DEBUG: 6384: .NET JIT native cache at 0x0A300000: scans and dumps active.
2026-04-28 01:35:34,110 [root] DEBUG: 6228: RestoreHeaders: Restored original import table.
2026-04-28 01:35:34,141 [root] DEBUG: Loader: Injecting process 6432 (thread 4592) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:34,141 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044D0000.
2026-04-28 01:35:34,204 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09A90000.
2026-04-28 01:35:34,329 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x094C0000.
2026-04-28 01:35:34,360 [root] DEBUG: 7496: .NET JIT native cache at 0x0A600000: scans and dumps active.
2026-04-28 01:35:34,391 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x7F090000.
2026-04-28 01:35:34,439 [root] DEBUG: 7728: AllocationHandler: Processing previous tracked region at: 0x09BF0000.
2026-04-28 01:35:34,454 [root] DEBUG: 3444: Python path set to 'C:\Python310'.
2026-04-28 01:35:34,502 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09B20000 skipped
2026-04-28 01:35:34,626 [root] DEBUG: 3488: DLL loaded at 0x6EBF0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2026-04-28 01:35:34,688 [root] DEBUG: 7548: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:35:34,735 [root] INFO: Announced 64-bit process name: HxTsr.exe pid: 6024
2026-04-28 01:35:34,782 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A2E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A2EC1D4, thread 7776).
2026-04-28 01:35:34,782 [lib.api.process] INFO: Monitor config for <Process 6024 HxTsr.exe>: C:\ltb6yatm\dll\6024.ini
2026-04-28 01:35:34,798 [root] DEBUG: 3596: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:35:34,829 [root] DEBUG: 5144: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:35:34,876 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x094C0000 skipped due to dump limit 10
2026-04-28 01:35:34,923 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A600000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A60137A, thread 5940).
2026-04-28 01:35:34,938 [root] DEBUG: 7728: DumpPEsInRange: Scanning range 0x09BF0000 - 0x09BF26CD.
2026-04-28 01:35:34,938 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x7F090000.
2026-04-28 01:35:34,954 [root] INFO: Loaded monitor into process with pid 6228
2026-04-28 01:35:34,954 [root] DEBUG: 3444: Dropped file limit defaulting to 100.
2026-04-28 01:35:34,954 [root] DEBUG: 3488: DLL loaded at 0x6EBD0000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2026-04-28 01:35:34,954 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x06040000.
2026-04-28 01:35:34,954 [root] DEBUG: 7548: .NET JIT native cache at 0x08610000: scans and dumps active.
2026-04-28 01:35:35,017 [root] DEBUG: 3596: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:35:35,032 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A2E0000 skipped
2026-04-28 01:35:35,048 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x0AC40000.
2026-04-28 01:35:35,204 [root] DEBUG: 5144: .NET JIT native cache at 0x08E30000: scans and dumps active.
2026-04-28 01:35:35,235 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x061D0000, size: 0x1000.
2026-04-28 01:35:35,235 [root] DEBUG: 7728: ScanForDisguisedPE: No PE image located in range 0x09BF0000-0x09BF26CD.
2026-04-28 01:35:35,235 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A600000 skipped
2026-04-28 01:35:35,251 [root] DEBUG: 3444: Disabling sleep skipping.
2026-04-28 01:35:35,345 [root] DEBUG: 3836: .NET JIT native cache at 0x08500000: scans and dumps active.
2026-04-28 01:35:35,423 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x7F080000, size: 0x10000.
2026-04-28 01:35:35,657 [root] DEBUG: 3488: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2026-04-28 01:35:35,782 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:35:35,798 [root] DEBUG: 6228: caller_dispatch: Added region at 0x00007FF709300000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF709310749, thread 6716).
2026-04-28 01:35:35,892 [root] DEBUG: 7548: caller_dispatch: Added region at 0x08610000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0861038F, thread 8948).
2026-04-28 01:35:35,938 [root] DEBUG: 3596: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:35:35,938 [root] DEBUG: 6384: DLL loaded at 0x6F1E0000: C:\Windows\SYSTEM32\secur32 (0xa000 bytes).
2026-04-28 01:35:35,954 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x0AC40000 skipped due to dump limit 10
2026-04-28 01:35:35,970 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:35,970 [root] DEBUG: 5144: caller_dispatch: Added region at 0x08E30000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08E34E4C, thread 8980).
2026-04-28 01:35:35,970 [root] DEBUG: 3444: Services hook set enabled
2026-04-28 01:35:35,985 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7728_11162535352227142026 to CAPE\0930500a7f60cae2d3e20e784d8238e613a750a1bad664af6887380a287b7510; Size is 9933; Max size: 100000000
2026-04-28 01:35:35,985 [root] DEBUG: 3836: .NET JIT native cache at 0x09990000: scans and dumps active.
2026-04-28 01:35:35,985 [root] DEBUG: 3836: .NET JIT native cache at 0x09F30000: scans and dumps active.
2026-04-28 01:35:36,001 [root] DEBUG: 3836: .NET JIT native cache at 0x09990000: scans and dumps active.
2026-04-28 01:35:36,032 [root] DEBUG: 3404: GetEntropy: Error - Supplied address inaccessible: 0x7F080000
2026-04-28 01:35:36,032 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:36,048 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:36,063 [root] DEBUG: 3488: DLL loaded at 0x6EE20000: C:\Windows\SYSTEM32\urlmon (0x1a8000 bytes).
2026-04-28 01:35:36,235 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:36,282 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:36,298 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x08610000 skipped
2026-04-28 01:35:36,345 [root] DEBUG: Loader: Injecting process 6024 (thread 1576) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:36,345 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x065D0000.
2026-04-28 01:35:36,376 [root] DEBUG: 3596: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:35:36,376 [root] DEBUG: 6228: YaraScan: Scanning 0x00007FF709300000, size 0x1e05c
2026-04-28 01:35:36,407 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x0AC70000.
2026-04-28 01:35:36,407 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x061D0000.
2026-04-28 01:35:36,438 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A300000 to tracked regions list (advapi32::CryptImportKey returns to 0x0A303B2B, thread 3972).
2026-04-28 01:35:36,438 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x08E30000 skipped
2026-04-28 01:35:36,470 [root] DEBUG: 3836: .NET JIT native cache at 0x09F30000: scans and dumps active.
2026-04-28 01:35:36,579 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09F30000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09F4866B, thread 604).
2026-04-28 01:35:36,579 [root] DEBUG: 7728: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7728_11162535352227142026 (size 9933 bytes)
2026-04-28 01:35:36,579 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:36,641 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:36,641 [lib.api.process] INFO: Injected into 64-bit <Process 3676 backgroundTaskHost.exe>
2026-04-28 01:35:36,641 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:36,657 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:36,688 [lib.api.process] INFO: Injected into 64-bit <Process 1928 backgroundTaskHost.exe>
2026-04-28 01:35:36,735 [lib.api.process] INFO: Injected into 64-bit <Process 6432 backgroundTaskHost.exe>
2026-04-28 01:35:36,735 [root] DEBUG: 3488: DLL loaded at 0x703C0000: C:\Windows\SYSTEM32\PROPSYS (0xc2000 bytes).
2026-04-28 01:35:36,735 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:36,813 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:35:36,829 [root] DEBUG: 7496: .NET JIT native cache at 0x034D0000: scans and dumps active.
2026-04-28 01:35:36,829 [lib.api.process] INFO: Injected into 64-bit <Process 6360 backgroundTaskHost.exe>
2026-04-28 01:35:36,860 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_r0hrvezo.u2n.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:36,876 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x08620000, size: 0x1000.
2026-04-28 01:35:36,876 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x0AC70000 skipped due to dump limit 10
2026-04-28 01:35:36,876 [root] DEBUG: 6228: ProcessImageBase: Main module image at 0x00007FF709300000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:35:36,876 [root] DEBUG: 3444: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:35:36,923 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x061D0000.
2026-04-28 01:35:36,954 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09F30000 skipped
2026-04-28 01:35:36,970 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x099B0000, size: 0x1000.
2026-04-28 01:35:36,970 [root] DEBUG: 3836: DLL loaded at 0x6F2D0000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions (0x4c000 bytes).
2026-04-28 01:35:36,985 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A300000 skipped
2026-04-28 01:35:37,033 [root] DEBUG: 7728: DumpRegion: Dumped entire allocation from 0x09BF0000, size 12288 bytes.
2026-04-28 01:35:37,033 [root] DEBUG: 3404: AllocationHandler: Processing previous tracked region at: 0x7F090000.
2026-04-28 01:35:37,048 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x02D90000, size: 0x1000.
2026-04-28 01:35:37,048 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:35:37,048 [root] DEBUG: 752: DEBUG:Initialized 9 com hooks
2026-04-28 01:35:37,064 [lib.api.process] INFO: Injected into 64-bit <Process 6024 HxTsr.exe>
2026-04-28 01:35:37,064 [root] DEBUG: 752: DEBUG:Initialized 9 com hooks
2026-04-28 01:35:37,079 [root] DEBUG: 752: DEBUG:Initialized 9 com hooks
2026-04-28 01:35:37,095 [root] DEBUG: 7496: caller_dispatch: Added region at 0x034D0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x034D06DB, thread 5940).
2026-04-28 01:35:37,110 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x061D0000.
2026-04-28 01:35:37,110 [root] DEBUG: 752: DEBUG:Initialized 9 com hooks
2026-04-28 01:35:37,110 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_0wnuplft.kc1.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:37,110 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:37,235 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x0AC80000.
2026-04-28 01:35:37,267 [root] DEBUG: 3444: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:35:37,267 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x06040000.
2026-04-28 01:35:37,329 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:37,454 [root] DEBUG: 6228: DLL loaded at 0x00007FFEFB660000: C:\Windows\system32\mswsock (0x6a000 bytes).
2026-04-28 01:35:37,548 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x061B0000.
2026-04-28 01:35:37,626 [root] DEBUG: 3404: DumpPEsInRange: Scanning range 0x7F090000 - 0x7F09003C.
2026-04-28 01:35:37,641 [root] DEBUG: 7728: ProcessTrackedRegion: Dumped region at 0x09BF0000.
2026-04-28 01:35:37,641 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:37,657 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x034D0000 skipped
2026-04-28 01:35:37,673 [root] DEBUG: 5200: .NET JIT native cache at 0x061D0000: scans and dumps active.
2026-04-28 01:35:37,720 [root] DEBUG: 3596: DLL loaded at 0x6EBF0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2026-04-28 01:35:37,782 [root] DEBUG: 7548: .NET JIT native cache at 0x09490000: scans and dumps active.
2026-04-28 01:35:37,829 [root] DEBUG: 3444: Monitor initialised: 64-bit capemon loaded in process 3444 at 0x00007FFEABCB0000, thread 1060, image base 0x00007FF6402C0000, stack from 0x000000E310110000-0x000000E310120000
2026-04-28 01:35:37,829 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x0AC80000 skipped due to dump limit 10
2026-04-28 01:35:37,829 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09990000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x099929F4, thread 604).
2026-04-28 01:35:37,845 [root] DEBUG: 5144: .NET JIT native cache at 0x09AB0000: scans and dumps active.
2026-04-28 01:35:37,891 [root] DEBUG: 3404: ScanForDisguisedPE: Size too small: 0x3c bytes
2026-04-28 01:35:37,891 [root] DEBUG: 6228: DLL loaded at 0x00007FFEFB3A0000: C:\Windows\SYSTEM32\DNSAPI (0xca000 bytes).
2026-04-28 01:35:37,907 [root] DEBUG: 6384: .NET JIT native cache at 0x0A330000: scans and dumps active.
2026-04-28 01:35:37,907 [root] DEBUG: 7728: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7F980000.
2026-04-28 01:35:37,923 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x09280000.
2026-04-28 01:35:37,923 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x061D0000 skipped
2026-04-28 01:35:37,923 [root] DEBUG: 3488: DLL loaded at 0x773F0000: C:\Windows\System32\Normaliz (0x7000 bytes).
2026-04-28 01:35:38,001 [root] DEBUG: 3596: DLL loaded at 0x6EBD0000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2026-04-28 01:35:38,048 [root] DEBUG: 3444: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2026-04-28 01:35:38,095 [root] DEBUG: 7548: caller_dispatch: Added region at 0x09490000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09494805, thread 8948).
2026-04-28 01:35:38,110 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09990000 skipped
2026-04-28 01:35:38,126 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x0AC90000.
2026-04-28 01:35:38,235 [root] DEBUG: 7728: AllocationHandler: Previously reserved region at 0x7F980000, committing at: 0x7F980000.
2026-04-28 01:35:38,345 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09AB0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09AB04CE, thread 8980).
2026-04-28 01:35:38,345 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A330000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A330488, thread 1068).
2026-04-28 01:35:38,360 [root] DEBUG: 3488: DLL loaded at 0x6FEB0000: C:\Windows\SYSTEM32\WININET (0x454000 bytes).
2026-04-28 01:35:38,360 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3404_1829044837352227142026 to CAPE\ce5856a742cad92e7879f5b3c70e4191e931619e148286db4b6524e1bce8e5c8; Size is 60; Max size: 100000000
2026-04-28 01:35:38,391 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x06600000.
2026-04-28 01:35:38,454 [root] DEBUG: 3596: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2026-04-28 01:35:38,595 [root] DEBUG: 6228: DLL loaded at 0x00007FFEF52E0000: C:\Windows\System32\rasadhlp (0xa000 bytes).
2026-04-28 01:35:38,595 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09620000.
2026-04-28 01:35:38,641 [root] DEBUG: 3444: Hooked 69 out of 69 functions
2026-04-28 01:35:38,688 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x09490000 skipped
2026-04-28 01:35:38,720 [root] DEBUG: 3836: DLL loaded at 0x6F1E0000: C:\Windows\SYSTEM32\secur32 (0xa000 bytes).
2026-04-28 01:35:38,720 [root] DEBUG: 3836: .NET JIT native cache at 0x09B10000: scans and dumps active.
2026-04-28 01:35:38,735 [root] DEBUG: 3836: .NET JIT native cache at 0x09B10000: scans and dumps active.
2026-04-28 01:35:38,829 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x0AC90000 skipped due to dump limit 10
2026-04-28 01:35:38,923 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09AB0000 skipped
2026-04-28 01:35:39,001 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x7F980000.
2026-04-28 01:35:39,016 [root] DEBUG: 3404: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3404_1829044837352227142026 (size 60 bytes)
2026-04-28 01:35:39,016 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A330000 skipped
2026-04-28 01:35:39,095 [root] DEBUG: 3488: DLL loaded at 0x70310000: C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer (0xa3000 bytes).
2026-04-28 01:35:39,110 [root] DEBUG: 7496: .NET JIT native cache at 0x0A900000: scans and dumps active.
2026-04-28 01:35:39,126 [root] DEBUG: 3596: DLL loaded at 0x6EE20000: C:\Windows\SYSTEM32\urlmon (0x1a8000 bytes).
2026-04-28 01:35:39,173 [root] DEBUG: 5200: .NET JIT native cache at 0x061E0000: scans and dumps active.
2026-04-28 01:35:39,251 [root] DEBUG: 6228: DLL loaded at 0x00007FFEF5D30000: C:\Windows\System32\fwpuclnt (0x80000 bytes).
2026-04-28 01:35:39,266 [root] DEBUG: 3444: RestoreHeaders: Restored original import table.
2026-04-28 01:35:39,282 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08620000.
2026-04-28 01:35:39,345 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09B10000 to tracked regions list (advapi32::CryptImportKey returns to 0x09B1048C, thread 604).
2026-04-28 01:35:39,392 [root] DEBUG: 3836: .NET JIT native cache at 0x09B10000: scans and dumps active.
2026-04-28 01:35:39,392 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0ACC0000 (jit-dumps=0)
2026-04-28 01:35:39,423 [root] DEBUG: 3836: .NET JIT native cache at 0x08600000: scans and dumps active.
2026-04-28 01:35:39,485 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x099B0000.
2026-04-28 01:35:39,657 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x7F980000.
2026-04-28 01:35:39,704 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x061B0000.
2026-04-28 01:35:39,766 [root] DEBUG: 5200: caller_dispatch: Added region at 0x061E0000 to tracked regions list (advapi32::RegQueryValueExW returns to 0x061E0091, thread 2888).
2026-04-28 01:35:39,782 [root] DEBUG: 3404: DumpRegion: Dumped entire allocation from 0x7F090000, size 4096 bytes.
2026-04-28 01:35:39,798 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x02DB0000, size: 0x1000.
2026-04-28 01:35:39,798 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A900000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A9084D7, thread 5940).
2026-04-28 01:35:39,798 [root] DEBUG: 3596: DLL loaded at 0x703C0000: C:\Windows\SYSTEM32\PROPSYS (0xc2000 bytes).
2026-04-28 01:35:39,829 [root] INFO: Loaded monitor into process with pid 3444
2026-04-28 01:35:39,829 [root] DEBUG: 7548: .NET JIT native cache at 0x096C0000: scans and dumps active.
2026-04-28 01:35:39,860 [root] DEBUG: 3836: .NET JIT native cache at 0x08600000: scans and dumps active.
2026-04-28 01:35:39,876 [root] DEBUG: 7508: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0AD50000 (jit-dumps=0)
2026-04-28 01:35:39,876 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x7F970000, size: 0x10000.
2026-04-28 01:35:39,891 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09B10000 skipped
2026-04-28 01:35:39,907 [root] DEBUG: 5144: .NET JIT native cache at 0x00850000: scans and dumps active.
2026-04-28 01:35:39,923 [root] DEBUG: 6384: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:35:39,954 [root] DEBUG: 3836: .NET JIT native cache at 0x08610000: scans and dumps active.
2026-04-28 01:35:40,048 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x061E0000 skipped
2026-04-28 01:35:40,079 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:40,095 [root] DEBUG: 3404: ProcessTrackedRegion: Dumped region at 0x7F090000.
2026-04-28 01:35:40,095 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x00920000, size: 0x1000.
2026-04-28 01:35:40,110 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A900000 skipped
2026-04-28 01:35:40,204 [root] DEBUG: 3836: .NET JIT native cache at 0x08610000: scans and dumps active.
2026-04-28 01:35:40,251 [root] DEBUG: 7548: caller_dispatch: Added region at 0x096C0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x096C1C52, thread 8948).
2026-04-28 01:35:40,251 [root] DEBUG: 7728: GetEntropy: Error - Supplied address inaccessible: 0x7F970000
2026-04-28 01:35:40,282 [root] DEBUG: 7508: DumpInterestingRegions: Dumping .NET image at 0x0ADE0000.
2026-04-28 01:35:40,407 [root] DEBUG: 3836: .NET JIT native cache at 0x08610000: scans and dumps active.
2026-04-28 01:35:40,470 [root] DEBUG: 3444: set_hooks_by_export_directory: Hooked 0 out of 69 functions
2026-04-28 01:35:40,595 [root] DEBUG: 5144: caller_dispatch: Added region at 0x00850000 to tracked regions list (advapi32::CryptAcquireContextW returns to 0x00852604, thread 8980).
2026-04-28 01:35:40,595 [root] DEBUG: 3488: AllocationHandler: Previously reserved region at 0x0A1C0000, committing at: 0x0A1CC000.
2026-04-28 01:35:40,595 [root] DEBUG: 6384: .NET JIT native cache at 0x0A2C0000: scans and dumps active.
2026-04-28 01:35:40,626 [root] DEBUG: 3404: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7F080000.
2026-04-28 01:35:40,626 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:40,641 [root] DEBUG: 3836: caller_dispatch: Added region at 0x08610000 to tracked regions list (advapi32::CryptImportKey returns to 0x0861023B, thread 1920).
2026-04-28 01:35:40,641 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x7EF60000, size: 0x50000.
2026-04-28 01:35:40,657 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x096C0000 skipped
2026-04-28 01:35:40,751 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:40,829 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x00850000 skipped
2026-04-28 01:35:40,938 [root] DEBUG: 7508: DumpImageInCurrentProcess: Dump at 0x0ADE0000 skipped due to dump limit 10
2026-04-28 01:35:40,985 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x02D90000.
2026-04-28 01:35:41,126 [root] DEBUG: 3404: AllocationHandler: Previously reserved region at 0x7F080000, committing at: 0x7F080000.
2026-04-28 01:35:41,235 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A2C0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A2C115A, thread 8768).
2026-04-28 01:35:41,360 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:35:41,454 [root] DEBUG: 3596: DLL loaded at 0x773F0000: C:\Windows\System32\Normaliz (0x7000 bytes).
2026-04-28 01:35:41,516 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x08610000 skipped
2026-04-28 01:35:41,641 [root] DEBUG: 7496: GetEntropy: Error - Supplied address inaccessible: 0x7EF60000
2026-04-28 01:35:41,673 [root] DEBUG: 7728: AllocationHandler: Processing previous tracked region at: 0x7F980000.
2026-04-28 01:35:41,673 [root] DEBUG: 7548: .NET JIT native cache at 0x00520000: scans and dumps active.
2026-04-28 01:35:41,704 [root] DEBUG: 5144: .NET JIT native cache at 0x00BC0000: scans and dumps active.
2026-04-28 01:35:41,704 [root] DEBUG: 7508: DumpRegion: Dump at 0x0AF40000 skipped due to dump limit 10
2026-04-28 01:35:41,720 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09620000.
2026-04-28 01:35:41,720 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A2C0000 skipped
2026-04-28 01:35:41,751 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x7F090000.
2026-04-28 01:35:41,751 [root] DEBUG: 3596: DLL loaded at 0x6FEB0000: C:\Windows\SYSTEM32\WININET (0x454000 bytes).
2026-04-28 01:35:41,782 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x06040000.
2026-04-28 01:35:41,860 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x0A370000, size: 0x1000.
2026-04-28 01:35:41,938 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFC380000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-04-28 01:35:41,954 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:41,954 [root] DEBUG: 7728: DumpPEsInRange: Scanning range 0x7F980000 - 0x7F98003C.
2026-04-28 01:35:41,970 [root] DEBUG: 7548: caller_dispatch: Added region at 0x00520000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00521D2B, thread 8948).
2026-04-28 01:35:42,063 [root] DEBUG: 5144: caller_dispatch: Added region at 0x00BC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00BC1051, thread 8980).
2026-04-28 01:35:42,079 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x03130000, size: 0x1000.
2026-04-28 01:35:42,079 [root] DEBUG: 7508: ProcessTrackedRegion: Failed to dump region at 0x0AF40000.
2026-04-28 01:35:42,095 [root] DEBUG: 3596: DLL loaded at 0x70310000: C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer (0xa3000 bytes).
2026-04-28 01:35:42,126 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x7F090000.
2026-04-28 01:35:42,204 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:42,235 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x7F080000.
2026-04-28 01:35:42,235 [root] DEBUG: 3836: .NET JIT native cache at 0x08650000: scans and dumps active.
2026-04-28 01:35:42,391 [root] DEBUG: 7496: AllocationHandler: Processing previous tracked region at: 0x09280000.
2026-04-28 01:35:42,407 [root] DEBUG: 3444: DEBUG:Initialized 9 com hooks
2026-04-28 01:35:42,407 [root] DEBUG: 7728: ScanForDisguisedPE: Size too small: 0x3c bytes
2026-04-28 01:35:42,407 [root] DEBUG: 5200: .NET JIT native cache at 0x0AAC0000: scans and dumps active.
2026-04-28 01:35:42,423 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x00520000 skipped
2026-04-28 01:35:42,423 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:42,423 [root] INFO: Process with pid 7508 has terminated
2026-04-28 01:35:42,517 [root] INFO: Process lock is locked
2026-04-28 01:35:42,579 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x00BC0000 skipped
2026-04-28 01:35:42,829 [root] DEBUG: 3836: caller_dispatch: Added region at 0x08650000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x086503F8, thread 604).
2026-04-28 01:35:42,938 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x00950000, size: 0x1000.
2026-04-28 01:35:43,032 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A370000.
2026-04-28 01:35:43,110 [root] DEBUG: 7496: DumpPEsInRange: Scanning range 0x09280000 - 0x0928262D.
2026-04-28 01:35:43,266 [root] INFO: Added new file to list with pid 3404 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_5qom1nq3.s2n.ps1
2026-04-28 01:35:43,407 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7728_835489642352227142026 to CAPE\671d8ae066bf34f35c7a7fb8f36c05ba86bd03a37e80548430469af0c7dd8c23; Size is 60; Max size: 100000000
2026-04-28 01:35:43,516 [root] DEBUG: 5200: caller_dispatch: Added region at 0x0AAC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0AAC11EC, thread 2888).
2026-04-28 01:35:43,595 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFCC00000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-04-28 01:35:43,610 [root] DEBUG: 6384: .NET JIT native cache at 0x031A0000: scans and dumps active.
2026-04-28 01:35:43,704 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x08650000 skipped
2026-04-28 01:35:43,766 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CB0000.
2026-04-28 01:35:43,782 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:43,845 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A370000.
2026-04-28 01:35:43,907 [root] INFO: Added new file to list with pid 3404 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_drr1vdji.x04.psm1
2026-04-28 01:35:43,907 [root] DEBUG: 7496: ScanForDisguisedPE: No PE image located in range 0x09280000-0x0928262D.
2026-04-28 01:35:43,907 [root] DEBUG: 7728: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7728_835489642352227142026 (size 60 bytes)
2026-04-28 01:35:43,907 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x0AAC0000 skipped
2026-04-28 01:35:43,923 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044A0000.
2026-04-28 01:35:43,923 [root] DEBUG: 6384: caller_dispatch: Added region at 0x031A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x031A3260, thread 8768).
2026-04-28 01:35:43,923 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x06040000.
2026-04-28 01:35:43,938 [root] DEBUG: 3596: AllocationHandler: Previously reserved region at 0x09BE0000, committing at: 0x09BEC000.
2026-04-28 01:35:44,016 [root] DEBUG: 7548: .NET JIT native cache at 0x096B0000: scans and dumps active.
2026-04-28 01:35:44,095 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A370000.
2026-04-28 01:35:44,110 [root] DEBUG: 7728: DumpRegion: Dumped entire allocation from 0x7F980000, size 4096 bytes.
2026-04-28 01:35:44,110 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x099B0000.
2026-04-28 01:35:44,126 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09A40000.
2026-04-28 01:35:44,188 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x031A0000 skipped
2026-04-28 01:35:44,220 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x00920000.
2026-04-28 01:35:44,298 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF1EB0000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2026-04-28 01:35:44,470 [root] DEBUG: 3836: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:35:44,516 [root] DEBUG: 7548: caller_dispatch: Added region at 0x096B0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x096B382B, thread 8948).
2026-04-28 01:35:44,610 [root] DEBUG: 3488: .NET JIT native cache at 0x0A370000: scans and dumps active.
2026-04-28 01:35:44,704 [root] DEBUG: 5144: .NET JIT native cache at 0x09A70000: scans and dumps active.
2026-04-28 01:35:44,829 [root] DEBUG: 7728: ProcessTrackedRegion: Dumped region at 0x7F980000.
2026-04-28 01:35:44,954 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09620000.
2026-04-28 01:35:45,063 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x03130000.
2026-04-28 01:35:45,188 [root] DEBUG: 3404: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:35:45,251 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7496_43082543352227142026 to CAPE\769105eca87d880549f6f8d42e8b123c7d1c6cb3b02543c2db50fea1a9ad6e64; Size is 9773; Max size: 100000000
2026-04-28 01:35:45,266 [root] DEBUG: 3836: .NET JIT native cache at 0x00A00000: scans and dumps active.
2026-04-28 01:35:45,313 [root] DEBUG: 6228: set_hooks_by_export_directory: Hooked 0 out of 628 functions
2026-04-28 01:35:45,313 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x096B0000 skipped
2026-04-28 01:35:45,313 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF2120000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2026-04-28 01:35:45,329 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A370000 skipped
2026-04-28 01:35:45,345 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09A70000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09A706DB, thread 8980).
2026-04-28 01:35:45,454 [root] DEBUG: 7728: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7F970000.
2026-04-28 01:35:45,532 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x09DB0000, size: 0x1000.
2026-04-28 01:35:45,548 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x03160000, size: 0x1000.
2026-04-28 01:35:45,548 [root] DEBUG: 3404: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:35:45,548 [root] DEBUG: 5200: .NET JIT native cache at 0x0AA30000: scans and dumps active.
2026-04-28 01:35:45,548 [root] DEBUG: 7496: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7496_43082543352227142026 (size 9773 bytes)
2026-04-28 01:35:45,563 [root] DEBUG: 3836: caller_dispatch: Added region at 0x00A00000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00A03723, thread 9196).
2026-04-28 01:35:45,563 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08620000.
2026-04-28 01:35:45,626 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09A70000 skipped
2026-04-28 01:35:45,641 [root] DEBUG: 6228: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:35:45,657 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A030000.
2026-04-28 01:35:45,766 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:45,798 [root] DEBUG: 7728: AllocationHandler: Previously reserved region at 0x7F970000, committing at: 0x7F970000.
2026-04-28 01:35:45,813 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:45,813 [root] DEBUG: 7496: DumpRegion: Dumped entire allocation from 0x09280000, size 12288 bytes.
2026-04-28 01:35:45,813 [root] DEBUG: 3404: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:35:45,829 [root] DEBUG: 5200: caller_dispatch: Added region at 0x0AA30000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0AA30801, thread 2888).
2026-04-28 01:35:45,829 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x00A00000 skipped
2026-04-28 01:35:45,845 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044D0000.
2026-04-28 01:35:45,907 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:35:46,266 [root] DEBUG: 3488: .NET JIT native cache at 0x0A380000: scans and dumps active.
2026-04-28 01:35:46,298 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x7F980000.
2026-04-28 01:35:46,298 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09DB0000.
2026-04-28 01:35:46,329 [root] DEBUG: 6228: NtTerminateProcess hook: Attempting to dump process 6228
2026-04-28 01:35:46,329 [root] DEBUG: 6384: .NET JIT native cache at 0x03160000: scans and dumps active.
2026-04-28 01:35:46,345 [root] DEBUG: 7496: ProcessTrackedRegion: Dumped region at 0x09280000.
2026-04-28 01:35:46,360 [root] DEBUG: 3404: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:35:46,360 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x0AA30000 skipped
2026-04-28 01:35:46,454 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x043A0000, size: 0x1000.
2026-04-28 01:35:46,470 [root] DEBUG: 7548: .NET JIT native cache at 0x09A10000: scans and dumps active.
2026-04-28 01:35:46,548 [root] DEBUG: 5144: .NET JIT native cache at 0x09DF0000: scans and dumps active.
2026-04-28 01:35:46,641 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x7F980000.
2026-04-28 01:35:46,735 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09DB0000.
2026-04-28 01:35:46,829 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x7F970000.
2026-04-28 01:35:46,970 [root] DEBUG: 6228: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:35:47,032 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A380000 to tracked regions list (advapi32::RegQueryValueExW returns to 0x0A380091, thread 6580).
2026-04-28 01:35:47,141 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x03160000 skipped
2026-04-28 01:35:47,251 [root] DEBUG: 3404: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:35:47,391 [root] DEBUG: 3836: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:47,485 [root] DEBUG: 7496: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7EF60000.
2026-04-28 01:35:47,595 [root] DEBUG: 7548: caller_dispatch: Added region at 0x09A10000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09A180D7, thread 8948).
2026-04-28 01:35:47,673 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09DF0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09DF0A50, thread 8980).
2026-04-28 01:35:47,735 [root] DEBUG: 3596: .NET JIT native cache at 0x09DB0000: scans and dumps active.
2026-04-28 01:35:47,798 [root] INFO: Added new file to list with pid 7728 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_t0crgahm.l5e.ps1
2026-04-28 01:35:47,814 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A380000 skipped
2026-04-28 01:35:47,907 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_5qom1nq3.s2n.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:48,016 [root] INFO: Process with pid 6228 has terminated
2026-04-28 01:35:48,032 [root] DEBUG: 5200: FreeHandler: Address: 0x09A90000.
2026-04-28 01:35:48,173 [root] DEBUG: 6384: .NET JIT native cache at 0x04AD0000: scans and dumps active.
2026-04-28 01:35:48,298 [root] DEBUG: 3836: .NET JIT native cache at 0x04410000: scans and dumps active.
2026-04-28 01:35:48,438 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x09A10000 skipped
2026-04-28 01:35:48,563 [root] DEBUG: 7496: AllocationHandler: Previously reserved region at 0x7EF60000, committing at: 0x7EF60000.
2026-04-28 01:35:48,595 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09DF0000 skipped
2026-04-28 01:35:48,970 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x09DB0000 skipped
2026-04-28 01:35:49,095 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_drr1vdji.x04.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:49,204 [root] INFO: Added new file to list with pid 7728 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_juqnoqoc.g4z.psm1
2026-04-28 01:35:49,376 [root] DEBUG: 7104: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:35:49,376 [root] DEBUG: 6384: caller_dispatch: Added region at 0x04AD0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x04AD1888, thread 8768).
2026-04-28 01:35:49,423 [root] DEBUG: 5200: DumpPEsInRange: Scanning range 0x09A90000 - 0x09A90E82.
2026-04-28 01:35:49,423 [root] DEBUG: 3836: caller_dispatch: Added region at 0x04410000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x04411908, thread 9196).
2026-04-28 01:35:49,423 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x7EF60000.
2026-04-28 01:35:49,423 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x7F220000, size: 0x50000.
2026-04-28 01:35:49,455 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A030000.
2026-04-28 01:35:49,455 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x7EF80000, size: 0x50000.
2026-04-28 01:35:49,455 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF41E0000: C:\Windows\system32\wbem\wmiutils (0x28000 bytes).
2026-04-28 01:35:49,470 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:35:49,688 [root] DEBUG: 3404: DLL loaded at 0x6EBF0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2026-04-28 01:35:49,782 [root] DEBUG: 7104: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:35:49,829 [root] DEBUG: 7728: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:35:49,938 [root] DEBUG: 5200: ScanForDisguisedPE: No PE image located in range 0x09A90000-0x09A90E82.
2026-04-28 01:35:49,954 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x04410000 skipped
2026-04-28 01:35:50,001 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x04AD0000 skipped
2026-04-28 01:35:50,157 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x7EF60000.
2026-04-28 01:35:50,188 [root] DEBUG: 5144: GetEntropy: Error - Supplied address inaccessible: 0x7F220000
2026-04-28 01:35:50,329 [root] DEBUG: 7548: GetEntropy: Error - Supplied address inaccessible: 0x7EF80000
2026-04-28 01:35:50,454 [root] DEBUG: 3596: .NET JIT native cache at 0x0ABE0000: scans and dumps active.
2026-04-28 01:35:50,563 [root] DEBUG: 3404: DLL loaded at 0x6EBD0000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2026-04-28 01:35:50,657 [root] DEBUG: 3488: .NET JIT native cache at 0x0B380000: scans and dumps active.
2026-04-28 01:35:50,751 [root] DEBUG: 7728: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:35:50,766 [root] DEBUG: 7104: NtTerminateProcess hook: Attempting to dump process 7104
2026-04-28 01:35:50,766 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x043A0000.
2026-04-28 01:35:50,829 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x7EF50000, size: 0x10000.
2026-04-28 01:35:50,829 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5200_3911449352227142026 to CAPE\1de0793f9e4e6a72fe11760b6be65a9b567e86b33b6ed53f8ca7eb69e126ee02; Size is 3714; Max size: 100000000
2026-04-28 01:35:50,892 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:50,892 [root] DEBUG: 3596: caller_dispatch: Added region at 0x0ABE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0ABE0654, thread 4676).
2026-04-28 01:35:50,892 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:50,907 [root] DEBUG: 3404: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2026-04-28 01:35:50,938 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x03130000.
2026-04-28 01:35:50,938 [root] DEBUG: 7728: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:35:50,938 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0B380000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0B381360, thread 6580).
2026-04-28 01:35:50,938 [root] DEBUG: 7104: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:35:50,970 [root] DEBUG: 7496: GetEntropy: Error - Supplied address inaccessible: 0x7EF50000
2026-04-28 01:35:50,985 [root] DEBUG: 3836: .NET JIT native cache at 0x08670000: scans and dumps active.
2026-04-28 01:35:51,080 [root] DEBUG: 5200: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5200_3911449352227142026 (size 3714 bytes)
2026-04-28 01:35:51,095 [root] DEBUG: 5144: AllocationHandler: Processing previous tracked region at: 0x099B0000.
2026-04-28 01:35:51,095 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x0ABE0000 skipped
2026-04-28 01:35:51,220 [root] INFO: Process with pid 7104 appears to have terminated
2026-04-28 01:35:51,282 [root] DEBUG: 7548: AllocationHandler: Processing previous tracked region at: 0x08620000.
2026-04-28 01:35:51,501 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x04D20000.
2026-04-28 01:35:51,626 [root] DEBUG: 3404: DLL loaded at 0x6EE20000: C:\Windows\SYSTEM32\urlmon (0x1a8000 bytes).
2026-04-28 01:35:51,860 [root] DEBUG: 7728: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:35:51,970 [root] INFO: Process with pid 7104 has terminated
2026-04-28 01:35:52,095 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0B380000 skipped
2026-04-28 01:35:52,266 [root] DEBUG: 3836: caller_dispatch: Added region at 0x08670000 to tracked regions list (advapi32::CryptAcquireContextW returns to 0x08672604, thread 9196).
2026-04-28 01:35:52,391 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:52,595 [root] DEBUG: 5200: DumpRegion: Dumped entire allocation from 0x09A90000, size 8192 bytes.
2026-04-28 01:35:52,610 [root] DEBUG: 7548: DumpPEsInRange: Scanning range 0x08620000 - 0x0862262D.
2026-04-28 01:35:52,610 [root] DEBUG: 6384: .NET JIT native cache at 0x0A350000: scans and dumps active.
2026-04-28 01:35:52,610 [root] DEBUG: 5144: DumpPEsInRange: Scanning range 0x099B0000 - 0x099B26CD.
2026-04-28 01:35:52,642 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A2E0000.
2026-04-28 01:35:52,642 [root] DEBUG: 3404: DLL loaded at 0x703C0000: C:\Windows\SYSTEM32\PROPSYS (0xc2000 bytes).
2026-04-28 01:35:52,860 [root] DEBUG: 7728: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:35:52,876 [root] DEBUG: 6396: CreateProcessHandler: Injection info set for new process 8632: C:\Program Files\Windows Security\BrowserCore\en-US\qemu-ga.exe, ImageBase: 0x00400000
2026-04-28 01:35:52,876 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x08670000 skipped
2026-04-28 01:35:52,876 [root] DEBUG: 7496: AllocationHandler: Processing previous tracked region at: 0x7EF60000.
2026-04-28 01:35:52,970 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:35:53,220 [root] DEBUG: 5200: ProcessTrackedRegion: Dumped region at 0x09A90000.
2026-04-28 01:35:53,251 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A350000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A353216, thread 8768).
2026-04-28 01:35:53,251 [root] DEBUG: 7548: ScanForDisguisedPE: No PE image located in range 0x08620000-0x0862262D.
2026-04-28 01:35:53,251 [root] DEBUG: 5144: ScanForDisguisedPE: No PE image located in range 0x099B0000-0x099B26CD.
2026-04-28 01:35:53,329 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x02F10000, size: 0x1000.
2026-04-28 01:35:53,345 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A030000.
2026-04-28 01:35:53,345 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:53,438 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_t0crgahm.l5e.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:53,704 [root] INFO: Announced 32-bit process name: qemu-ga.exe pid: 8632
2026-04-28 01:35:53,704 [root] DEBUG: 7496: DumpPEsInRange: Scanning range 0x7EF60000 - 0x7EF6003C.
2026-04-28 01:35:53,704 [lib.api.process] INFO: Monitor config for <Process 8632 qemu-ga.exe>: C:\ltb6yatm\dll\8632.ini
2026-04-28 01:35:53,720 [root] DEBUG: 3836: .NET JIT native cache at 0x09120000: scans and dumps active.
2026-04-28 01:35:53,720 [root] DEBUG: 5200: FreeHandler: Dumped executable range containing 0x09A90000.
2026-04-28 01:35:53,720 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\aUdGyWws.dll, loader C:\ltb6yatm\bin\ReIIPbe.exe
2026-04-28 01:35:53,735 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A350000 skipped
2026-04-28 01:35:53,751 [root] DEBUG: 3596: .NET JIT native cache at 0x0AE00000: scans and dumps active.
2026-04-28 01:35:53,782 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7548_12682553352227142026 to CAPE\ffe185e221ba9342cb5d8b58547dd2533f5addffffe592fb98a2f6e39b084d85; Size is 9773; Max size: 100000000
2026-04-28 01:35:53,782 [root] DEBUG: 3404: DLL loaded at 0x773F0000: C:\Windows\System32\Normaliz (0x7000 bytes).
2026-04-28 01:35:53,782 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5144_12682553352227142026 to CAPE\2dd85704d5fffabedc8674070bdddbf2dd0dd2737ad6ea1367c00b356dbef8cc; Size is 9933; Max size: 100000000
2026-04-28 01:35:53,829 [root] DEBUG: 3488: .NET JIT native cache at 0x0A3E0000: scans and dumps active.
2026-04-28 01:35:53,860 [root] DEBUG: 7496: ScanForDisguisedPE: Size too small: 0x3c bytes
2026-04-28 01:35:53,860 [root] DEBUG: 5144: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5144_12682553352227142026 (size 9933 bytes)
2026-04-28 01:35:53,860 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_juqnoqoc.g4z.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:35:53,891 [root] DEBUG: 5200: DropTrackedRegion: removed region at 0x09A90000 from tracked region list.
2026-04-28 01:35:53,907 [root] DEBUG: Loader: Injecting process 8632 (thread 7908) with C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:35:53,923 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09120000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0912108C, thread 9196).
2026-04-28 01:35:54,063 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x061B0000.
2026-04-28 01:35:54,188 [root] DEBUG: 3596: caller_dispatch: Added region at 0x0AE00000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0AE01360, thread 4676).
2026-04-28 01:35:54,345 [root] DEBUG: 7548: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7548_12682553352227142026 (size 9773 bytes)
2026-04-28 01:35:54,407 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A3E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A3E0801, thread 6580).
2026-04-28 01:35:54,438 [root] DEBUG: 3404: DLL loaded at 0x6FEB0000: C:\Windows\SYSTEM32\WININET (0x454000 bytes).
2026-04-28 01:35:54,454 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7496_1765408053352227142026 to CAPE\efb513311ba418c690c433d0b763a615574fb8ee9be606ba45edcea63ae72f09; Size is 60; Max size: 100000000
2026-04-28 01:35:54,470 [root] DEBUG: 7728: DLL loaded at 0x6EBF0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2026-04-28 01:35:54,470 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:35:54,485 [root] DEBUG: 5144: DumpRegion: Dumped entire allocation from 0x099B0000, size 12288 bytes.
2026-04-28 01:35:54,516 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09120000 skipped
2026-04-28 01:35:54,688 [root] DEBUG: 5200: .NET JIT native cache at 0x006E0000: scans and dumps active.
2026-04-28 01:35:54,954 [root] DEBUG: 6384: AllocationHandler: Previously reserved region at 0x0A350000, committing at: 0x0A356000.
2026-04-28 01:35:55,079 [root] DEBUG: 7548: DumpRegion: Dumped entire allocation from 0x08620000, size 12288 bytes.
2026-04-28 01:35:55,266 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x0AE00000 skipped
2026-04-28 01:35:55,360 [root] DEBUG: 7496: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7496_1765408053352227142026 (size 60 bytes)
2026-04-28 01:35:55,501 [root] DEBUG: 3404: DLL loaded at 0x70310000: C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer (0xa3000 bytes).
2026-04-28 01:35:55,517 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A3E0000 skipped
2026-04-28 01:35:55,657 [root] DEBUG: 7728: DLL loaded at 0x6EBD0000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2026-04-28 01:35:55,860 [root] DEBUG: 7496: DumpRegion: Dumped entire allocation from 0x7EF60000, size 4096 bytes.
2026-04-28 01:35:56,298 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\aUdGyWws.dll.
2026-04-28 01:35:56,423 [root] DEBUG: 5200: caller_dispatch: Added region at 0x006E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x006E3C09, thread 2888).
2026-04-28 01:35:56,470 [lib.api.process] INFO: Injected into 32-bit <Process 8632 qemu-ga.exe>
2026-04-28 01:35:56,470 [root] DEBUG: 7548: ProcessTrackedRegion: Dumped region at 0x08620000.
2026-04-28 01:35:56,563 [root] DEBUG: 5144: ProcessTrackedRegion: Dumped region at 0x099B0000.
2026-04-28 01:35:56,595 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09D60000.
2026-04-28 01:35:56,688 [root] DEBUG: 6384: .NET JIT native cache at 0x0A6A0000: scans and dumps active.
2026-04-28 01:35:56,720 [root] DEBUG: 3836: .NET JIT native cache at 0x08660000: scans and dumps active.
2026-04-28 01:35:56,720 [root] DEBUG: 7728: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2026-04-28 01:35:56,720 [root] DEBUG: 7496: ProcessTrackedRegion: Dumped region at 0x7EF60000.
2026-04-28 01:35:56,751 [root] DEBUG: 3404: AllocationHandler: Previously reserved region at 0x0A1A0000, committing at: 0x0A1AE000.
2026-04-28 01:35:56,766 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x006E0000 skipped
2026-04-28 01:35:56,798 [root] DEBUG: 3488: FreeHandler: Address: 0x02D90000.
2026-04-28 01:35:56,798 [root] DEBUG: 6396: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:35:56,860 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:35:57,016 [root] DEBUG: 7548: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7EF80000.
2026-04-28 01:35:57,157 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A6A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A6A80D7, thread 8768).
2026-04-28 01:35:57,157 [root] DEBUG: 5144: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7F220000.
2026-04-28 01:35:57,157 [root] DEBUG: 7728: DLL loaded at 0x6EE20000: C:\Windows\SYSTEM32\urlmon (0x1a8000 bytes).
2026-04-28 01:35:57,173 [root] DEBUG: 3836: caller_dispatch: Added region at 0x08660000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x08661AE1, thread 9196).
2026-04-28 01:35:57,329 [root] DEBUG: 7496: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7EF50000.
2026-04-28 01:35:57,407 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x02F40000, size: 0x1000.
2026-04-28 01:35:57,548 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09620000.
2026-04-28 01:35:57,626 [root] DEBUG: 3488: DumpPEsInRange: Scanning range 0x02D90000 - 0x02D90E82.
2026-04-28 01:35:57,657 [root] DEBUG: 6396: DLL loaded at 0x750B0000: C:\Windows\system32\apphelp (0x9f000 bytes).
2026-04-28 01:35:57,704 [root] DEBUG: 3596: .NET JIT native cache at 0x0AB40000: scans and dumps active.
2026-04-28 01:35:57,720 [root] DEBUG: 7548: AllocationHandler: Previously reserved region at 0x7EF80000, committing at: 0x7EF80000.
2026-04-28 01:35:57,720 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A6A0000 skipped
2026-04-28 01:35:57,860 [root] DEBUG: 7496: AllocationHandler: Previously reserved region at 0x7EF50000, committing at: 0x7EF50000.
2026-04-28 01:35:57,891 [root] DEBUG: 5144: AllocationHandler: Previously reserved region at 0x7F220000, committing at: 0x7F220000.
2026-04-28 01:35:57,891 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x08660000 skipped
2026-04-28 01:35:57,954 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:57,970 [root] DEBUG: 7728: DLL loaded at 0x703C0000: C:\Windows\SYSTEM32\PROPSYS (0xc2000 bytes).
2026-04-28 01:35:57,985 [root] DEBUG: 3488: ScanForDisguisedPE: No PE image located in range 0x02D90000-0x02D90E82.
2026-04-28 01:35:57,985 [root] DEBUG: 8632: Python path set to 'C:\Python310'.
2026-04-28 01:35:57,985 [root] DEBUG: 5200: AllocationHandler: Previously reserved region at 0x006E0000, committing at: 0x006E7000.
2026-04-28 01:35:58,173 [root] DEBUG: 3596: caller_dispatch: Added region at 0x0AB40000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0AB40801, thread 4676).
2026-04-28 01:35:58,188 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x7EF80000.
2026-04-28 01:35:58,188 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x7F220000.
2026-04-28 01:35:58,188 [root] DEBUG: 6396: NtTerminateProcess hook: Attempting to dump process 6396
2026-04-28 01:35:58,188 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x7EF60000.
2026-04-28 01:35:58,204 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x7F930000, size: 0x50000.
2026-04-28 01:35:58,204 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x02F10000.
2026-04-28 01:35:58,235 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x04330000, size: 0x1000.
2026-04-28 01:35:58,235 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x043A0000.
2026-04-28 01:35:58,235 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3488_4038557352227142026 to CAPE\5f251a5b0a9a28a70879bc7580ec0d10c11d353e99017682d5e4264ab50a2ce4; Size is 3714; Max size: 100000000
2026-04-28 01:35:58,235 [root] DEBUG: 8632: Dropped file limit defaulting to 100.
2026-04-28 01:35:58,251 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00CE0000.
2026-04-28 01:35:58,251 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x0AB40000 skipped
2026-04-28 01:35:58,454 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x7EF80000.
2026-04-28 01:35:58,563 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x7F220000.
2026-04-28 01:35:58,751 [root] DEBUG: 6396: VerifyCodeSection: Executable code does not match, 0x9d62 of 0x2bfcb matching
2026-04-28 01:35:58,782 [root] DEBUG: 6384: GetEntropy: Error - Supplied address inaccessible: 0x7F930000
2026-04-28 01:35:58,829 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x7EF60000.
2026-04-28 01:35:58,845 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:58,845 [root] DEBUG: 3404: .NET JIT native cache at 0x08940000: scans and dumps active.
2026-04-28 01:35:58,876 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x05CC0000.
2026-04-28 01:35:58,891 [root] DEBUG: 3488: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3488_4038557352227142026 (size 3714 bytes)
2026-04-28 01:35:58,907 [root] DEBUG: 5200: DLL loaded at 0x6FE50000: C:\Windows\SYSTEM32\miutils (0x52000 bytes).
2026-04-28 01:35:58,907 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x7EF70000, size: 0x10000.
2026-04-28 01:35:58,907 [root] DEBUG: 6396: DoProcessDump: Code modification detected, dumping Imagebase at 0x00450000.
2026-04-28 01:35:58,923 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x7F210000, size: 0x10000.
2026-04-28 01:35:58,923 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x06040000.
2026-04-28 01:35:59,016 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:59,110 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x7EF50000.
2026-04-28 01:35:59,266 [root] DEBUG: 7728: DLL loaded at 0x773F0000: C:\Windows\System32\Normaliz (0x7000 bytes).
2026-04-28 01:35:59,329 [root] DEBUG: 3596: FreeHandler: Address: 0x00920000.
2026-04-28 01:35:59,345 [root] DEBUG: 8632: Disabling sleep skipping.
2026-04-28 01:35:59,345 [root] DEBUG: 3404: caller_dispatch: Added region at 0x08940000 to tracked regions list (kernel32::GetSystemInfo returns to 0x08941320, thread 5524).
2026-04-28 01:35:59,345 [root] DEBUG: 3488: DumpRegion: Dumped entire allocation from 0x02D90000, size 8192 bytes.
2026-04-28 01:35:59,360 [root] DEBUG: 7548: GetEntropy: Error - Supplied address inaccessible: 0x7EF70000
2026-04-28 01:35:59,360 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x08940000 skipped
2026-04-28 01:35:59,673 [root] DEBUG: 5200: DLL loaded at 0x715A0000: C:\Windows\SYSTEM32\mi (0x1c000 bytes).
2026-04-28 01:35:59,766 [root] DEBUG: 6396: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-04-28 01:35:59,845 [root] DEBUG: 5144: GetEntropy: Error - Supplied address inaccessible: 0x7F210000
2026-04-28 01:35:59,876 [root] DEBUG: 7728: DLL loaded at 0x6FEB0000: C:\Windows\SYSTEM32\WININET (0x454000 bytes).
2026-04-28 01:35:59,876 [root] DEBUG: 6384: AllocationHandler: Processing previous tracked region at: 0x0A350000.
2026-04-28 01:35:59,891 [root] DEBUG: 3836: .NET JIT native cache at 0x0AB20000: scans and dumps active.
2026-04-28 01:35:59,923 [root] DEBUG: 8632: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:35:59,938 [root] INFO: Added new file to list with pid 7496 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_42akvxyy.had.ps1
2026-04-28 01:35:59,938 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:59,938 [root] DEBUG: 3596: DumpPEsInRange: Scanning range 0x00920000 - 0x00920E82.
2026-04-28 01:35:59,954 [root] DEBUG: 5200: DLL loaded at 0x715C0000: C:\Windows\SYSTEM32\Microsoft.Management.Infrastructure.Native.Unmanaged (0x8000 bytes).
2026-04-28 01:35:59,954 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:35:59,970 [root] DEBUG: 3488: ProcessTrackedRegion: Dumped region at 0x02D90000.
2026-04-28 01:35:59,970 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A050000.
2026-04-28 01:36:00,048 [root] DEBUG: 5144: AllocationHandler: Processing previous tracked region at: 0x7F220000.
2026-04-28 01:36:00,313 [root] DEBUG: 7728: DLL loaded at 0x70310000: C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer (0xa3000 bytes).
2026-04-28 01:36:00,438 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A350000 skipped
2026-04-28 01:36:00,548 [root] DEBUG: 3836: caller_dispatch: Added region at 0x0AB20000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x0AB2B06F, thread 9196).
2026-04-28 01:36:00,673 [root] DEBUG: 6396: DumpProcess: Instantiating PeParser with address: 0x00450000.
2026-04-28 01:36:00,876 [root] INFO: Added new file to list with pid 7496 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_nqbxirxz.2pn.psm1
2026-04-28 01:36:00,954 [root] DEBUG: 8632: YaraScan: Scanning 0x00400000, size 0x1ff800
2026-04-28 01:36:00,985 [root] DEBUG: 3596: ScanForDisguisedPE: No PE image located in range 0x00920000-0x00920E82.
2026-04-28 01:36:01,048 [root] DEBUG: 3488: FreeHandler: Dumped executable range containing 0x02D90000.
2026-04-28 01:36:01,048 [root] DEBUG: 5200: DLL loaded at 0x704B0000: C:\Windows\SYSTEM32\DPAPI (0x8000 bytes).
2026-04-28 01:36:01,048 [root] DEBUG: 7548: AllocationHandler: Processing previous tracked region at: 0x7EF80000.
2026-04-28 01:36:01,048 [root] DEBUG: 5144: DumpPEsInRange: Scanning range 0x7F220000 - 0x7F22003C.
2026-04-28 01:36:01,063 [root] DEBUG: 7728: AllocationHandler: Previously reserved region at 0x09D00000, committing at: 0x09D0E000.
2026-04-28 01:36:01,063 [root] DEBUG: 6384: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7F930000.
2026-04-28 01:36:01,063 [root] DEBUG: 6396: DumpProcess: Module entry point VA is 0x00466B20.
2026-04-28 01:36:01,079 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x0AB20000 skipped
2026-04-28 01:36:01,079 [root] DEBUG: 3404: AllocationHandler: Previously reserved region at 0x08940000, committing at: 0x0894C000.
2026-04-28 01:36:01,157 [root] DEBUG: 8632: Monitor initialised: 32-bit capemon loaded in process 8632 at 0x73f00000, thread 7908, image base 0x400000, stack from 0x195000-0x1a0000
2026-04-28 01:36:01,220 [root] DEBUG: 7496: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:36:01,266 [root] DEBUG: 5200: DLL loaded at 0x71570000: C:\Windows\System32\wmidcom (0x26000 bytes).
2026-04-28 01:36:01,516 [root] DEBUG: 3488: DropTrackedRegion: removed region at 0x02D90000 from tracked region list.
2026-04-28 01:36:01,626 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3596_19681362227142026 to CAPE\59e4016939b6ab15302933e29b8f7d8720e1e7fff62e520910d2e69cd344ba18; Size is 3714; Max size: 100000000
2026-04-28 01:36:01,688 [root] DEBUG: 7548: DumpPEsInRange: Scanning range 0x7EF80000 - 0x7EF8003C.
2026-04-28 01:36:01,766 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x04360000, size: 0x1000.
2026-04-28 01:36:01,860 [root] DEBUG: 5144: ScanForDisguisedPE: Size too small: 0x3c bytes
2026-04-28 01:36:01,938 [root] DEBUG: 6384: AllocationHandler: Previously reserved region at 0x7F930000, committing at: 0x7F930000.
2026-04-28 01:36:02,063 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\6396_2873231362227142026 to procdump\7089c8fecfb6cbcac37750e65dfaf7dd2b20b145130068273111258fc4d15bf8; Size is 346624; Max size: 100000000
2026-04-28 01:36:02,079 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08940000.
2026-04-28 01:36:02,095 [root] DEBUG: 8632: Commandline: "C:\Program Files\Windows Security\BrowserCore\en-US\qemu-ga.exe"
2026-04-28 01:36:02,173 [root] DEBUG: 7496: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:36:02,173 [root] DEBUG: 3596: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3596_19681362227142026 (size 3714 bytes)
2026-04-28 01:36:02,298 [root] DEBUG: 3836: AllocationHandler: Previously reserved region at 0x0AB20000, committing at: 0x0AB2C000.
2026-04-28 01:36:02,438 [root] DEBUG: 7548: ScanForDisguisedPE: Size too small: 0x3c bytes
2026-04-28 01:36:02,548 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5144_176540801362227142026 to CAPE\93ab6dc32c596db2d75cbd815a03b130859b7599712280cdb7c7edaa0fb9700b; Size is 60; Max size: 100000000
2026-04-28 01:36:02,579 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:02,688 [root] DEBUG: 3488: .NET JIT native cache at 0x00BC0000: scans and dumps active.
2026-04-28 01:36:02,735 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08940000.
2026-04-28 01:36:02,782 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x7F930000.
2026-04-28 01:36:02,798 [root] DEBUG: 6396: DumpProcess: Module image dump success - dump size 0x54a00.
2026-04-28 01:36:02,813 [root] DEBUG: 8632: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-28 01:36:02,845 [root] DEBUG: 7496: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:36:02,907 [root] DEBUG: 5200: .NET JIT native cache at 0x0A990000: scans and dumps active.
2026-04-28 01:36:02,970 [root] DEBUG: 3596: DumpRegion: Dumped entire allocation from 0x00920000, size 8192 bytes.
2026-04-28 01:36:02,985 [root] INFO: Process with pid 6396 appears to have terminated
2026-04-28 01:36:03,235 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7548_89912642362227142026 to CAPE\169a3f2051a3a72fe1e41db4cd40eadd26cc66987b9b352b977dcbdef58dadc1; Size is 60; Max size: 100000000
2026-04-28 01:36:03,298 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x043A0000.
2026-04-28 01:36:03,407 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x04330000.
2026-04-28 01:36:03,516 [root] DEBUG: 5144: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5144_176540801362227142026 (size 60 bytes)
2026-04-28 01:36:03,563 [root] DEBUG: 3404: .NET JIT native cache at 0x0A3B0000: scans and dumps active.
2026-04-28 01:36:03,579 [root] DEBUG: 3488: caller_dispatch: Added region at 0x00BC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00BC3C09, thread 6580).
2026-04-28 01:36:03,720 [root] DEBUG: 8632: hook_api: Warning - SetWindowLongW export address 0x75D45420 differs from GetProcAddress -> 0x750E59E0 (apphelp.dll::0xff3d59e0)
2026-04-28 01:36:03,798 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x7F930000.
2026-04-28 01:36:03,813 [root] DEBUG: 7496: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:36:03,876 [root] INFO: Process with pid 6396 has terminated
2026-04-28 01:36:03,923 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x00BC0000 skipped
2026-04-28 01:36:03,954 [root] DEBUG: 3596: ProcessTrackedRegion: Dumped region at 0x00920000.
2026-04-28 01:36:03,970 [root] DEBUG: 5200: caller_dispatch: Added region at 0x0A990000 to tracked regions list (ntdll::NtCreateEvent returns to 0x0A990D11, thread 2888).
2026-04-28 01:36:04,048 [root] DEBUG: 7548: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7548_89912642362227142026 (size 60 bytes)
2026-04-28 01:36:04,110 [root] DEBUG: 3836: .NET JIT native cache at 0x09CB0000: scans and dumps active.
2026-04-28 01:36:04,266 [root] DEBUG: 7728: .NET JIT native cache at 0x08470000: scans and dumps active.
2026-04-28 01:36:04,376 [root] DEBUG: 5144: DumpRegion: Dumped entire allocation from 0x7F220000, size 4096 bytes.
2026-04-28 01:36:04,391 [root] DEBUG: 8632: hook_api: Warning - EnumDisplayDevicesA export address 0x75D395A0 differs from GetProcAddress -> 0x750E6780 (apphelp.dll::0xff3d6780)
2026-04-28 01:36:04,391 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0A3B0000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x0A3B37D7, thread 5524).
2026-04-28 01:36:04,391 [root] DEBUG: 7496: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:36:04,391 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x7F920000, size: 0x10000.
2026-04-28 01:36:04,407 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A030000.
2026-04-28 01:36:04,423 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x0A990000 skipped
2026-04-28 01:36:04,423 [root] DEBUG: 3596: FreeHandler: Dumped executable range containing 0x00920000.
2026-04-28 01:36:04,455 [root] DEBUG: 7548: DumpRegion: Dumped entire allocation from 0x7EF80000, size 4096 bytes.
2026-04-28 01:36:04,470 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09CB0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09CBACBD, thread 9196).
2026-04-28 01:36:04,470 [root] DEBUG: 7728: caller_dispatch: Added region at 0x08470000 to tracked regions list (kernel32::GetSystemInfo returns to 0x08471320, thread 616).
2026-04-28 01:36:04,486 [root] DEBUG: 8632: hook_api: Warning - EnumDisplayDevicesW export address 0x75D4FB70 differs from GetProcAddress -> 0x7510E4D0 (apphelp.dll::0xff3fe4d0)
2026-04-28 01:36:04,486 [root] DEBUG: 5144: ProcessTrackedRegion: Dumped region at 0x7F220000.
2026-04-28 01:36:04,501 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0A3B0000 skipped
2026-04-28 01:36:04,563 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_42akvxyy.had.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:36:04,626 [root] DEBUG: 3488: AllocationHandler: Previously reserved region at 0x00BC0000, committing at: 0x00BC7000.
2026-04-28 01:36:04,782 [root] DEBUG: 6384: GetEntropy: Error - Supplied address inaccessible: 0x7F920000
2026-04-28 01:36:04,985 [root] DEBUG: 3596: DropTrackedRegion: removed region at 0x00920000 from tracked region list.
2026-04-28 01:36:05,126 [root] DEBUG: 5200: api-cap: compileMethod hook disabled due to count: 5000
2026-04-28 01:36:05,204 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09CB0000 skipped
2026-04-28 01:36:05,220 [root] DEBUG: 7548: ProcessTrackedRegion: Dumped region at 0x7EF80000.
2026-04-28 01:36:05,251 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x08470000 skipped
2026-04-28 01:36:05,485 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 01:36:05,657 [root] DEBUG: 5144: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7F210000.
2026-04-28 01:36:05,688 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFB970000: C:\Windows\SYSTEM32\ncrypt (0x27000 bytes).
2026-04-28 01:36:05,704 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_nqbxirxz.2pn.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:36:05,704 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF5C20000: C:\Windows\SYSTEM32\WINHTTP (0x10a000 bytes).
2026-04-28 01:36:05,704 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F50000.
2026-04-28 01:36:05,704 [root] DEBUG: 3596: AllocationHandler: Previously reserved region at 0x0AB40000, committing at: 0x0AB4A000.
2026-04-28 01:36:05,766 [root] DEBUG: 5200: AllocationHandler: Previously reserved region at 0x0A990000, committing at: 0x0A991000.
2026-04-28 01:36:05,782 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A050000.
2026-04-28 01:36:05,782 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:05,813 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x043A0000.
2026-04-28 01:36:05,813 [root] DEBUG: 7548: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7EF70000.
2026-04-28 01:36:05,891 [root] DEBUG: 8632: set_hooks: Unable to hook GetCommandLineA
2026-04-28 01:36:05,907 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09BF0000.
2026-04-28 01:36:05,907 [root] DEBUG: 3488: DLL loaded at 0x6FE50000: C:\Windows\SYSTEM32\miutils (0x52000 bytes).
2026-04-28 01:36:06,016 [root] DEBUG: 5144: AllocationHandler: Previously reserved region at 0x7F210000, committing at: 0x7F210000.
2026-04-28 01:36:06,141 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFD0A0000: C:\Windows\System32\WLDAP32 (0x56000 bytes).
2026-04-28 01:36:06,204 [root] DEBUG: 7496: DLL loaded at 0x6EBF0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2026-04-28 01:36:06,407 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:06,501 [root] DEBUG: 3596: .NET JIT native cache at 0x00910000: scans and dumps active.
2026-04-28 01:36:06,626 [root] DEBUG: 6384: AllocationHandler: Processing previous tracked region at: 0x7F930000.
2026-04-28 01:36:06,688 [root] DEBUG: 7548: AllocationHandler: Previously reserved region at 0x7EF70000, committing at: 0x7EF70000.
2026-04-28 01:36:06,766 [root] DEBUG: 3836: .NET JIT native cache at 0x09CD0000: scans and dumps active.
2026-04-28 01:36:06,845 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 01:36:06,860 [root] DEBUG: 3404: .NET JIT native cache at 0x08C50000: scans and dumps active.
2026-04-28 01:36:06,907 [root] DEBUG: 3488: DLL loaded at 0x715A0000: C:\Windows\SYSTEM32\mi (0x1c000 bytes).
2026-04-28 01:36:06,923 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x7F220000.
2026-04-28 01:36:07,048 [root] DEBUG: 7496: DLL loaded at 0x6EBD0000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2026-04-28 01:36:07,048 [root] DEBUG: 6384: DumpPEsInRange: Scanning range 0x7F930000 - 0x7F93003C.
2026-04-28 01:36:07,063 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:07,079 [root] DEBUG: 3596: caller_dispatch: Added region at 0x00910000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00913829, thread 4676).
2026-04-28 01:36:07,141 [root] DEBUG: 3444: DLL loaded at 0x00007FFEE9E70000: C:\Windows\SYSTEM32\certca (0xcd000 bytes).
2026-04-28 01:36:07,157 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x7EF80000.
2026-04-28 01:36:07,173 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x09CC0000, size: 0x1000.
2026-04-28 01:36:07,173 [root] DEBUG: 7728: AllocationHandler: Previously reserved region at 0x08470000, committing at: 0x0847C000.
2026-04-28 01:36:07,188 [root] DEBUG: 8632: set_hooks: Unable to hook GetCommandLineW
2026-04-28 01:36:07,204 [root] DEBUG: 3404: caller_dispatch: Added region at 0x08C50000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08C5089F, thread 5524).
2026-04-28 01:36:07,204 [root] DEBUG: 6384: ScanForDisguisedPE: Size too small: 0x3c bytes
2026-04-28 01:36:07,204 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x7F220000.
2026-04-28 01:36:07,220 [root] DEBUG: 7496: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2026-04-28 01:36:07,235 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:07,235 [root] DEBUG: 3488: DLL loaded at 0x715C0000: C:\Windows\SYSTEM32\Microsoft.Management.Infrastructure.Native.Unmanaged (0x8000 bytes).
2026-04-28 01:36:07,235 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x00910000 skipped
2026-04-28 01:36:07,282 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x7EF80000.
2026-04-28 01:36:07,391 [root] DEBUG: 3836: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:07,485 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF5FF0000: C:\Windows\SYSTEM32\DSPARSE (0xc000 bytes).
2026-04-28 01:36:07,626 [root] DEBUG: 8632: Hooked 630 out of 632 functions
2026-04-28 01:36:07,751 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08470000.
2026-04-28 01:36:07,891 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\6384_969007362227142026 to CAPE\c338cdd22842cce5bf62b6c7d9c02013164728e860aa5684d8456c9e0b270262; Size is 60; Max size: 100000000
2026-04-28 01:36:07,923 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x08C50000 skipped
2026-04-28 01:36:07,938 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x7F210000.
2026-04-28 01:36:07,938 [root] DEBUG: 7496: DLL loaded at 0x6EE20000: C:\Windows\SYSTEM32\urlmon (0x1a8000 bytes).
2026-04-28 01:36:07,938 [root] DEBUG: 3488: DLL loaded at 0x704B0000: C:\Windows\SYSTEM32\DPAPI (0x8000 bytes).
2026-04-28 01:36:08,048 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:08,188 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:36:08,298 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x7EF70000.
2026-04-28 01:36:08,391 [root] DEBUG: 8632: Syscall hook installed, syscall logging level 1
2026-04-28 01:36:08,391 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09CD0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09CD1A41, thread 9196).
2026-04-28 01:36:08,407 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08470000.
2026-04-28 01:36:08,485 [root] DEBUG: 6384: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\6384_969007362227142026 (size 60 bytes)
2026-04-28 01:36:08,485 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x08AA0000, size: 0x1000.
2026-04-28 01:36:08,501 [root] INFO: Added new file to list with pid 5144 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_ibzonsf5.pty.ps1
2026-04-28 01:36:08,501 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:08,501 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBD00000: C:\Windows\SYSTEM32\DPAPI (0xa000 bytes).
2026-04-28 01:36:08,595 [root] DEBUG: 3488: DLL loaded at 0x71570000: C:\Windows\System32\wmidcom (0x26000 bytes).
2026-04-28 01:36:08,766 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x00D00000.
2026-04-28 01:36:08,766 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:08,782 [root] DEBUG: 8632: RestoreHeaders: Restored original import table.
2026-04-28 01:36:08,907 [root] DEBUG: 7496: DLL loaded at 0x703C0000: C:\Windows\SYSTEM32\PROPSYS (0xc2000 bytes).
2026-04-28 01:36:09,001 [root] INFO: Added new file to list with pid 7548 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_l1n3ntvt.qgd.ps1
2026-04-28 01:36:09,017 [root] DEBUG: 6384: DumpRegion: Dumped entire allocation from 0x7F930000, size 4096 bytes.
2026-04-28 01:36:09,017 [root] DEBUG: 7728: .NET JIT native cache at 0x09FD0000: scans and dumps active.
2026-04-28 01:36:09,032 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09CD0000 skipped
2026-04-28 01:36:09,110 [root] INFO: Added new file to list with pid 5144 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_q4y0qetn.4x2.psm1
2026-04-28 01:36:09,173 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A050000.
2026-04-28 01:36:09,188 [root] DEBUG: 3444: DLL loaded at 0x00007FFEE90A0000: C:\Windows\SYSTEM32\certenroll (0x338000 bytes).
2026-04-28 01:36:09,188 [root] DEBUG: 3596: DLL loaded at 0x6FE50000: C:\Windows\SYSTEM32\miutils (0x52000 bytes).
2026-04-28 01:36:09,188 [root] DEBUG: 5200: caller_dispatch: Added region at 0x08950000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08952992, thread 2888).
2026-04-28 01:36:09,204 [root] INFO: Loaded monitor into process with pid 8632
2026-04-28 01:36:09,204 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:09,251 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x08E40000, size: 0x1000.
2026-04-28 01:36:09,298 [root] INFO: Added new file to list with pid 7548 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_0y0izcr1.cgq.psm1
2026-04-28 01:36:09,313 [root] DEBUG: 6384: ProcessTrackedRegion: Dumped region at 0x7F930000.
2026-04-28 01:36:09,313 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09FD0000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x09FD37D7, thread 616).
2026-04-28 01:36:09,313 [root] DEBUG: 3488: .NET JIT native cache at 0x0A3D0000: scans and dumps active.
2026-04-28 01:36:09,329 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x043A0000.
2026-04-28 01:36:09,391 [root] DEBUG: 5144: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:36:09,391 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x08C40000, size: 0x1000.
2026-04-28 01:36:09,391 [root] DEBUG: 3596: DLL loaded at 0x715A0000: C:\Windows\SYSTEM32\mi (0x1c000 bytes).
2026-04-28 01:36:09,391 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBFA0000: C:\Windows\System32\cfgmgr32 (0x4e000 bytes).
2026-04-28 01:36:09,407 [root] DEBUG: 5200: ProcessTrackedRegion: .NET cache region at 0x08950000 skipped
2026-04-28 01:36:09,407 [root] DEBUG: 8632: caller_dispatch: Added region at 0x00400000 to tracked regions list (kernel32::HeapCreate returns to 0x0040D54F, thread 7908).
2026-04-28 01:36:09,423 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:09,438 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:09,470 [root] DEBUG: 7548: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:36:09,470 [root] DEBUG: 6384: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7F920000.
2026-04-28 01:36:09,485 [root] DEBUG: 3488: caller_dispatch: Added region at 0x0A3D0000 to tracked regions list (ntdll::NtCreateEvent returns to 0x0A3D0D11, thread 6580).
2026-04-28 01:36:09,485 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09FD0000 skipped
2026-04-28 01:36:09,563 [root] DEBUG: 3836: .NET JIT native cache at 0x09DB0000: scans and dumps active.
2026-04-28 01:36:09,673 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:09,782 [root] DEBUG: 5144: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:36:09,923 [root] DEBUG: 3596: DLL loaded at 0x715C0000: C:\Windows\SYSTEM32\Microsoft.Management.Infrastructure.Native.Unmanaged (0x8000 bytes).
2026-04-28 01:36:10,079 [root] DEBUG: 8632: YaraScan: Scanning 0x00400000, size 0x1ff800
2026-04-28 01:36:10,220 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBCB0000: C:\Windows\SYSTEM32\DEVOBJ (0x2c000 bytes).
2026-04-28 01:36:10,329 [root] DEBUG: 7496: DLL loaded at 0x773F0000: C:\Windows\System32\Normaliz (0x7000 bytes).
2026-04-28 01:36:10,454 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:10,501 [root] DEBUG: 7548: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:36:10,626 [root] DEBUG: 6384: AllocationHandler: Previously reserved region at 0x7F920000, committing at: 0x7F920000.
2026-04-28 01:36:10,735 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x0A3D0000 skipped
2026-04-28 01:36:10,782 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09DB0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09DB4C8A, thread 9196).
2026-04-28 01:36:10,954 [root] DEBUG: 5144: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:36:11,079 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09BF0000.
2026-04-28 01:36:11,157 [root] DEBUG: 3596: DLL loaded at 0x704B0000: C:\Windows\SYSTEM32\DPAPI (0x8000 bytes).
2026-04-28 01:36:11,267 [root] DEBUG: 7496: DLL loaded at 0x6FEB0000: C:\Windows\SYSTEM32\WININET (0x454000 bytes).
2026-04-28 01:36:11,438 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:11,579 [root] DEBUG: 8632: ProcessImageBase: Main module image at 0x00400000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:36:11,735 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x7F930000.
2026-04-28 01:36:11,751 [root] DEBUG: 3488: api-cap: compileMethod hook disabled due to count: 5000
2026-04-28 01:36:11,766 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBDC0000: C:\Windows\SYSTEM32\UMPDC (0x12000 bytes).
2026-04-28 01:36:11,766 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x7F930000.
2026-04-28 01:36:11,766 [root] DEBUG: 7548: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:36:11,782 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09DB0000 skipped
2026-04-28 01:36:12,016 [root] DEBUG: 5144: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:36:12,126 [root] DEBUG: 3596: DLL loaded at 0x71570000: C:\Windows\System32\wmidcom (0x26000 bytes).
2026-04-28 01:36:12,173 [root] DEBUG: 7728: .NET JIT native cache at 0x09040000: scans and dumps active.
2026-04-28 01:36:12,188 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A050000.
2026-04-28 01:36:12,204 [root] DEBUG: 7496: DLL loaded at 0x70310000: C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer (0xa3000 bytes).
2026-04-28 01:36:12,235 [root] DEBUG: 8632: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 01:36:12,252 [root] DEBUG: 3488: AllocationHandler: Previously reserved region at 0x0A3D0000, committing at: 0x0A3D1000.
2026-04-28 01:36:12,266 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:12,266 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x7F920000.
2026-04-28 01:36:12,391 [root] DEBUG: 5144: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:36:12,423 [root] DEBUG: 7548: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:36:12,438 [root] DEBUG: 3836: .NET JIT native cache at 0x09DC0000: scans and dumps active.
2026-04-28 01:36:12,470 [root] DEBUG: 3444: DLL loaded at 0x00007FFEE85B0000: C:\Windows\SYSTEM32\TpmCoreProvisioning (0x123000 bytes).
2026-04-28 01:36:12,501 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09040000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0904089F, thread 616).
2026-04-28 01:36:12,501 [root] DEBUG: 3404: .NET JIT native cache at 0x0A3C0000: scans and dumps active.
2026-04-28 01:36:12,563 [root] DEBUG: 8632: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 01:36:12,563 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:12,579 [root] DEBUG: 7496: AllocationHandler: Previously reserved region at 0x034D0000, committing at: 0x034DE000.
2026-04-28 01:36:12,595 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:12,626 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_ibzonsf5.pty.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:36:12,641 [root] INFO: Added new file to list with pid 6384 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_hs0k3aav.yqj.ps1
2026-04-28 01:36:12,641 [root] DEBUG: 3596: .NET JIT native cache at 0x0AB70000: scans and dumps active.
2026-04-28 01:36:12,641 [root] DEBUG: 7548: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:36:12,704 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09DC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09DC0757, thread 9196).
2026-04-28 01:36:12,704 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09040000 skipped
2026-04-28 01:36:12,704 [root] DEBUG: 8632: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 01:36:12,720 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0A3C0000 to tracked regions list (advapi32::RegOpenKeyExW returns to 0x0A3C32D6, thread 5524).
2026-04-28 01:36:12,720 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x08E70000, size: 0x1000.
2026-04-28 01:36:12,720 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:12,735 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF6A80000: C:\Windows\System32\wbem\Win32_TPM (0x18000 bytes).
2026-04-28 01:36:12,782 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:12,813 [root] INFO: Added new file to list with pid 6384 and path C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_ecqm2vl4.b2p.psm1
2026-04-28 01:36:12,829 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:12,845 [root] DEBUG: 3596: caller_dispatch: Added region at 0x0AB70000 to tracked regions list (ntdll::NtCreateEvent returns to 0x0AB706C1, thread 4676).
2026-04-28 01:36:12,923 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_q4y0qetn.4x2.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:36:12,985 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_l1n3ntvt.qgd.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:36:13,001 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x085C0000, size: 0x1000.
2026-04-28 01:36:13,016 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09DC0000 skipped
2026-04-28 01:36:13,126 [root] DEBUG: 8632: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 01:36:13,266 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:13,361 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:13,501 [root] DEBUG: 6384: DLL loaded at 0x6F4E0000: C:\Windows\System32\MSISIP (0x10000 bytes).
2026-04-28 01:36:13,641 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0A3C0000 skipped
2026-04-28 01:36:13,985 [root] DEBUG: 3596: ProcessTrackedRegion: .NET cache region at 0x0AB70000 skipped
2026-04-28 01:36:14,063 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08E40000.
2026-04-28 01:36:14,110 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFB930000: C:\Windows\SYSTEM32\NTASN1 (0x3b000 bytes).
2026-04-28 01:36:14,141 [root] DEBUG: 5144: DLL loaded at 0x6EBF0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2026-04-28 01:36:14,157 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_0y0izcr1.cgq.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:36:14,157 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:14,157 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:14,157 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x0A990000.
2026-04-28 01:36:14,173 [root] DEBUG: 8632: DLL loaded at 0x73EA0000: C:\Windows\SYSTEM32\mscoree (0x52000 bytes).
2026-04-28 01:36:14,282 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x043A0000.
2026-04-28 01:36:14,407 [root] DEBUG: 6384: DLL loaded at 0x6F4C0000: C:\Windows\System32\wshext (0x18000 bytes).
2026-04-28 01:36:14,532 [root] DEBUG: 3404: AllocationHandler: Previously reserved region at 0x0A3C0000, committing at: 0x0A3CF000.
2026-04-28 01:36:14,595 [root] DEBUG: 3596: api-cap: compileMethod hook disabled due to count: 5000
2026-04-28 01:36:14,674 [root] DEBUG: 7496: .NET JIT native cache at 0x08F80000: scans and dumps active.
2026-04-28 01:36:14,798 [root] DEBUG: 7548: DLL loaded at 0x6EBF0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2026-04-28 01:36:14,907 [root] DEBUG: 5144: DLL loaded at 0x6EBD0000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2026-04-28 01:36:14,907 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:14,923 [root] DEBUG: 8632: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-28 01:36:15,063 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09A40000.
2026-04-28 01:36:15,157 [root] DEBUG: 6384: DLL loaded at 0x6F330000: C:\Windows\SYSTEM32\OpcServices (0x14d000 bytes).
2026-04-28 01:36:15,204 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09BF0000.
2026-04-28 01:36:15,220 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBDE0000: C:\Windows\SYSTEM32\powrprof (0x4b000 bytes).
2026-04-28 01:36:15,220 [root] DEBUG: 3596: AllocationHandler: Previously reserved region at 0x0AB70000, committing at: 0x0AB71000.
2026-04-28 01:36:15,235 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08AA0000.
2026-04-28 01:36:15,251 [root] DEBUG: 7548: DLL loaded at 0x6EBD0000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2026-04-28 01:36:15,251 [root] DEBUG: 7496: caller_dispatch: Added region at 0x08F80000 to tracked regions list (kernel32::GetSystemInfo returns to 0x08F81320, thread 5940).
2026-04-28 01:36:15,251 [root] DEBUG: 3836: .NET JIT native cache at 0x09DD0000: scans and dumps active.
2026-04-28 01:36:15,266 [root] DEBUG: 5144: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2026-04-28 01:36:15,266 [root] DEBUG: 3488: caller_dispatch: Added region at 0x09DC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09DC2992, thread 6580).
2026-04-28 01:36:15,282 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:15,298 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x08540000, size: 0x1000.
2026-04-28 01:36:15,298 [root] DEBUG: 8632: DLL loaded at 0x734F0000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2026-04-28 01:36:15,313 [root] DEBUG: 6384: DLL loaded at 0x6F480000: C:\Windows\System32\AppxSip (0x3c000 bytes).
2026-04-28 01:36:15,313 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x085D0000, size: 0x1000.
2026-04-28 01:36:15,313 [root] DEBUG: 3444: DLL loaded at 0x00007FFEE8550000: C:\Windows\SYSTEM32\framedynos (0x52000 bytes).
2026-04-28 01:36:15,313 [root] DEBUG: 3404: .NET JIT native cache at 0x0A4A0000: scans and dumps active.
2026-04-28 01:36:15,345 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:15,345 [root] DEBUG: 7548: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2026-04-28 01:36:15,360 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x08F80000 skipped
2026-04-28 01:36:15,454 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09DD0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09DD0E02, thread 9196).
2026-04-28 01:36:15,610 [root] DEBUG: 5144: DLL loaded at 0x6EE20000: C:\Windows\SYSTEM32\urlmon (0x1a8000 bytes).
2026-04-28 01:36:15,751 [root] DEBUG: 3488: ProcessTrackedRegion: .NET cache region at 0x09DC0000 skipped
2026-04-28 01:36:15,891 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:16,001 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:16,095 [root] DEBUG: 6384: DLL loaded at 0x6F320000: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2026-04-28 01:36:16,110 [root] DEBUG: 8632: DLL loaded at 0x735A0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2026-04-28 01:36:16,110 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:16,126 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0A4A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A4A1E64, thread 5524).
2026-04-28 01:36:16,220 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:16,376 [root] DEBUG: 7548: DLL loaded at 0x6EE20000: C:\Windows\SYSTEM32\urlmon (0x1a8000 bytes).
2026-04-28 01:36:16,501 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09DD0000 skipped
2026-04-28 01:36:16,626 [root] DEBUG: 3444: DLL loaded at 0x00007FFEAD560000: C:\Windows\system32\wbem\cimwin32 (0x20f000 bytes).
2026-04-28 01:36:16,720 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x09280000.
2026-04-28 01:36:16,845 [root] DEBUG: 5144: DLL loaded at 0x703C0000: C:\Windows\SYSTEM32\PROPSYS (0xc2000 bytes).
2026-04-28 01:36:17,048 [root] DEBUG: 5200: DumpPEsInRange: Scanning range 0x08540000 - 0x0854017B.
2026-04-28 01:36:17,220 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:17,407 [root] DEBUG: 8632: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x848000 bytes).
2026-04-28 01:36:17,516 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_hs0k3aav.yqj.ps1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:36:17,657 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0A4A0000 skipped
2026-04-28 01:36:17,766 [root] DEBUG: 3836: AllocationHandler: Previously reserved region at 0x09DD0000, committing at: 0x09DD7000.
2026-04-28 01:36:17,923 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:18,032 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFC950000: C:\Windows\System32\imagehlp (0x1d000 bytes).
2026-04-28 01:36:18,126 [root] DEBUG: 7548: DLL loaded at 0x703C0000: C:\Windows\SYSTEM32\PROPSYS (0xc2000 bytes).
2026-04-28 01:36:18,157 [root] DEBUG: 5200: ScanForDisguisedPE: Size too small: 0x17b bytes
2026-04-28 01:36:18,173 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0x03BB3000, size: 0x1000.
2026-04-28 01:36:18,188 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x08300000, size: 0x1000.
2026-04-28 01:36:18,204 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:18,204 [root] DEBUG: 7496: AllocationHandler: Previously reserved region at 0x08F80000, committing at: 0x08F8C000.
2026-04-28 01:36:18,313 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09BF0000.
2026-04-28 01:36:18,360 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09CC0000.
2026-04-28 01:36:18,438 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_ecqm2vl4.b2p.psm1 to files\96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7; Size is 60; Max size: 100000000
2026-04-28 01:36:18,563 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:19,001 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF4D70000: C:\Windows\SYSTEM32\tbs (0x1a000 bytes).
2026-04-28 01:36:19,235 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x07FF0000, size: 0x1000.
2026-04-28 01:36:19,266 [root] DEBUG: 8632: GetEntropy: Error - Supplied address inaccessible: 0x03BB0000
2026-04-28 01:36:19,298 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5200_564135718362227142026 to CAPE\34149c1aec487c807bcf462e55b739fb0f2289692669ad4311434b281aaa9bd8; Size is 379; Max size: 100000000
2026-04-28 01:36:19,298 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:19,298 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:19,329 [root] DEBUG: 7728: .NET JIT native cache at 0x09FE0000: scans and dumps active.
2026-04-28 01:36:19,360 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F80000.
2026-04-28 01:36:19,376 [root] DEBUG: 6384: DLL loaded at 0x6EBF0000: C:\Windows\SYSTEM32\iertutil (0x22d000 bytes).
2026-04-28 01:36:19,376 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:19,407 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x043A0000.
2026-04-28 01:36:19,470 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 8512: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_7.326.2102.0_x64__8wekyb3d8bbwe\GameBar.exe, ImageBase: 0x00007FF76B460000
2026-04-28 01:36:19,501 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A050000.
2026-04-28 01:36:19,766 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:19,845 [root] DEBUG: 5200: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5200_564135718362227142026 (size 379 bytes)
2026-04-28 01:36:19,923 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:20,016 [root] DEBUG: 8632: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:20,095 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09FE0000 to tracked regions list (advapi32::RegOpenKeyExW returns to 0x09FE2ECE, thread 616).
2026-04-28 01:36:20,220 [root] DEBUG: 5144: DLL loaded at 0x773F0000: C:\Windows\System32\Normaliz (0x7000 bytes).
2026-04-28 01:36:20,329 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F80000.
2026-04-28 01:36:20,376 [root] DEBUG: 6384: DLL loaded at 0x6EBD0000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2026-04-28 01:36:20,391 [root] DEBUG: 3836: .NET JIT native cache at 0x09EA0000: scans and dumps active.
2026-04-28 01:36:20,423 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:20,438 [root] INFO: Announced 64-bit process name: GameBar.exe pid: 8512
2026-04-28 01:36:20,454 [lib.api.process] INFO: Monitor config for <Process 8512 GameBar.exe>: C:\ltb6yatm\dll\8512.ini
2026-04-28 01:36:20,470 [root] DEBUG: 7548: DLL loaded at 0x773F0000: C:\Windows\System32\Normaliz (0x7000 bytes).
2026-04-28 01:36:20,470 [root] DEBUG: 5200: DumpRegion: Dumped entire allocation from 0x08540000, size 4096 bytes.
2026-04-28 01:36:20,485 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:20,501 [root] DEBUG: 8632: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2026-04-28 01:36:20,548 [root] DEBUG: 8632: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 7908).
2026-04-28 01:36:20,548 [root] DEBUG: 5144: DLL loaded at 0x6FEB0000: C:\Windows\SYSTEM32\WININET (0x454000 bytes).
2026-04-28 01:36:20,563 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09FE0000 skipped
2026-04-28 01:36:20,579 [root] DEBUG: 7496: .NET JIT native cache at 0x0A980000: scans and dumps active.
2026-04-28 01:36:20,595 [root] DEBUG: 6384: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2026-04-28 01:36:20,610 [root] DEBUG: 3404: FreeHandler: Address: 0x02F10000.
2026-04-28 01:36:20,610 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09EA0000 to tracked regions list (ntdll::LdrLoadDll returns to 0x09EA28F3, thread 9196).
2026-04-28 01:36:20,610 [root] DEBUG: 5200: ProcessTrackedRegion: Dumped region at 0x08540000.
2026-04-28 01:36:20,626 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:20,673 [root] DEBUG: 7548: DLL loaded at 0x6FEB0000: C:\Windows\SYSTEM32\WININET (0x454000 bytes).
2026-04-28 01:36:20,720 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:20,766 [root] DEBUG: 8632: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 01:36:20,876 [root] DEBUG: 5144: DLL loaded at 0x70310000: C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer (0xa3000 bytes).
2026-04-28 01:36:20,907 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A980000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x0A9837D7, thread 5940).
2026-04-28 01:36:20,923 [root] DEBUG: 7728: AllocationHandler: Previously reserved region at 0x09FE0000, committing at: 0x09FE3000.
2026-04-28 01:36:21,141 [root] DEBUG: 6384: DLL loaded at 0x6EE20000: C:\Windows\SYSTEM32\urlmon (0x1a8000 bytes).
2026-04-28 01:36:21,266 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09EA0000 skipped
2026-04-28 01:36:21,329 [root] DEBUG: 3404: DumpPEsInRange: Scanning range 0x02F10000 - 0x02F10E82.
2026-04-28 01:36:21,376 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:36:21,454 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:21,548 [root] DEBUG: 7548: DLL loaded at 0x70310000: C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer (0xa3000 bytes).
2026-04-28 01:36:21,579 [root] DEBUG: 8632: DLL loaded at 0x720E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni (0x140e000 bytes).
2026-04-28 01:36:21,595 [root] DEBUG: 5144: AllocationHandler: Previously reserved region at 0x09A70000, committing at: 0x09A7E000.
2026-04-28 01:36:21,610 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A3D0000.
2026-04-28 01:36:21,610 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A980000 skipped
2026-04-28 01:36:21,735 [root] DEBUG: 6384: DLL loaded at 0x703C0000: C:\Windows\SYSTEM32\PROPSYS (0xc2000 bytes).
2026-04-28 01:36:21,829 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09FE0000.
2026-04-28 01:36:21,923 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:36:22,001 [root] DEBUG: 3404: ScanForDisguisedPE: No PE image located in range 0x02F10000-0x02F10E82.
2026-04-28 01:36:22,188 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x05CC0000.
2026-04-28 01:36:22,313 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x05BF0000.
2026-04-28 01:36:22,485 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:36:22,563 [root] DEBUG: 7548: AllocationHandler: Previously reserved region at 0x096B0000, committing at: 0x096BE000.
2026-04-28 01:36:22,657 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0x03EE0000, size: 0x1000.
2026-04-28 01:36:22,657 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:22,673 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A2E0000.
2026-04-28 01:36:22,688 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x08C40000, size: 0x1000.
2026-04-28 01:36:22,704 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x085C0000.
2026-04-28 01:36:22,735 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x08330000, size: 0x1000.
2026-04-28 01:36:22,752 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3404_323922362227142026 to CAPE\3d8f2ee5ddf03b3423b7da255e29373fa1b40c92d516a81905b2febd19ff914b; Size is 3714; Max size: 100000000
2026-04-28 01:36:22,752 [root] DEBUG: Loader: Injecting process 8512 (thread 8524) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:22,752 [root] DEBUG: 3836: DLL loaded at 0x6FE50000: C:\Windows\SYSTEM32\miutils (0x52000 bytes).
2026-04-28 01:36:22,766 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x09280000.
2026-04-28 01:36:22,815 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x08CD0000, size: 0x1000.
2026-04-28 01:36:22,845 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x08020000, size: 0x1000.
2026-04-28 01:36:22,845 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:36:22,860 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:22,860 [root] DEBUG: 8632: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:22,891 [root] DEBUG: 7728: .NET JIT native cache at 0x09DD0000: scans and dumps active.
2026-04-28 01:36:22,907 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:22,938 [root] DEBUG: 7728: .NET JIT native cache at 0x09DD0000: scans and dumps active.
2026-04-28 01:36:22,954 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:22,970 [root] DEBUG: 3404: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3404_323922362227142026 (size 3714 bytes)
2026-04-28 01:36:22,985 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:36:22,985 [root] DEBUG: 7496: .NET JIT native cache at 0x09A00000: scans and dumps active.
2026-04-28 01:36:22,985 [root] DEBUG: 5200: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:36:23,001 [root] DEBUG: 3836: DLL loaded at 0x715A0000: C:\Windows\SYSTEM32\mi (0x1c000 bytes).
2026-04-28 01:36:23,001 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:23,110 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:23,110 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:23,126 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09DD0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09DD077F, thread 616).
2026-04-28 01:36:23,157 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09DD0000 skipped
2026-04-28 01:36:23,266 [root] DEBUG: 6384: DLL loaded at 0x773F0000: C:\Windows\System32\Normaliz (0x7000 bytes).
2026-04-28 01:36:23,376 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08300000.
2026-04-28 01:36:23,516 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:23,688 [root] DEBUG: 3404: DumpRegion: Dumped entire allocation from 0x02F10000, size 8192 bytes.
2026-04-28 01:36:23,688 [lib.api.process] INFO: Injected into 64-bit <Process 8512 GameBar.exe>
2026-04-28 01:36:23,735 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0x06BC1000, size: 0x1000.
2026-04-28 01:36:23,751 [root] DEBUG: 5200: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:36:23,751 [root] DEBUG: 7496: caller_dispatch: Added region at 0x09A00000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09A0089F, thread 5940).
2026-04-28 01:36:23,751 [root] DEBUG: 3836: DLL loaded at 0x715C0000: C:\Windows\SYSTEM32\Microsoft.Management.Infrastructure.Native.Unmanaged (0x8000 bytes).
2026-04-28 01:36:23,782 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:36:23,813 [root] DEBUG: 3488: DumpPEsInRange: Scanning range 0x08CD0000 - 0x08CD0A2B.
2026-04-28 01:36:23,813 [root] DEBUG: 6384: DLL loaded at 0x6FEB0000: C:\Windows\SYSTEM32\WININET (0x454000 bytes).
2026-04-28 01:36:23,813 [root] DEBUG: 5144: .NET JIT native cache at 0x08410000: scans and dumps active.
2026-04-28 01:36:23,829 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:23,860 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09BF0000.
2026-04-28 01:36:23,860 [root] DEBUG: 3404: ProcessTrackedRegion: Dumped region at 0x02F10000.
2026-04-28 01:36:24,001 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x06BC0000.
2026-04-28 01:36:24,110 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x09A00000 skipped
2026-04-28 01:36:24,298 [root] DEBUG: 3836: DLL loaded at 0x704B0000: C:\Windows\SYSTEM32\DPAPI (0x8000 bytes).
2026-04-28 01:36:24,454 [root] DEBUG: 3836: DLL loaded at 0x71570000: C:\Windows\System32\wmidcom (0x26000 bytes).
2026-04-28 01:36:24,549 [root] DEBUG: 5200: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:36:24,626 [root] INFO: Announced 64-bit process name: GameBar.exe pid: 8512
2026-04-28 01:36:24,657 [lib.api.process] INFO: Monitor config for <Process 8512 GameBar.exe>: C:\ltb6yatm\dll\8512.ini
2026-04-28 01:36:24,704 [root] DEBUG: 7548: .NET JIT native cache at 0x08100000: scans and dumps active.
2026-04-28 01:36:24,798 [root] DEBUG: 6384: DLL loaded at 0x70310000: C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer (0xa3000 bytes).
2026-04-28 01:36:24,813 [root] DEBUG: 5144: caller_dispatch: Added region at 0x08410000 to tracked regions list (kernel32::GetSystemInfo returns to 0x08411320, thread 8980).
2026-04-28 01:36:24,829 [root] DEBUG: 3488: ScanForDisguisedPE: No PE image located in range 0x08CD0000-0x08CD0A2B.
2026-04-28 01:36:24,829 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:24,829 [root] DEBUG: 3404: FreeHandler: Dumped executable range containing 0x02F10000.
2026-04-28 01:36:24,860 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x03BB0000.
2026-04-28 01:36:24,860 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x099E0000, size: 0x1000.
2026-04-28 01:36:24,860 [root] DEBUG: 8632: DumpPEsInRange: Scanning range 0x03BB0000 - 0x03BB1615.
2026-04-28 01:36:25,079 [root] DEBUG: 7548: caller_dispatch: Added region at 0x08100000 to tracked regions list (kernel32::GetSystemInfo returns to 0x08101320, thread 8948).
2026-04-28 01:36:25,079 [root] DEBUG: 5200: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:36:25,095 [root] DEBUG: 7728: FreeHandler: Address: 0x04330000.
2026-04-28 01:36:25,110 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x08410000 skipped
2026-04-28 01:36:25,235 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x0A350000.
2026-04-28 01:36:25,407 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3488_1371248924362227142026 to CAPE\4555e46d77c74961e2fe82766efc989fcf551c749072586b46fb2db3377621ad; Size is 3570; Max size: 100000000
2026-04-28 01:36:25,516 [root] DEBUG: 3404: DropTrackedRegion: removed region at 0x02F10000 from tracked region list.
2026-04-28 01:36:25,579 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:25,595 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x0AB70000.
2026-04-28 01:36:25,657 [root] DEBUG: 8632: ScanForDisguisedPE: No PE image located in range 0x03BB0000-0x03BB1615.
2026-04-28 01:36:25,751 [root] DEBUG: 3836: .NET JIT native cache at 0x09ED0000: scans and dumps active.
2026-04-28 01:36:25,907 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x08100000 skipped
2026-04-28 01:36:26,016 [root] DEBUG: 3836: .NET JIT native cache at 0x09ED0000: scans and dumps active.
2026-04-28 01:36:26,157 [root] DEBUG: 7728: DumpPEsInRange: Scanning range 0x04330000 - 0x04330E82.
2026-04-28 01:36:26,501 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x08C70000, size: 0x1000.
2026-04-28 01:36:26,516 [root] DEBUG: 3404: .NET JIT native cache at 0x02EB0000: scans and dumps active.
2026-04-28 01:36:26,563 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:36:26,610 [root] DEBUG: 3488: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3488_1371248924362227142026 (size 3570 bytes)
2026-04-28 01:36:26,673 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09D60000.
2026-04-28 01:36:26,704 [root] DEBUG: 3836: caller_dispatch: Added region at 0x09ED0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09ED19C1, thread 1920).
2026-04-28 01:36:26,720 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x099B0000.
2026-04-28 01:36:26,751 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\8632_1247347225362227142026 to CAPE\895d693d15d4f8994f01fe01ef372e8205795f37de03497be8c0372ddd69db7c; Size is 5653; Max size: 100000000
2026-04-28 01:36:26,798 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x09280000.
2026-04-28 01:36:26,923 [root] DEBUG: 7728: ScanForDisguisedPE: No PE image located in range 0x04330000-0x04330E82.
2026-04-28 01:36:27,173 [root] DEBUG: Loader: Injecting process 8512 (thread 8524) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:27,251 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:27,329 [root] DEBUG: 3404: caller_dispatch: Added region at 0x02EB0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x02EB1571, thread 5524).
2026-04-28 01:36:27,345 [root] DEBUG: 3488: DumpRegion: Dumped entire allocation from 0x08CD0000, size 4096 bytes.
2026-04-28 01:36:27,391 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08620000.
2026-04-28 01:36:27,470 [root] DEBUG: 3836: ProcessTrackedRegion: .NET cache region at 0x09ED0000 skipped
2026-04-28 01:36:27,938 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x08750000, size: 0x1000.
2026-04-28 01:36:28,095 [root] DEBUG: 8632: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\8632_1247347225362227142026 (size 5653 bytes)
2026-04-28 01:36:28,173 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x099F0000, size: 0x1000.
2026-04-28 01:36:28,313 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7728_3977026362227142026 to CAPE\4faf3f4e69ba7b275afe4d7f97ae262fbd813657f744682ee4302842799d1854; Size is 3714; Max size: 100000000
2026-04-28 01:36:28,391 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:36:28,470 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08C40000.
2026-04-28 01:36:28,641 [root] DEBUG: 3488: ProcessTrackedRegion: Dumped region at 0x08CD0000.
2026-04-28 01:36:28,673 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x02EB0000 skipped
2026-04-28 01:36:28,766 [root] DEBUG: 5144: AllocationHandler: Previously reserved region at 0x08410000, committing at: 0x0841C000.
2026-04-28 01:36:28,891 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:28,923 [root] DEBUG: 8632: DumpRegion: Dumped entire allocation from 0x03BB0000, size 8192 bytes.
2026-04-28 01:36:29,063 [root] DEBUG: 5200: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:36:29,157 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:29,298 [root] DEBUG: 7728: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7728_3977026362227142026 (size 3714 bytes)
2026-04-28 01:36:29,391 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:29,595 [root] DEBUG: 7728: DumpRegion: Dumped entire allocation from 0x04330000, size 8192 bytes.
2026-04-28 01:36:29,735 [root] DEBUG: 6384: .NET JIT native cache at 0x08D50000: scans and dumps active.
2026-04-28 01:36:29,813 [lib.api.process] INFO: Injected into 64-bit <Process 8512 GameBar.exe>
2026-04-28 01:36:29,860 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:36:30,048 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08410000.
2026-04-28 01:36:30,235 [root] DEBUG: 7548: AllocationHandler: Previously reserved region at 0x08100000, committing at: 0x0810C000.
2026-04-28 01:36:30,516 [root] DEBUG: 3404: AllocationHandler: Previously reserved region at 0x02EB0000, committing at: 0x02EBD000.
2026-04-28 01:36:30,704 [root] DEBUG: 3596: DumpPEsInRange: Scanning range 0x08750000 - 0x08750503.
2026-04-28 01:36:30,923 [root] DEBUG: 8632: ProcessTrackedRegion: Dumped region at 0x03BB0000.
2026-04-28 01:36:31,188 [root] DEBUG: 7728: ProcessTrackedRegion: Dumped region at 0x04330000.
2026-04-28 01:36:31,204 [root] DEBUG: 6384: caller_dispatch: Added region at 0x08D50000 to tracked regions list (kernel32::GetSystemInfo returns to 0x08D51320, thread 8768).
2026-04-28 01:36:31,204 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:36:31,235 [root] INFO: Announced 64-bit process name: GameBar.exe pid: 8512
2026-04-28 01:36:31,235 [lib.api.process] INFO: Monitor config for <Process 8512 GameBar.exe>: C:\ltb6yatm\dll\8512.ini
2026-04-28 01:36:31,235 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08100000.
2026-04-28 01:36:31,251 [root] DEBUG: 3596: ScanForDisguisedPE: Size too small: 0x503 bytes
2026-04-28 01:36:31,266 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08410000.
2026-04-28 01:36:31,313 [root] DEBUG: 3404: .NET JIT native cache at 0x02F10000: scans and dumps active.
2026-04-28 01:36:31,423 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF6A30000: C:\Windows\SYSTEM32\wtsapi32 (0x14000 bytes).
2026-04-28 01:36:31,470 [root] DEBUG: 8632: YaraScan: Scanning 0x03BB0000, size 0x1615
2026-04-28 01:36:31,501 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x09280000.
2026-04-28 01:36:31,548 [root] DEBUG: 7728: FreeHandler: Dumped executable range containing 0x04330000.
2026-04-28 01:36:31,548 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x06750000.
2026-04-28 01:36:31,595 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x08D50000 skipped
2026-04-28 01:36:31,688 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:36:31,798 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08100000.
2026-04-28 01:36:32,016 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3596_792055631362227142026 to CAPE\9a5814a604df93bf9e499069b04c7aecd4680faf34bd5dd3b74095d7f23e435a; Size is 1283; Max size: 100000000
2026-04-28 01:36:32,126 [root] DEBUG: 5144: .NET JIT native cache at 0x09E70000: scans and dumps active.
2026-04-28 01:36:32,157 [root] DEBUG: 3404: caller_dispatch: Added region at 0x02F10000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x02F109D2, thread 5524).
2026-04-28 01:36:32,157 [root] DEBUG: 8632: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\wldp (0x27000 bytes).
2026-04-28 01:36:32,188 [root] DEBUG: 7496: .NET JIT native cache at 0x0B6D0000: scans and dumps active.
2026-04-28 01:36:32,282 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBC50000: C:\Windows\SYSTEM32\WINSTA (0x5a000 bytes).
2026-04-28 01:36:32,298 [root] DEBUG: 7728: DropTrackedRegion: removed region at 0x04330000 from tracked region list.
2026-04-28 01:36:32,329 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x03130000.
2026-04-28 01:36:32,424 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:36:32,626 [root] DEBUG: 7548: .NET JIT native cache at 0x0A6C0000: scans and dumps active.
2026-04-28 01:36:32,860 [root] DEBUG: 3596: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3596_792055631362227142026 (size 1283 bytes)
2026-04-28 01:36:32,923 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09E70000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x09E737D7, thread 8980).
2026-04-28 01:36:32,985 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x02F10000 skipped
2026-04-28 01:36:33,188 [root] DEBUG: 8632: DLL loaded at 0x720C0000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-04-28 01:36:33,345 [root] DEBUG: 7728: .NET JIT native cache at 0x00890000: scans and dumps active.
2026-04-28 01:36:33,376 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0B6D0000 to tracked regions list (advapi32::RegOpenKeyExW returns to 0x0B6D32D6, thread 5940).
2026-04-28 01:36:33,407 [root] DEBUG: 3488: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:36:33,407 [root] DEBUG: Loader: Injecting process 8512 (thread 8524) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:33,423 [root] DEBUG: 7548: caller_dispatch: Added region at 0x0A6C0000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x0A6C37D7, thread 8948).
2026-04-28 01:36:33,438 [root] DEBUG: 3596: DumpRegion: Dumped entire allocation from 0x08750000, size 4096 bytes.
2026-04-28 01:36:33,438 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09E70000 skipped
2026-04-28 01:36:33,579 [root] DEBUG: 3444: DLL loaded at 0x0000026F47170000: C:\Windows\SYSTEM32\WMI (0x3000 bytes).
2026-04-28 01:36:33,845 [root] DEBUG: 3404: AllocationHandler: Previously reserved region at 0x02F10000, committing at: 0x02F15000.
2026-04-28 01:36:34,001 [root] DEBUG: 8632: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-28 01:36:34,110 [root] DEBUG: 7728: caller_dispatch: Added region at 0x00890000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00891571, thread 616).
2026-04-28 01:36:34,220 [root] DEBUG: 6384: AllocationHandler: Previously reserved region at 0x08D50000, committing at: 0x08D5C000.
2026-04-28 01:36:34,235 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0B6D0000 skipped
2026-04-28 01:36:34,485 [root] DEBUG: 3488: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:36:34,641 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:36:34,782 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x0A6C0000 skipped
2026-04-28 01:36:35,079 [root] DEBUG: 3596: ProcessTrackedRegion: Dumped region at 0x08750000.
2026-04-28 01:36:35,188 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF78C0000: C:\Windows\SYSTEM32\wmiclnt (0x11000 bytes).
2026-04-28 01:36:35,485 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A050000.
2026-04-28 01:36:35,657 [root] DEBUG: 8632: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-28 01:36:35,704 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x099B0000.
2026-04-28 01:36:35,735 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D50000.
2026-04-28 01:36:35,751 [root] DEBUG: 3836: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:36:35,751 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x00890000 skipped
2026-04-28 01:36:35,891 [root] DEBUG: 7496: .NET JIT native cache at 0x0A950000: scans and dumps active.
2026-04-28 01:36:36,157 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:36,173 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:36:36,188 [lib.api.process] INFO: Injected into 64-bit <Process 8512 GameBar.exe>
2026-04-28 01:36:36,188 [root] DEBUG: 3488: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:36:36,391 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08620000.
2026-04-28 01:36:36,438 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF4A00000: C:\Windows\SYSTEM32\NETAPI32 (0x19000 bytes).
2026-04-28 01:36:36,438 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FC0000.
2026-04-28 01:36:36,454 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x06BC0000.
2026-04-28 01:36:36,516 [root] DEBUG: 5144: .NET JIT native cache at 0x09DC0000: scans and dumps active.
2026-04-28 01:36:36,610 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D50000.
2026-04-28 01:36:36,673 [root] DEBUG: 7496: caller_dispatch: Added region at 0x0A950000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A950117, thread 5940).
2026-04-28 01:36:36,673 [root] DEBUG: 3836: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:36:36,720 [root] DEBUG: 7728: .NET JIT native cache at 0x04330000: scans and dumps active.
2026-04-28 01:36:36,782 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:36:36,813 [root] DEBUG: 3488: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:36:36,829 [root] DEBUG: 7548: .NET JIT native cache at 0x0A680000: scans and dumps active.
2026-04-28 01:36:36,845 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:36:36,970 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF5740000: C:\Windows\SYSTEM32\SAMCLI (0x19000 bytes).
2026-04-28 01:36:37,032 [root] DEBUG: 3404: DLL loaded at 0x6FE50000: C:\Windows\SYSTEM32\miutils (0x52000 bytes).
2026-04-28 01:36:37,048 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x06BC0000.
2026-04-28 01:36:37,048 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09DC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09DC089F, thread 8980).
2026-04-28 01:36:37,095 [root] DEBUG: 6384: .NET JIT native cache at 0x0A750000: scans and dumps active.
2026-04-28 01:36:37,110 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x0A950000 skipped
2026-04-28 01:36:37,110 [root] DEBUG: 3836: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:36:37,126 [root] DEBUG: 7728: caller_dispatch: Added region at 0x04330000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x04330AF2, thread 616).
2026-04-28 01:36:37,126 [root] DEBUG: 7548: caller_dispatch: Added region at 0x0A680000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A68089F, thread 8948).
2026-04-28 01:36:37,204 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:36:37,220 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0x03BFB000, size: 0x1000.
2026-04-28 01:36:37,220 [root] DEBUG: 3404: DLL loaded at 0x715A0000: C:\Windows\SYSTEM32\mi (0x1c000 bytes).
2026-04-28 01:36:37,235 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF15D0000: C:\Windows\SYSTEM32\SRVCLI (0x28000 bytes).
2026-04-28 01:36:37,235 [root] DEBUG: 8632: GetEntropy: Error - Supplied address inaccessible: 0x03BF0000
2026-04-28 01:36:37,251 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09DC0000 skipped
2026-04-28 01:36:37,251 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A750000 to tracked regions list (ntdll::NtQueryFullAttributesFile returns to 0x0A7537D7, thread 8768).
2026-04-28 01:36:37,251 [root] DEBUG: 3836: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:36:37,266 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x099E0000.
2026-04-28 01:36:37,329 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x04330000 skipped
2026-04-28 01:36:37,438 [root] DEBUG: 3596: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:36:37,579 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x0A680000 skipped
2026-04-28 01:36:37,891 [root] DEBUG: 3404: DLL loaded at 0x715C0000: C:\Windows\SYSTEM32\Microsoft.Management.Infrastructure.Native.Unmanaged (0x8000 bytes).
2026-04-28 01:36:38,048 [root] DEBUG: 3488: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:36:38,141 [root] DEBUG: 8632: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:38,188 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x08EC0000, size: 0x1000.
2026-04-28 01:36:38,188 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A750000 skipped
2026-04-28 01:36:38,360 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFB390000: C:\Windows\SYSTEM32\NETUTILS (0xc000 bytes).
2026-04-28 01:36:38,470 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09BF0000.
2026-04-28 01:36:38,657 [root] DEBUG: 3596: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:36:38,891 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x09800000, size: 0x1000.
2026-04-28 01:36:39,063 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x09280000.
2026-04-28 01:36:39,079 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x03BF0000.
2026-04-28 01:36:39,157 [root] DEBUG: 3404: DLL loaded at 0x704B0000: C:\Windows\SYSTEM32\DPAPI (0x8000 bytes).
2026-04-28 01:36:39,391 [root] DEBUG: 7728: AllocationHandler: Previously reserved region at 0x04330000, committing at: 0x04335000.
2026-04-28 01:36:39,626 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:39,907 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFB470000: C:\Windows\SYSTEM32\LOGONCLI (0x43000 bytes).
2026-04-28 01:36:40,063 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x03130000.
2026-04-28 01:36:40,095 [root] DEBUG: 3836: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:36:40,173 [root] DEBUG: 3596: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:36:40,329 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:40,735 [root] DEBUG: 8632: hook_api: clrjit::compileMethod export address 0x72033700 obtained via GetFunctionAddress
2026-04-28 01:36:40,860 [root] DEBUG: 3404: DLL loaded at 0x71570000: C:\Windows\System32\wmidcom (0x26000 bytes).
2026-04-28 01:36:40,907 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x04600000.
2026-04-28 01:36:41,032 [root] DEBUG: 7496: FreeHandler: Address: 0x08E40000.
2026-04-28 01:36:41,048 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x099B0000.
2026-04-28 01:36:41,095 [root] DEBUG: 6384: .NET JIT native cache at 0x090A0000: scans and dumps active.
2026-04-28 01:36:41,345 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF20F0000: C:\Windows\SYSTEM32\SCHEDCLI (0xc000 bytes).
2026-04-28 01:36:41,423 [root] DEBUG: 3596: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:36:41,423 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08620000.
2026-04-28 01:36:41,485 [root] DEBUG: 8632: DLL loaded at 0x72030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2026-04-28 01:36:41,501 [root] DEBUG: 7728: DLL loaded at 0x6FE50000: C:\Windows\SYSTEM32\miutils (0x52000 bytes).
2026-04-28 01:36:41,548 [root] DEBUG: 7496: DumpPEsInRange: Scanning range 0x08E40000 - 0x08E40E82.
2026-04-28 01:36:41,579 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x08ED0000, size: 0x1000.
2026-04-28 01:36:41,626 [root] DEBUG: 6384: caller_dispatch: Added region at 0x090A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x090A089F, thread 8768).
2026-04-28 01:36:41,673 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x0A670000, size: 0x1000.
2026-04-28 01:36:41,673 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFB100000: C:\Windows\SYSTEM32\WKSCLI (0x19000 bytes).
2026-04-28 01:36:41,704 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 6136: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x00007FF6402C0000
2026-04-28 01:36:41,720 [root] DEBUG: 3404: .NET JIT native cache at 0x0A1D0000: scans and dumps active.
2026-04-28 01:36:41,735 [root] DEBUG: 8632: .NET JIT native cache at 0x03EE0000: scans and dumps active.
2026-04-28 01:36:41,751 [root] DEBUG: 7728: DLL loaded at 0x715A0000: C:\Windows\SYSTEM32\mi (0x1c000 bytes).
2026-04-28 01:36:41,766 [root] DEBUG: 7496: ScanForDisguisedPE: No PE image located in range 0x08E40000-0x08E40E82.
2026-04-28 01:36:41,766 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 6136
2026-04-28 01:36:41,766 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:41,766 [lib.api.process] INFO: Monitor config for <Process 6136 WmiPrvSE.exe>: C:\ltb6yatm\dll\6136.ini
2026-04-28 01:36:41,923 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:42,391 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x090A0000 skipped
2026-04-28 01:36:42,579 [root] DEBUG: 3596: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:36:42,860 [root] DEBUG: 3404: caller_dispatch: Added region at 0x0A1D0000 to tracked regions list (kernel32::CreateThread returns to 0x0A1D02E8, thread 5524).
2026-04-28 01:36:43,141 [root] DEBUG: 3404: api-cap: compileMethod hook disabled due to count: 5000
2026-04-28 01:36:43,282 [root] DEBUG: 8632: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-28 01:36:43,657 [root] DEBUG: 7728: DLL loaded at 0x715C0000: C:\Windows\SYSTEM32\Microsoft.Management.Infrastructure.Native.Unmanaged (0x8000 bytes).
2026-04-28 01:36:43,829 [root] INFO: Announced starting service "b'TrustedInstaller'"
2026-04-28 01:36:43,829 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF7D00000: C:\Windows\SYSTEM32\DSROLE (0xa000 bytes).
2026-04-28 01:36:44,032 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7496_3140641362227142026 to CAPE\a4f5387039d590daa4e058dde772e9dae72b586d873f9da59a3c9d8097566899; Size is 3714; Max size: 100000000
2026-04-28 01:36:44,126 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x09080000, size: 0x1000.
2026-04-28 01:36:44,376 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:36:44,563 [root] DEBUG: 3404: ProcessTrackedRegion: .NET cache region at 0x0A1D0000 skipped
2026-04-28 01:36:44,688 [root] DEBUG: 3404: AllocationHandler: Previously reserved region at 0x0A1D0000, committing at: 0x0A1D2000.
2026-04-28 01:36:44,829 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x03EE0000 skipped
2026-04-28 01:36:44,923 [root] DEBUG: 7728: DLL loaded at 0x704B0000: C:\Windows\SYSTEM32\DPAPI (0x8000 bytes).
2026-04-28 01:36:45,016 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x099B0000.
2026-04-28 01:36:45,063 [root] DEBUG: 7496: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7496_3140641362227142026 (size 3714 bytes)
2026-04-28 01:36:45,298 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:45,376 [root] DEBUG: Loader: Injecting process 6136 (thread 6924) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:45,438 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08620000.
2026-04-28 01:36:45,470 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:45,470 [root] INFO: Announced 64-bit process name: GameBar.exe pid: 1928
2026-04-28 01:36:45,501 [lib.api.process] INFO: Monitor config for <Process 1928 GameBar.exe>: C:\ltb6yatm\dll\1928.ini
2026-04-28 01:36:45,501 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x03BF0000.
2026-04-28 01:36:45,579 [root] DEBUG: 5144: .NET JIT native cache at 0x09E30000: scans and dumps active.
2026-04-28 01:36:45,610 [root] DEBUG: 7728: DLL loaded at 0x71570000: C:\Windows\System32\wmidcom (0x26000 bytes).
2026-04-28 01:36:45,642 [root] DEBUG: 7496: DumpRegion: Dumped entire allocation from 0x08E40000, size 8192 bytes.
2026-04-28 01:36:45,688 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:36:45,907 [root] DEBUG: 7548: .NET JIT native cache at 0x0A650000: scans and dumps active.
2026-04-28 01:36:46,032 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:46,048 [root] DEBUG: 8632: DLL loaded at 0x715D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni (0xa56000 bytes).
2026-04-28 01:36:46,220 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF0830000: C:\Windows\servicing\CbsApi (0x12000 bytes).
2026-04-28 01:36:46,251 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09E30000 to tracked regions list (advapi32::RegOpenKeyExW returns to 0x09E332CE, thread 8980).
2026-04-28 01:36:46,313 [root] DEBUG: 7496: ProcessTrackedRegion: Dumped region at 0x08E40000.
2026-04-28 01:36:46,329 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:46,329 [root] DEBUG: 7548: caller_dispatch: Added region at 0x0A650000 to tracked regions list (advapi32::RegOpenKeyExW returns to 0x0A6532CE, thread 8948).
2026-04-28 01:36:46,345 [lib.api.process] INFO: Injected into 64-bit <Process 6136 WmiPrvSE.exe>
2026-04-28 01:36:46,345 [root] DEBUG: 7496: FreeHandler: Dumped executable range containing 0x08E40000.
2026-04-28 01:36:46,345 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x03130000.
2026-04-28 01:36:46,376 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:46,391 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09E30000 skipped
2026-04-28 01:36:46,485 [root] DEBUG: 8632: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-28 01:36:46,735 [root] DEBUG: 7728: .NET JIT native cache at 0x09D10000: scans and dumps active.
2026-04-28 01:36:46,923 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 1820: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\TiWorker.exe, ImageBase: 0x00007FF601A00000
2026-04-28 01:36:46,985 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:36:47,079 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x0A650000 skipped
2026-04-28 01:36:47,204 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 6136
2026-04-28 01:36:47,376 [lib.api.process] INFO: Monitor config for <Process 6136 WmiPrvSE.exe>: C:\ltb6yatm\dll\6136.ini
2026-04-28 01:36:47,391 [root] DEBUG: 7496: DropTrackedRegion: removed region at 0x08E40000 from tracked region list.
2026-04-28 01:36:47,766 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x09090000, size: 0x1000.
2026-04-28 01:36:47,766 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:47,798 [root] DEBUG: 8632: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-04-28 01:36:47,891 [root] DEBUG: 7728: caller_dispatch: Added region at 0x09D10000 to tracked regions list (kernel32::CreateThread returns to 0x09D101C8, thread 616).
2026-04-28 01:36:47,907 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08EC0000.
2026-04-28 01:36:47,923 [root] DEBUG: 7728: api-cap: compileMethod hook disabled due to count: 5000
2026-04-28 01:36:47,923 [root] DEBUG: Loader: Injecting process 1928 (thread 8712) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:47,938 [root] DEBUG: 7496: .NET JIT native cache at 0x08E40000: scans and dumps active.
2026-04-28 01:36:47,954 [root] INFO: Announced 64-bit process name: TiWorker.exe pid: 1820
2026-04-28 01:36:47,970 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x09800000.
2026-04-28 01:36:47,970 [lib.api.process] INFO: Monitor config for <Process 1820 TiWorker.exe>: C:\ltb6yatm\dll\1820.ini
2026-04-28 01:36:47,985 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:47,985 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0x03BEA000, size: 0x1000.
2026-04-28 01:36:47,985 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:48,173 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x09D10000 skipped
2026-04-28 01:36:48,314 [root] DEBUG: 7728: AllocationHandler: Previously reserved region at 0x09D10000, committing at: 0x09D12000.
2026-04-28 01:36:48,532 [root] DEBUG: 5144: .NET JIT native cache at 0x09E20000: scans and dumps active.
2026-04-28 01:36:48,891 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:36:48,907 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:36:49,095 [root] DEBUG: 7548: .NET JIT native cache at 0x0A640000: scans and dumps active.
2026-04-28 01:36:49,329 [root] DEBUG: 7496: caller_dispatch: Added region at 0x08E40000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08E41571, thread 5940).
2026-04-28 01:36:49,360 [lib.api.process] INFO: Potential dll side-loading detected in local directory: mspatcha.dll
2026-04-28 01:36:49,516 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x03BE0000.
2026-04-28 01:36:49,610 [lib.api.process] INFO: Potential dll side-loading detected in local directory: wdscore.dll
2026-04-28 01:36:49,735 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:49,860 [lib.api.process] INFO: Potential dll side-loading detected in local directory: msdelta.dll
2026-04-28 01:36:49,985 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09E20000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09E22A54, thread 8980).
2026-04-28 01:36:50,157 [lib.api.process] INFO: Potential dll side-loading detected in local directory: dpx.dll
2026-04-28 01:36:50,204 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:50,313 [root] DEBUG: Loader: Injecting process 6136 (thread 6924) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:50,329 [lib.api.process] INFO: Potential dll side-loading detected in local directory: drvstore.dll
2026-04-28 01:36:50,516 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:50,782 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:36:50,798 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x08E40000 skipped
2026-04-28 01:36:50,891 [root] DEBUG: 7548: caller_dispatch: Added region at 0x0A640000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A642A54, thread 8948).
2026-04-28 01:36:51,001 [lib.api.process] INFO: Injected into 64-bit <Process 1928 GameBar.exe>
2026-04-28 01:36:51,079 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x03130000.
2026-04-28 01:36:51,204 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:36:51,360 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:51,438 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:51,501 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09E20000 skipped
2026-04-28 01:36:51,579 [root] DEBUG: 8632: api-cap: NtProtectVirtualMemory hook disabled due to count: 5000
2026-04-28 01:36:51,704 [root] DEBUG: Loader: Injecting process 1820 (thread 5560) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:51,814 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x0A640000 skipped
2026-04-28 01:36:52,141 [root] DEBUG: 6384: .NET JIT native cache at 0x0A6F0000: scans and dumps active.
2026-04-28 01:36:52,266 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:52,454 [root] DEBUG: 7496: .NET JIT native cache at 0x08CF0000: scans and dumps active.
2026-04-28 01:36:52,626 [lib.api.process] INFO: Injected into 64-bit <Process 6136 WmiPrvSE.exe>
2026-04-28 01:36:52,641 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:52,782 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:52,813 [root] DEBUG: 8632: .NET JIT native cache at 0x07AE0000: scans and dumps active.
2026-04-28 01:36:52,813 [root] INFO: Announced 64-bit process name: GameBar.exe pid: 1928
2026-04-28 01:36:52,845 [lib.api.process] INFO: Monitor config for <Process 1928 GameBar.exe>: C:\ltb6yatm\dll\1928.ini
2026-04-28 01:36:52,845 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:36:52,845 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x099B0000.
2026-04-28 01:36:53,048 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A6F0000 to tracked regions list (advapi32::RegOpenKeyExW returns to 0x0A6F32D6, thread 8768).
2026-04-28 01:36:53,188 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08620000.
2026-04-28 01:36:53,345 [root] DEBUG: 6136: Python path set to 'C:\Python310'.
2026-04-28 01:36:53,579 [root] DEBUG: 7496: caller_dispatch: Added region at 0x08CF0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08CF09D2, thread 5940).
2026-04-28 01:36:53,783 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:53,829 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:53,923 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:53,970 [root] DEBUG: 8632: caller_dispatch: Added region at 0x07AE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x07AE525B, thread 7908).
2026-04-28 01:36:53,970 [lib.api.process] INFO: Injected into 64-bit <Process 1820 TiWorker.exe>
2026-04-28 01:36:53,970 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A6F0000 skipped
2026-04-28 01:36:54,251 [root] DEBUG: 7548: caller_dispatch: Added region at 0x092B0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x092B0849, thread 8948).
2026-04-28 01:36:54,407 [root] DEBUG: 6136: Dropped file limit defaulting to 100.
2026-04-28 01:36:54,423 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:36:54,516 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:54,595 [root] DEBUG: 5144: FreeHandler: Address: 0x08300000.
2026-04-28 01:36:54,641 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:54,673 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x08CF0000 skipped
2026-04-28 01:36:54,720 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x07AE0000 skipped
2026-04-28 01:36:54,751 [root] INFO: Announced 64-bit process name: TiWorker.exe pid: 1820
2026-04-28 01:36:54,751 [lib.api.process] INFO: Monitor config for <Process 1820 TiWorker.exe>: C:\ltb6yatm\dll\1820.ini
2026-04-28 01:36:54,751 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x092B0000 skipped
2026-04-28 01:36:54,751 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x09080000.
2026-04-28 01:36:54,860 [root] DEBUG: 6136: Disabling sleep skipping.
2026-04-28 01:36:55,048 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:55,126 [root] DEBUG: 5144: DumpPEsInRange: Scanning range 0x08300000 - 0x08300E82.
2026-04-28 01:36:55,329 [root] DEBUG: Loader: Injecting process 1928 (thread 8712) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:55,548 [root] DEBUG: 7728: caller_dispatch: Added region at 0x091D0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x091D278A, thread 616).
2026-04-28 01:36:55,735 [root] DEBUG: 5144: ScanForDisguisedPE: No PE image located in range 0x08300000-0x08300E82.
2026-04-28 01:36:56,032 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:56,110 [root] DEBUG: 7496: AllocationHandler: Previously reserved region at 0x08CF0000, committing at: 0x08CF5000.
2026-04-28 01:36:56,157 [root] DEBUG: 6384: .NET JIT native cache at 0x0A6E0000: scans and dumps active.
2026-04-28 01:36:56,188 [root] DEBUG: 8632: .NET JIT native cache at 0x07AB0000: scans and dumps active.
2026-04-28 01:36:56,235 [lib.api.process] INFO: Potential dll side-loading detected in local directory: mspatcha.dll
2026-04-28 01:36:56,329 [root] DEBUG: 6136: Services hook set enabled
2026-04-28 01:36:56,329 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:36:56,329 [lib.api.process] INFO: Potential dll side-loading detected in local directory: wdscore.dll
2026-04-28 01:36:56,329 [root] DEBUG: 7728: ProcessTrackedRegion: .NET cache region at 0x091D0000 skipped
2026-04-28 01:36:56,345 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5144_3784355362227142026 to CAPE\36df3fcbc755760fdded5970a6544d0d8a6169850eb2d242ff7048ca363998ed; Size is 3714; Max size: 100000000
2026-04-28 01:36:56,360 [lib.api.process] INFO: Potential dll side-loading detected in local directory: msdelta.dll
2026-04-28 01:36:56,376 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:56,391 [lib.api.process] INFO: Potential dll side-loading detected in local directory: dpx.dll
2026-04-28 01:36:56,407 [lib.api.process] INFO: Potential dll side-loading detected in local directory: drvstore.dll
2026-04-28 01:36:56,407 [root] DEBUG: 7548: FreeHandler: Address: 0x07FF0000.
2026-04-28 01:36:56,423 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:56,438 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:36:56,485 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A6E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A6E264C, thread 8768).
2026-04-28 01:36:56,563 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x09280000.
2026-04-28 01:36:56,674 [root] DEBUG: 8632: .NET JIT native cache at 0x07F80000: scans and dumps active.
2026-04-28 01:36:56,688 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:56,720 [root] DEBUG: 5144: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5144_3784355362227142026 (size 3714 bytes)
2026-04-28 01:36:56,720 [lib.api.process] INFO: Injected into 64-bit <Process 1928 GameBar.exe>
2026-04-28 01:36:56,735 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A1D0000.
2026-04-28 01:36:56,751 [root] DEBUG: 7548: DumpPEsInRange: Scanning range 0x07FF0000 - 0x07FF0E82.
2026-04-28 01:36:56,798 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:56,813 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A6E0000 skipped
2026-04-28 01:36:56,907 [root] DEBUG: Loader: Injecting process 1820 (thread 5560) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:57,032 [root] DEBUG: 8632: caller_dispatch: Added region at 0x07F80000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x07F958E3, thread 7908).
2026-04-28 01:36:57,235 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x065D0000.
2026-04-28 01:36:57,423 [root] DEBUG: 6136: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:36:57,470 [root] DEBUG: 5144: DumpRegion: Dumped entire allocation from 0x08300000, size 8192 bytes.
2026-04-28 01:36:57,485 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x062D0000.
2026-04-28 01:36:57,548 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:57,563 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x06740000, size: 0x1000.
2026-04-28 01:36:57,595 [root] DEBUG: 7548: ScanForDisguisedPE: No PE image located in range 0x07FF0000-0x07FF0E82.
2026-04-28 01:36:57,610 [root] INFO: Announced 64-bit process name: GameBar.exe pid: 1928
2026-04-28 01:36:57,610 [lib.api.process] INFO: Monitor config for <Process 1928 GameBar.exe>: C:\ltb6yatm\dll\1928.ini
2026-04-28 01:36:57,626 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:36:57,642 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x07F80000 skipped
2026-04-28 01:36:57,688 [root] DEBUG: 7496: DLL loaded at 0x6FE50000: C:\Windows\SYSTEM32\miutils (0x52000 bytes).
2026-04-28 01:36:57,767 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x03130000.
2026-04-28 01:36:57,860 [root] DEBUG: 6136: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:36:58,001 [root] DEBUG: 5144: ProcessTrackedRegion: Dumped region at 0x08300000.
2026-04-28 01:36:58,095 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:58,485 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:36:58,626 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:36:58,688 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7548_2439557362227142026 to CAPE\6837139bfbbe05a8f393e9de07dfe1ca8a12dd70a041da7d18e4168dd1b35486; Size is 3714; Max size: 100000000
2026-04-28 01:36:58,704 [lib.api.process] INFO: Injected into 64-bit <Process 1820 TiWorker.exe>
2026-04-28 01:36:58,704 [root] DEBUG: 7496: DLL loaded at 0x715A0000: C:\Windows\SYSTEM32\mi (0x1c000 bytes).
2026-04-28 01:36:58,720 [root] DEBUG: 6136: Monitor initialised: 64-bit capemon loaded in process 6136 at 0x00007FFEABCB0000, thread 6924, image base 0x00007FF6402C0000, stack from 0x00000098B15B0000-0x00000098B15C0000
2026-04-28 01:36:58,767 [root] DEBUG: 5144: FreeHandler: Dumped executable range containing 0x08300000.
2026-04-28 01:36:58,798 [root] DEBUG: 8632: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2026-04-28 01:36:58,813 [root] DEBUG: 5144: DropTrackedRegion: removed region at 0x08300000 from tracked region list.
2026-04-28 01:36:58,829 [root] DEBUG: 6384: FreeHandler: Address: 0x08C40000.
2026-04-28 01:36:59,032 [root] DEBUG: 3404: DumpPEsInRange: Scanning range 0x06740000 - 0x06740735.
2026-04-28 01:36:59,032 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:59,173 [root] DEBUG: 6136: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2026-04-28 01:36:59,235 [root] DEBUG: 7548: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7548_2439557362227142026 (size 3714 bytes)
2026-04-28 01:36:59,235 [root] DEBUG: 7496: DLL loaded at 0x715C0000: C:\Windows\SYSTEM32\Microsoft.Management.Infrastructure.Native.Unmanaged (0x8000 bytes).
2026-04-28 01:36:59,267 [root] DEBUG: 1820: Python path set to 'C:\Python310'.
2026-04-28 01:36:59,298 [root] DEBUG: 5144: .NET JIT native cache at 0x08300000: scans and dumps active.
2026-04-28 01:36:59,376 [root] DEBUG: 3404: ScanForDisguisedPE: Size too small: 0x735 bytes
2026-04-28 01:36:59,391 [root] DEBUG: 6384: DumpPEsInRange: Scanning range 0x08C40000 - 0x08C40E82.
2026-04-28 01:36:59,407 [root] DEBUG: 3404: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:36:59,407 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:36:59,454 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:36:59,563 [root] DEBUG: 6136: Hooked 69 out of 69 functions
2026-04-28 01:36:59,720 [root] DEBUG: 1820: Dropped file limit defaulting to 100.
2026-04-28 01:36:59,751 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3404_635414159362227142026 to CAPE\782ebf03edb6808a4d2bbb082e5ffe937d87ae14f69a7380b07073d3ca673c28; Size is 4048; Max size: 100000000
2026-04-28 01:36:59,751 [root] DEBUG: 7548: DumpRegion: Dumped entire allocation from 0x07FF0000, size 8192 bytes.
2026-04-28 01:36:59,767 [root] DEBUG: 7496: DLL loaded at 0x704B0000: C:\Windows\SYSTEM32\DPAPI (0x8000 bytes).
2026-04-28 01:36:59,782 [root] DEBUG: 8632: DEBUG:Initialized 9 com hooks
2026-04-28 01:36:59,813 [root] DEBUG: 5144: caller_dispatch: Added region at 0x08300000 to tracked regions list (ntdll::NtFreeVirtualMemory returns to 0x083009B3, thread 8980).
2026-04-28 01:37:00,157 [root] DEBUG: 7496: DLL loaded at 0x71570000: C:\Windows\System32\wmidcom (0x26000 bytes).
2026-04-28 01:37:00,282 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x06120000.
2026-04-28 01:37:00,313 [root] DEBUG: 6384: ScanForDisguisedPE: No PE image located in range 0x08C40000-0x08C40E82.
2026-04-28 01:37:00,345 [root] DEBUG: 3404: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:37:00,360 [root] DEBUG: 6136: RestoreHeaders: Restored original import table.
2026-04-28 01:37:00,407 [root] DEBUG: 3404: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3404_635414159362227142026 (size 4048 bytes)
2026-04-28 01:37:00,423 [root] DEBUG: Loader: Injecting process 1928 (thread 8712) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:00,423 [root] DEBUG: 7548: ProcessTrackedRegion: Dumped region at 0x07FF0000.
2026-04-28 01:37:00,438 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x08300000 skipped
2026-04-28 01:37:00,751 [root] DEBUG: 8632: .NET JIT native cache at 0x07DF0000: scans and dumps active.
2026-04-28 01:37:00,876 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D10000.
2026-04-28 01:37:00,892 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\6384_134890372227142026 to CAPE\d1896aa6945dd1bcf2292ce826052998c7610fdae78611ff97ddf59b62307320; Size is 3714; Max size: 100000000
2026-04-28 01:37:01,001 [root] DEBUG: 1820: Disabling sleep skipping.
2026-04-28 01:37:01,001 [root] INFO: Loaded monitor into process with pid 6136
2026-04-28 01:37:01,017 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:37:01,032 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:01,063 [root] DEBUG: 3404: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:37:01,079 [lib.api.process] INFO: Injected into 64-bit <Process 1928 GameBar.exe>
2026-04-28 01:37:01,079 [root] DEBUG: 7548: FreeHandler: Dumped executable range containing 0x07FF0000.
2026-04-28 01:37:01,173 [root] DEBUG: 5144: AllocationHandler: Previously reserved region at 0x08300000, committing at: 0x0830D000.
2026-04-28 01:37:01,298 [root] DEBUG: 7496: .NET JIT native cache at 0x08C80000: scans and dumps active.
2026-04-28 01:37:01,407 [root] DEBUG: 8632: caller_dispatch: Added region at 0x07DF0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x07DF1562, thread 2708).
2026-04-28 01:37:01,438 [root] DEBUG: 3404: DumpRegion: Dumped entire allocation from 0x06740000, size 4096 bytes.
2026-04-28 01:37:01,501 [root] DEBUG: 6384: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\6384_134890372227142026 (size 3714 bytes)
2026-04-28 01:37:01,517 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x09D50000, size: 0x1000.
2026-04-28 01:37:01,548 [root] DEBUG: 7728: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:37:01,548 [root] DEBUG: 1820: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:37:01,610 [root] DEBUG: 7548: DropTrackedRegion: removed region at 0x07FF0000 from tracked region list.
2026-04-28 01:37:01,673 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x08130000, size: 0x1000.
2026-04-28 01:37:01,860 [root] DEBUG: 3404: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:37:01,907 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x07DF0000 skipped
2026-04-28 01:37:02,142 [root] DEBUG: 6136: set_hooks_by_export_directory: Hooked 0 out of 69 functions
2026-04-28 01:37:02,298 [root] DEBUG: 7496: caller_dispatch: Added region at 0x08C80000 to tracked regions list (kernel32::GetSystemInfo returns to 0x08C802E8, thread 5940).
2026-04-28 01:37:02,376 [root] DEBUG: 3404: ProcessTrackedRegion: Dumped region at 0x06740000.
2026-04-28 01:37:02,423 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:02,516 [root] DEBUG: 6384: DumpRegion: Dumped entire allocation from 0x08C40000, size 8192 bytes.
2026-04-28 01:37:02,532 [root] DEBUG: 7728: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:37:02,579 [root] DEBUG: 1820: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:37:02,626 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:02,641 [root] DEBUG: 7548: .NET JIT native cache at 0x07FD0000: scans and dumps active.
2026-04-28 01:37:02,688 [root] DEBUG: 6136: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:37:02,704 [root] DEBUG: 8632: DLL loaded at 0x70D50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni (0x818000 bytes).
2026-04-28 01:37:02,704 [root] DEBUG: 7728: DumpPEsInRange: Scanning range 0x09D50000 - 0x09D506A6.
2026-04-28 01:37:02,720 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:02,720 [root] DEBUG: 7496: ProcessTrackedRegion: .NET cache region at 0x08C80000 skipped
2026-04-28 01:37:02,813 [root] DEBUG: 7728: ScanForDisguisedPE: Size too small: 0x6a6 bytes
2026-04-28 01:37:02,970 [root] DEBUG: 1820: YaraScan: Scanning 0x00007FF601A00000, size 0x43128
2026-04-28 01:37:03,017 [root] DEBUG: 7728: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:37:03,032 [root] DEBUG: 6384: ProcessTrackedRegion: Dumped region at 0x08C40000.
2026-04-28 01:37:03,110 [root] DEBUG: 5144: .NET JIT native cache at 0x08130000: scans and dumps active.
2026-04-28 01:37:03,142 [root] DEBUG: 7548: caller_dispatch: Added region at 0x07FD0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x07FD1571, thread 8948).
2026-04-28 01:37:03,157 [root] DEBUG: 3404: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:03,173 [root] DEBUG: 8632: DLL loaded at 0x70C40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni (0x106000 bytes).
2026-04-28 01:37:03,220 [root] DEBUG: 7496: api-cap: compileMethod hook disabled due to count: 5001
2026-04-28 01:37:03,235 [root] DEBUG: 6136: DLL loaded at 0x00007FFEFC380000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-04-28 01:37:03,235 [root] DEBUG: 1820: Monitor initialised: 64-bit capemon loaded in process 1820 at 0x00007FFEABCB0000, thread 5560, image base 0x00007FF601A00000, stack from 0x0000009DE8074000-0x0000009DE8080000
2026-04-28 01:37:03,345 [root] DEBUG: 7496: api-cap: compileMethod hook disabled due to count: 5000
2026-04-28 01:37:03,438 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7728_157634702372227142026 to CAPE\1eacb62b3b40a6fbdb1bda0ae7cb1dc3b72573a3cb50e1672a0f041b38168d5b; Size is 1702; Max size: 100000000
2026-04-28 01:37:03,454 [root] DEBUG: 6384: FreeHandler: Dumped executable range containing 0x08C40000.
2026-04-28 01:37:03,532 [root] DEBUG: 7728: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:37:03,532 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x07FD0000 skipped
2026-04-28 01:37:03,626 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x08130000 skipped
2026-04-28 01:37:03,845 [root] DEBUG: 7496: AllocationHandler: Previously reserved region at 0x08C80000, committing at: 0x08C82000.
2026-04-28 01:37:03,907 [root] DEBUG: 8632: DLL loaded at 0x704C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni (0x774000 bytes).
2026-04-28 01:37:04,017 [root] DEBUG: 6136: DEBUG:Initialized 9 com hooks
2026-04-28 01:37:04,142 [root] DEBUG: 1820: Commandline: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\TiWorker.exe -Embedding
2026-04-28 01:37:04,188 [root] DEBUG: 7728: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7728_157634702372227142026 (size 1702 bytes)
2026-04-28 01:37:04,204 [root] DEBUG: 7728: DumpRegion: Dumped entire allocation from 0x09D50000, size 4096 bytes.
2026-04-28 01:37:04,220 [root] DEBUG: 6384: DropTrackedRegion: removed region at 0x08C40000 from tracked region list.
2026-04-28 01:37:04,266 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x099B0000.
2026-04-28 01:37:04,485 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:04,626 [root] DEBUG: 8632: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-28 01:37:04,688 [root] DEBUG: 1820: hook_api: LdrpCallInitRoutine export address 0x00007FFEFE8699BC obtained via GetFunctionAddress
2026-04-28 01:37:04,782 [root] DEBUG: 7548: AllocationHandler: Previously reserved region at 0x07FD0000, committing at: 0x07FDD000.
2026-04-28 01:37:04,907 [root] DEBUG: 6136: DLL loaded at 0x00007FFEFCC00000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-04-28 01:37:05,017 [root] DEBUG: 7728: ProcessTrackedRegion: Dumped region at 0x09D50000.
2026-04-28 01:37:05,157 [root] DEBUG: 7728: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:05,282 [root] DEBUG: 6384: .NET JIT native cache at 0x06A80000: scans and dumps active.
2026-04-28 01:37:05,329 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x044A0000.
2026-04-28 01:37:05,360 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:05,438 [root] DEBUG: 8632: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-28 01:37:05,532 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x05DA0000, size: 0x1000.
2026-04-28 01:37:05,626 [root] WARNING: b'Unable to place hook on LockResource'
2026-04-28 01:37:05,813 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:05,829 [root] DEBUG: 6384: caller_dispatch: Added region at 0x06A80000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x06A816F1, thread 8768).
2026-04-28 01:37:05,829 [root] DEBUG: 8632: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-28 01:37:05,845 [root] DEBUG: 5144: DLL loaded at 0x6FE50000: C:\Windows\SYSTEM32\miutils (0x52000 bytes).
2026-04-28 01:37:05,845 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:05,923 [root] DEBUG: 1820: set_hooks: Unable to hook LockResource
2026-04-28 01:37:05,985 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:06,001 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 4580: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_7.326.2102.0_x64__8wekyb3d8bbwe\GameBar.exe, ImageBase: 0x00007FF76B460000
2026-04-28 01:37:06,017 [root] DEBUG: 6136: DLL loaded at 0x00007FFEF1EB0000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2026-04-28 01:37:06,032 [root] DEBUG: 8632: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-28 01:37:06,157 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x06A80000 skipped
2026-04-28 01:37:06,423 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:06,454 [root] DEBUG: 1820: Hooked 627 out of 628 functions
2026-04-28 01:37:06,485 [root] DEBUG: 5144: DLL loaded at 0x715A0000: C:\Windows\SYSTEM32\mi (0x1c000 bytes).
2026-04-28 01:37:06,501 [root] DEBUG: 7548: .NET JIT native cache at 0x05DA0000: scans and dumps active.
2026-04-28 01:37:06,532 [root] INFO: Announced 64-bit process name: GameBar.exe pid: 4580
2026-04-28 01:37:06,548 [lib.api.process] INFO: Monitor config for <Process 4580 GameBar.exe>: C:\ltb6yatm\dll\4580.ini
2026-04-28 01:37:06,548 [root] DEBUG: 6136: DLL loaded at 0x00007FFEF2120000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2026-04-28 01:37:06,563 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:06,579 [root] DEBUG: 8632: .NET JIT native cache at 0x07BF0000: scans and dumps active.
2026-04-28 01:37:06,782 [root] DEBUG: 5144: DLL loaded at 0x715C0000: C:\Windows\SYSTEM32\Microsoft.Management.Infrastructure.Native.Unmanaged (0x8000 bytes).
2026-04-28 01:37:06,829 [root] DEBUG: 6384: .NET JIT native cache at 0x08B20000: scans and dumps active.
2026-04-28 01:37:06,845 [root] DEBUG: 1820: Syscall hook installed, syscall logging level 1
2026-04-28 01:37:06,876 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x05DA0000 skipped
2026-04-28 01:37:06,923 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:07,016 [root] DEBUG: 8632: caller_dispatch: Added region at 0x07BF0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x07BF02AD, thread 2708).
2026-04-28 01:37:07,016 [root] DEBUG: 5144: DLL loaded at 0x704B0000: C:\Windows\SYSTEM32\DPAPI (0x8000 bytes).
2026-04-28 01:37:07,032 [root] DEBUG: 6384: caller_dispatch: Added region at 0x08B20000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x08B20892, thread 8768).
2026-04-28 01:37:07,063 [root] DEBUG: 1820: RestoreHeaders: Restored original import table.
2026-04-28 01:37:07,063 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08620000.
2026-04-28 01:37:07,173 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:07,204 [root] DEBUG: 5144: DLL loaded at 0x71570000: C:\Windows\System32\wmidcom (0x26000 bytes).
2026-04-28 01:37:07,251 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x08B20000 skipped
2026-04-28 01:37:07,454 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x07BF0000 skipped
2026-04-28 01:37:07,532 [root] INFO: Loaded monitor into process with pid 1820
2026-04-28 01:37:07,720 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:07,829 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CB0000.
2026-04-28 01:37:08,360 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:37:08,641 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x03130000.
2026-04-28 01:37:08,845 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:09,063 [root] DEBUG: 1820: caller_dispatch: Added region at 0x00007FF601A00000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF601A1D4C2, thread 5560).
2026-04-28 01:37:09,282 [root] DEBUG: 5144: .NET JIT native cache at 0x081E0000: scans and dumps active.
2026-04-28 01:37:09,532 [root] DEBUG: 7548: DLL loaded at 0x6FE50000: C:\Windows\SYSTEM32\miutils (0x52000 bytes).
2026-04-28 01:37:09,798 [root] DEBUG: Loader: Injecting process 4580 (thread 6940) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:09,985 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:10,157 [root] DEBUG: 6384: AllocationHandler: Previously reserved region at 0x08B20000, committing at: 0x08B25000.
2026-04-28 01:37:10,438 [root] DEBUG: 1820: YaraScan: Scanning 0x00007FF601A00000, size 0x43128
2026-04-28 01:37:10,610 [root] DEBUG: 5144: caller_dispatch: Added region at 0x081E0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x081E0F6D, thread 8980).
2026-04-28 01:37:10,766 [root] DEBUG: 5144: api-cap: compileMethod hook disabled due to count: 5000
2026-04-28 01:37:11,157 [root] DEBUG: 7548: DLL loaded at 0x715A0000: C:\Windows\SYSTEM32\mi (0x1c000 bytes).
2026-04-28 01:37:11,220 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:37:11,220 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:11,235 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x04D20000.
2026-04-28 01:37:11,251 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x081E0000 skipped
2026-04-28 01:37:11,266 [root] DEBUG: 1820: ProcessImageBase: Main module image at 0x00007FF601A00000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:37:11,282 [root] DEBUG: 5144: AllocationHandler: Previously reserved region at 0x081E0000, committing at: 0x081E2000.
2026-04-28 01:37:11,298 [root] DEBUG: 8632: AllocationHandler: Previously reserved region at 0x07BF0000, committing at: 0x07BF6000.
2026-04-28 01:37:11,376 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:11,376 [root] DEBUG: 7548: DLL loaded at 0x715C0000: C:\Windows\SYSTEM32\Microsoft.Management.Infrastructure.Native.Unmanaged (0x8000 bytes).
2026-04-28 01:37:11,407 [lib.api.process] INFO: Injected into 64-bit <Process 4580 GameBar.exe>
2026-04-28 01:37:11,407 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:11,438 [root] DEBUG: 6384: DLL loaded at 0x6FE50000: C:\Windows\SYSTEM32\miutils (0x52000 bytes).
2026-04-28 01:37:11,454 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:11,579 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x07BF0000.
2026-04-28 01:37:11,610 [root] DEBUG: 7548: DLL loaded at 0x704B0000: C:\Windows\SYSTEM32\DPAPI (0x8000 bytes).
2026-04-28 01:37:11,657 [root] DEBUG: 1820: DLL loaded at 0x00007FFEEF210000: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\wdscore (0x43000 bytes).
2026-04-28 01:37:11,673 [root] INFO: Announced 64-bit process name: GameBar.exe pid: 4580
2026-04-28 01:37:11,782 [lib.api.process] INFO: Monitor config for <Process 4580 GameBar.exe>: C:\ltb6yatm\dll\4580.ini
2026-04-28 01:37:11,782 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:37:11,798 [root] DEBUG: 6384: DLL loaded at 0x715A0000: C:\Windows\SYSTEM32\mi (0x1c000 bytes).
2026-04-28 01:37:11,798 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:11,985 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x07BF0000.
2026-04-28 01:37:12,049 [root] DEBUG: 7548: DLL loaded at 0x71570000: C:\Windows\System32\wmidcom (0x26000 bytes).
2026-04-28 01:37:12,049 [root] DEBUG: 1820: DLL loaded at 0x00007FFEF1F00000: C:\Windows\system32\dbghelp (0x1e4000 bytes).
2026-04-28 01:37:12,063 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08C80000.
2026-04-28 01:37:12,110 [root] DEBUG: 6384: DLL loaded at 0x715C0000: C:\Windows\SYSTEM32\Microsoft.Management.Infrastructure.Native.Unmanaged (0x8000 bytes).
2026-04-28 01:37:12,220 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:12,376 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x07BF0000.
2026-04-28 01:37:12,610 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x08F60000, size: 0x1000.
2026-04-28 01:37:12,626 [root] DEBUG: 1820: DLL loaded at 0x00007FFEF1ED0000: C:\Windows\SYSTEM32\dbgcore (0x2c000 bytes).
2026-04-28 01:37:12,657 [root] DEBUG: 7496: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:37:12,657 [root] DEBUG: 6384: DLL loaded at 0x704B0000: C:\Windows\SYSTEM32\DPAPI (0x8000 bytes).
2026-04-28 01:37:12,673 [root] DEBUG: 5144: caller_dispatch: Added region at 0x09030000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0903278A, thread 8980).
2026-04-28 01:37:12,673 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:12,688 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x07BF0000.
2026-04-28 01:37:12,845 [root] DEBUG: 7548: .NET JIT native cache at 0x07FF0000: scans and dumps active.
2026-04-28 01:37:13,001 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:13,001 [root] DEBUG: 1820: set_hooks_by_export_directory: Hooked 0 out of 628 functions
2026-04-28 01:37:13,016 [root] DEBUG: 7496: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:37:13,032 [root] DEBUG: 6384: DLL loaded at 0x71570000: C:\Windows\System32\wmidcom (0x26000 bytes).
2026-04-28 01:37:13,112 [root] DEBUG: 5144: ProcessTrackedRegion: .NET cache region at 0x09030000 skipped
2026-04-28 01:37:13,126 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:13,126 [root] DEBUG: 7548: api-cap: compileMethod hook disabled due to count: 5000
2026-04-28 01:37:13,143 [root] DEBUG: 7548: caller_dispatch: Added region at 0x07FF0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x07FF0F6D, thread 8948).
2026-04-28 01:37:13,157 [root] DEBUG: 8632: .NET JIT native cache at 0x07DA0000: scans and dumps active.
2026-04-28 01:37:13,188 [root] DEBUG: 7496: DumpPEsInRange: Scanning range 0x08F60000 - 0x08F606A6.
2026-04-28 01:37:13,251 [root] DEBUG: 1820: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:37:13,345 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:37:13,391 [root] DEBUG: 7496: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:37:13,579 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:13,813 [root] DEBUG: 7548: AllocationHandler: Previously reserved region at 0x07FF0000, committing at: 0x07FF2000.
2026-04-28 01:37:13,985 [root] DEBUG: 8632: caller_dispatch: Added region at 0x07DA0000 to tracked regions list (kernel32::GetSystemInfo returns to 0x07DA173E, thread 2708).
2026-04-28 01:37:14,173 [root] DEBUG: 7548: ProcessTrackedRegion: .NET cache region at 0x07FF0000 skipped
2026-04-28 01:37:14,329 [root] DEBUG: 7496: ScanForDisguisedPE: Size too small: 0x6a6 bytes
2026-04-28 01:37:14,391 [root] DEBUG: 6136: DLL loaded at 0x00007FFEF41E0000: C:\Windows\system32\wbem\wmiutils (0x28000 bytes).
2026-04-28 01:37:14,407 [root] DEBUG: 1820: DLL loaded at 0x00007FFEFC380000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-04-28 01:37:14,407 [root] DEBUG: 6384: .NET JIT native cache at 0x06A20000: scans and dumps active.
2026-04-28 01:37:14,438 [root] DEBUG: Loader: Injecting process 4580 (thread 6940) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:14,454 [root] DEBUG: 7496: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:37:14,454 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:14,548 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:14,595 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x07DA0000 skipped
2026-04-28 01:37:14,704 [root] DEBUG: 1820: DEBUG:Initialized 9 com hooks
2026-04-28 01:37:14,923 [root] DEBUG: 6384: caller_dispatch: Added region at 0x06A20000 to tracked regions list (kernel32::CreateThread returns to 0x06A20440, thread 8768).
2026-04-28 01:37:14,938 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7496_796984514372227142026 to CAPE\4d354556ee54720e9aeae145b24d73a6d8c04d7bca95b004059cbaa52c52055f; Size is 1702; Max size: 100000000
2026-04-28 01:37:14,954 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:37:14,970 [root] DEBUG: 6384: api-cap: compileMethod hook disabled due to count: 5000
2026-04-28 01:37:15,001 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:15,032 [root] DEBUG: 8632: DLL loaded at 0x6FE30000: C:\Windows\SYSTEM32\edputil (0x1b000 bytes).
2026-04-28 01:37:15,079 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:15,407 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x06A20000 skipped
2026-04-28 01:37:15,579 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:15,641 [lib.api.process] INFO: Injected into 64-bit <Process 4580 GameBar.exe>
2026-04-28 01:37:15,641 [root] DEBUG: 1820: DLL loaded at 0x00007FFEFCC00000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-04-28 01:37:15,720 [root] DEBUG: 7496: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7496_796984514372227142026 (size 1702 bytes)
2026-04-28 01:37:15,860 [root] DEBUG: 6384: AllocationHandler: Previously reserved region at 0x06A20000, committing at: 0x06A22000.
2026-04-28 01:37:15,876 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x03BE0000.
2026-04-28 01:37:16,017 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:16,032 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0x07F40000, size: 0x1000.
2026-04-28 01:37:16,141 [root] DEBUG: 7496: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:16,220 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:16,298 [root] INFO: Announced 64-bit process name: GameBar.exe pid: 4580
2026-04-28 01:37:16,392 [lib.api.process] INFO: Monitor config for <Process 4580 GameBar.exe>: C:\ltb6yatm\dll\4580.ini
2026-04-28 01:37:16,438 [root] DEBUG: 7496: DumpRegion: Dumped entire allocation from 0x08F60000, size 4096 bytes.
2026-04-28 01:37:16,517 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:16,563 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:16,641 [root] DEBUG: 8632: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:16,688 [root] DEBUG: 1820: DLL loaded at 0x00007FFEF0830000: C:\Windows\servicing\CbsApi (0x12000 bytes).
2026-04-28 01:37:16,705 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:16,782 [root] DEBUG: 7496: ProcessTrackedRegion: Dumped region at 0x08F60000.
2026-04-28 01:37:16,798 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:16,845 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:16,891 [root] DEBUG: 8632: .NET JIT native cache at 0x07F40000: scans and dumps active.
2026-04-28 01:37:17,188 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:17,220 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:37:17,235 [root] DEBUG: 1820: DLL loaded at 0x00007FFEFAC70000: C:\Windows\SYSTEM32\ntmarta (0x33000 bytes).
2026-04-28 01:37:17,266 [root] DEBUG: 6384: caller_dispatch: Added region at 0x0A090000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0A09278A, thread 8768).
2026-04-28 01:37:17,282 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:17,282 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:17,360 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x07F40000 skipped
2026-04-28 01:37:17,423 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:17,767 [root] DEBUG: 1820: DLL loaded at 0x00007FFEFB850000: C:\Windows\SYSTEM32\cryptsp (0x18000 bytes).
2026-04-28 01:37:17,798 [root] DEBUG: 6384: ProcessTrackedRegion: .NET cache region at 0x0A090000 skipped
2026-04-28 01:37:17,829 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x05CB0000.
2026-04-28 01:37:17,845 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:17,845 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x07F40000.
2026-04-28 01:37:17,923 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:18,079 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x081E0000.
2026-04-28 01:37:18,141 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:18,188 [root] DEBUG: 8632: caller_dispatch: Added region at 0x07AB0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x07AB3229, thread 2708).
2026-04-28 01:37:18,313 [root] DEBUG: 1820: DLL loaded at 0x00007FFEFBE70000: C:\Windows\SYSTEM32\USERENV (0x2e000 bytes).
2026-04-28 01:37:18,360 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:18,376 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:37:18,454 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x07AB0000 skipped
2026-04-28 01:37:18,532 [root] DEBUG: 5144: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:37:18,548 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:18,595 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x09AC0000, size: 0x1000.
2026-04-28 01:37:18,595 [root] DEBUG: 1820: DLL loaded at 0x00007FFEFBFF0000: C:\Windows\System32\WINTRUST (0x69000 bytes).
2026-04-28 01:37:18,641 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:18,688 [root] DEBUG: Loader: Injecting process 4580 (thread 6940) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:18,720 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x07F40000.
2026-04-28 01:37:18,720 [root] DEBUG: 5144: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:37:18,720 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:18,766 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:18,907 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:19,063 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:37:19,188 [root] DEBUG: 1820: DLL loaded at 0x00007FFEACDE0000: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\cbscore (0x291000 bytes).
2026-04-28 01:37:19,235 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x07F40000.
2026-04-28 01:37:19,548 [root] DEBUG: 5144: DumpPEsInRange: Scanning range 0x09AC0000 - 0x09AC06A6.
2026-04-28 01:37:19,548 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:19,610 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:19,642 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:19,720 [root] DEBUG: 5144: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:37:19,813 [lib.api.process] INFO: Injected into 64-bit <Process 4580 GameBar.exe>
2026-04-28 01:37:20,063 [root] DEBUG: 780: CreateProcessHandler: Injection info set for new process 3368: \\?\C:\Windows\system32\wbem\WMIADAP.EXE, ImageBase: 0x00007FF6B3210000
2026-04-28 01:37:20,110 [root] DEBUG: 5144: ScanForDisguisedPE: Size too small: 0x6a6 bytes
2026-04-28 01:37:20,157 [root] DEBUG: 8632: .NET JIT native cache at 0x08490000: scans and dumps active.
2026-04-28 01:37:20,188 [root] DEBUG: 1820: DLL loaded at 0x00007FFEFBA90000: C:\Windows\SYSTEM32\MSASN1 (0x12000 bytes).
2026-04-28 01:37:20,205 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:20,235 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:20,251 [root] DEBUG: 5144: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:37:20,360 [root] DEBUG: 8632: caller_dispatch: Added region at 0x08490000 to tracked regions list (advapi32::CryptAcquireContextW returns to 0x08491053, thread 2708).
2026-04-28 01:37:20,360 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5144_236098820372227142026 to CAPE\d2e0872717ae0cfdf1683bb6bc6b316a5435bdf7d2ff48861c0edef304e50cd1; Size is 1702; Max size: 100000000
2026-04-28 01:37:20,376 [root] INFO: Announced 64-bit process name: WMIADAP.exe pid: 3368
2026-04-28 01:37:20,376 [lib.api.process] INFO: Monitor config for <Process 3368 WMIADAP.exe>: C:\ltb6yatm\dll\3368.ini
2026-04-28 01:37:20,391 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08140000.
2026-04-28 01:37:20,407 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:20,423 [root] DEBUG: 1820: DLL loaded at 0x00007FFEE8700000: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\dpx (0xb9000 bytes).
2026-04-28 01:37:20,548 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x08490000 skipped
2026-04-28 01:37:20,657 [root] DEBUG: 5144: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5144_236098820372227142026 (size 1702 bytes)
2026-04-28 01:37:20,985 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x07FF0000.
2026-04-28 01:37:21,235 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:21,251 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0x03BDD000, size: 0x1000.
2026-04-28 01:37:21,298 [root] DEBUG: 5144: DumpRegion: Dumped entire allocation from 0x09AC0000, size 4096 bytes.
2026-04-28 01:37:21,298 [root] DEBUG: 8632: AllocationHandler: Previously reserved region at 0x08490000, committing at: 0x08494000.
2026-04-28 01:37:21,407 [root] DEBUG: 5144: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:21,782 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:21,782 [root] DEBUG: 1820: DLL loaded at 0x00007FFEACA20000: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\wcp (0x3bc000 bytes).
2026-04-28 01:37:21,798 [root] DEBUG: 8632: DumpPEsInRange: Scanning range 0x03BD0000 - 0x03BD156D.
2026-04-28 01:37:21,829 [root] DEBUG: 5144: ProcessTrackedRegion: Dumped region at 0x09AC0000.
2026-04-28 01:37:21,860 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A70000.
2026-04-28 01:37:21,860 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:37:21,907 [root] DEBUG: 8632: .NET JIT native cache at 0x09E60000: scans and dumps active.
2026-04-28 01:37:21,923 [root] DEBUG: 8632: ScanForDisguisedPE: No PE image located in range 0x03BD0000-0x03BD156D.
2026-04-28 01:37:21,954 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:37:21,985 [root] DEBUG: 1820: DLL loaded at 0x00007FFEFBFA0000: C:\Windows\System32\cfgmgr32 (0x4e000 bytes).
2026-04-28 01:37:22,001 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x06A20000.
2026-04-28 01:37:22,079 [root] DEBUG: Loader: Injecting process 3368 (thread 2032) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:22,095 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\8632_594129221372227142026 to CAPE\852435e1028a22d0b53ebfecb3107a93133bf82581885a84053298d1245db5ae; Size is 5485; Max size: 100000000
2026-04-28 01:37:22,095 [root] DEBUG: 8632: caller_dispatch: Added region at 0x09E60000 to tracked regions list (ntdll::NtCreateEvent returns to 0x09E61A59, thread 2708).
2026-04-28 01:37:22,173 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:37:22,173 [root] DEBUG: 8632: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\8632_594129221372227142026 (size 5485 bytes)
2026-04-28 01:37:22,267 [root] DEBUG: 1820: DLL loaded at 0x00007FFEE7E50000: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\DrUpdate (0x61000 bytes).
2026-04-28 01:37:22,313 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x09E60000 skipped
2026-04-28 01:37:22,360 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:22,392 [lib.api.process] INFO: Injected into 64-bit <Process 3368 WMIADAP.exe>
2026-04-28 01:37:22,392 [root] DEBUG: 8632: DumpRegion: Dumped entire allocation from 0x03BD0000, size 8192 bytes.
2026-04-28 01:37:22,423 [root] DEBUG: 8632: DLL loaded at 0x6FCA0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils (0x21000 bytes).
2026-04-28 01:37:22,485 [root] DEBUG: 7548: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:37:22,501 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x096F0000, size: 0x1000.
2026-04-28 01:37:22,517 [root] DEBUG: 8632: ProcessTrackedRegion: Dumped region at 0x03BD0000.
2026-04-28 01:37:22,532 [root] INFO: Announced 64-bit process name: WMIADAP.exe pid: 3368
2026-04-28 01:37:22,532 [root] DEBUG: 1820: DLL loaded at 0x00007FFEF2420000: C:\Windows\SYSTEM32\VssTrace (0x18000 bytes).
2026-04-28 01:37:22,532 [lib.api.process] INFO: Monitor config for <Process 3368 WMIADAP.exe>: C:\ltb6yatm\dll\3368.ini
2026-04-28 01:37:22,532 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0xFFDF0000, size: 0x50000.
2026-04-28 01:37:22,595 [root] DEBUG: 7548: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:37:22,610 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:22,704 [root] DEBUG: 8632: YaraScan: Scanning 0x03BD0000, size 0x156d
2026-04-28 01:37:22,782 [root] DEBUG: 8632: GetEntropy: Error - Supplied address inaccessible: 0xFFDF0000
2026-04-28 01:37:22,923 [root] DEBUG: 7548: DumpPEsInRange: Scanning range 0x096F0000 - 0x096F06A6.
2026-04-28 01:37:22,970 [root] DEBUG: 7548: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:37:23,173 [root] DEBUG: 1820: DLL loaded at 0x00007FFEF2440000: C:\Windows\SYSTEM32\VSSAPI (0x19e000 bytes).
2026-04-28 01:37:23,251 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x06BC0000.
2026-04-28 01:37:23,423 [root] DEBUG: 6384: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:37:23,438 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x08B50000, size: 0x1000.
2026-04-28 01:37:23,485 [root] DEBUG: 7548: ScanForDisguisedPE: Size too small: 0x6a6 bytes
2026-04-28 01:37:23,532 [root] DEBUG: 8632: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:23,532 [root] DEBUG: 7548: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:37:23,595 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x06BC0000.
2026-04-28 01:37:23,673 [root] DEBUG: 1820: DLL loaded at 0x00007FFEEDFA0000: C:\Windows\SYSTEM32\SPP (0x4b000 bytes).
2026-04-28 01:37:23,751 [root] DEBUG: 6384: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:37:23,798 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:23,891 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7548_938773823372227142026 to CAPE\34363f6529a3655fd9bed49d2479435be28428c373d3bd3bec1eac4c173df43c; Size is 1702; Max size: 100000000
2026-04-28 01:37:24,032 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0x09D60000, size: 0x8000.
2026-04-28 01:37:24,141 [root] DEBUG: 8632: AllocationHandler: Processing previous tracked region at: 0x08490000.
2026-04-28 01:37:24,188 [root] DEBUG: 6384: DumpPEsInRange: Scanning range 0x08B50000 - 0x08B506A6.
2026-04-28 01:37:24,188 [root] DEBUG: 6384: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:37:24,251 [root] DEBUG: 7548: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7548_938773823372227142026 (size 1702 bytes)
2026-04-28 01:37:24,266 [root] DEBUG: 8632: GetEntropy: Error - Supplied address inaccessible: 0x09D60000
2026-04-28 01:37:24,298 [root] DEBUG: 8632: ProcessTrackedRegion: .NET cache region at 0x08490000 skipped
2026-04-28 01:37:24,298 [root] DEBUG: 6384: ScanForDisguisedPE: Size too small: 0x6a6 bytes
2026-04-28 01:37:24,298 [root] DEBUG: 7548: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:24,391 [root] DEBUG: 6384: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:37:24,407 [root] DEBUG: 8632: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0xFFDF0000.
2026-04-28 01:37:24,485 [root] DEBUG: 1820: DLL loaded at 0x00007FFEFBDE0000: C:\Windows\SYSTEM32\POWRPROF (0x4b000 bytes).
2026-04-28 01:37:24,548 [root] DEBUG: 7548: DumpRegion: Dumped entire allocation from 0x096F0000, size 4096 bytes.
2026-04-28 01:37:24,595 [root] DEBUG: 8632: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:24,626 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\6384_889264324372227142026 to CAPE\bef2bd710720e0e5f3eb5f664fc490f2ff7a2cc20294480f0681203248776506; Size is 1702; Max size: 100000000
2026-04-28 01:37:24,657 [root] DEBUG: 8632: AllocationHandler: Previously reserved region at 0xFFDF0000, committing at: 0xFFDF0000.
2026-04-28 01:37:24,673 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:37:24,766 [root] DEBUG: 1820: DLL loaded at 0x00007FFEF0810000: C:\Windows\SYSTEM32\SrClient (0x17000 bytes).
2026-04-28 01:37:24,829 [root] DEBUG: 7548: ProcessTrackedRegion: Dumped region at 0x096F0000.
2026-04-28 01:37:24,860 [root] DEBUG: 8632: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x09D60000.
2026-04-28 01:37:24,955 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0xFFDF0000.
2026-04-28 01:37:24,970 [root] DEBUG: Loader: Injecting process 3368 (thread 2032) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:24,985 [root] DEBUG: 6384: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:25,063 [root] DEBUG: 8632: AllocationHandler: Previously reserved region at 0x09D60000, committing at: 0x09D60000.
2026-04-28 01:37:25,532 [root] DEBUG: 6384: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\6384_889264324372227142026 (size 1702 bytes)
2026-04-28 01:37:25,641 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:25,657 [root] DEBUG: 1820: DLL loaded at 0x00007FFEFBDC0000: C:\Windows\SYSTEM32\UMPDC (0x12000 bytes).
2026-04-28 01:37:25,657 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0xFFDF0000.
2026-04-28 01:37:25,673 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:37:25,735 [root] DEBUG: 6136: DLL loaded at 0x00007FFEE8FB0000: C:\Program Files\Windows Defender\mpclient (0xe9000 bytes).
2026-04-28 01:37:25,735 [root] DEBUG: 8632: AllocationHandler: Allocation already in tracked region list: 0x06BC0000.
2026-04-28 01:37:25,751 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0xFFDE0000, size: 0x10000.
2026-04-28 01:37:25,766 [root] DEBUG: 6384: DumpRegion: Dumped entire allocation from 0x08B50000, size 4096 bytes.
2026-04-28 01:37:25,766 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:25,813 [lib.api.process] INFO: Injected into 64-bit <Process 3368 WMIADAP.exe>
2026-04-28 01:37:25,829 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: ￎ￲￪￠￧￠￭￮ ￢ ￤￮￱￲￳￯￥.
2026-04-28 01:37:25,845 [root] DEBUG: 8632: GetEntropy: Error - Supplied address inaccessible: 0xFFDE0000
2026-04-28 01:37:25,923 [root] DEBUG: 6384: ProcessTrackedRegion: Dumped region at 0x08B50000.
2026-04-28 01:37:25,970 [root] DEBUG: 6136: DLL loaded at 0x00007FFEFDBE0000: C:\Windows\System32\SHELL32 (0x743000 bytes).
2026-04-28 01:37:25,985 [root] DEBUG: 8632: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:25,985 [root] DEBUG: 1820: OpenProcessHandler: Injection info created for process 3664, handle 0x324: Error obtaining target process name
2026-04-28 01:37:25,985 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:26,017 [root] DEBUG: 3368: Python path set to 'C:\Python310'.
2026-04-28 01:37:26,063 [root] DEBUG: 8632: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0xFFDE0000.
2026-04-28 01:37:26,188 [root] DEBUG: 6136: DLL loaded at 0x00007FFEF5730000: C:\Windows\SYSTEM32\VERSION (0xa000 bytes).
2026-04-28 01:37:26,579 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 948: C:\Windows\system32\DllHost.exe, ImageBase: 0x00007FF6F2810000
2026-04-28 01:37:26,798 [root] DEBUG: 3368: Dropped file limit defaulting to 100.
2026-04-28 01:37:27,360 [root] DEBUG: 8632: AllocationHandler: Previously reserved region at 0xFFDE0000, committing at: 0xFFDE0000.
2026-04-28 01:37:27,595 [root] DEBUG: 6136: DLL loaded at 0x00007FFEFBE70000: C:\Windows\SYSTEM32\USERENV (0x2e000 bytes).
2026-04-28 01:37:27,688 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 948
2026-04-28 01:37:27,813 [lib.api.process] INFO: Monitor config for <Process 948 dllhost.exe>: C:\ltb6yatm\dll\948.ini
2026-04-28 01:37:28,266 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:37:28,470 [root] DEBUG: 3368: Disabling sleep skipping.
2026-04-28 01:37:28,579 [root] DEBUG: 6136: DLL loaded at 0x00007FFEFBFF0000: C:\Windows\System32\WINTRUST (0x69000 bytes).
2026-04-28 01:37:28,688 [root] DEBUG: 3368: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:37:28,891 [root] DEBUG: Loader: Injecting process 948 (thread 5964) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:29,079 [root] DEBUG: 8632: DLL loaded at 0x6FDA0000: C:\Windows\SYSTEM32\wbemcomn (0x70000 bytes).
2026-04-28 01:37:29,595 [root] DEBUG: 6136: DLL loaded at 0x00007FFEF6A30000: C:\Windows\SYSTEM32\WTSAPI32 (0x14000 bytes).
2026-04-28 01:37:29,907 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:37:30,126 [root] DEBUG: 3368: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:37:30,313 [root] DEBUG: 1820: DLL loaded at 0x00007FFEE7DC0000: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\msdelta (0x85000 bytes).
2026-04-28 01:37:30,329 [root] DEBUG: 8632: DLL loaded at 0x6FC80000: C:\Windows\system32\wbem\wmiutils (0x1d000 bytes).
2026-04-28 01:37:30,360 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:30,376 [root] DEBUG: 3368: YaraScan: Scanning 0x00007FF6B3210000, size 0x302f8
2026-04-28 01:37:30,376 [lib.api.process] INFO: Injected into 64-bit <Process 948 dllhost.exe>
2026-04-28 01:37:30,391 [root] DEBUG: 8632: DLL loaded at 0x704A0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2026-04-28 01:37:30,407 [root] DEBUG: 6136: DLL loaded at 0x00007FFEE6C70000: C:\Program Files\Windows Defender\ProtectionManagement (0xac000 bytes).
2026-04-28 01:37:30,438 [root] DEBUG: 3368: Monitor initialised: 64-bit capemon loaded in process 3368 at 0x00007FFEABCB0000, thread 2032, image base 0x00007FF6B3210000, stack from 0x000000A20CD30000-0x000000A20CD40000
2026-04-28 01:37:30,470 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 948
2026-04-28 01:37:30,485 [lib.api.process] INFO: Monitor config for <Process 948 dllhost.exe>: C:\ltb6yatm\dll\948.ini
2026-04-28 01:37:30,641 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:37:30,751 [root] DEBUG: 3368: Commandline: wmiadap.exe /F /T /R
2026-04-28 01:37:31,438 [root] DEBUG: 8632: DLL loaded at 0x70490000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2026-04-28 01:37:31,485 [root] DEBUG: 6136: DLL loaded at 0x00007FFEFBA90000: C:\Windows\System32\MSASN1 (0x12000 bytes).
2026-04-28 01:37:31,751 [root] DEBUG: Loader: Injecting process 948 (thread 5964) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:31,782 [root] DEBUG: 3368: hook_api: LdrpCallInitRoutine export address 0x00007FFEFE8699BC obtained via GetFunctionAddress
2026-04-28 01:37:31,938 [root] DEBUG: 8632: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2026-04-28 01:37:32,282 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:37:32,360 [root] WARNING: b'Unable to place hook on LockResource'
2026-04-28 01:37:32,657 [root] DEBUG: 1820: api-cap: NtEnumerateValueKey hook disabled due to count: 5000
2026-04-28 01:37:32,704 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:32,720 [root] DEBUG: 3368: set_hooks: Unable to hook LockResource
2026-04-28 01:37:32,766 [lib.api.process] INFO: Injected into 64-bit <Process 948 dllhost.exe>
2026-04-28 01:37:32,766 [root] DEBUG: 8632: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:32,782 [root] DEBUG: 6136: DLL loaded at 0x00007FFEF1D10000: C:\Windows\SYSTEM32\miutils (0x60000 bytes).
2026-04-28 01:37:32,938 [root] DEBUG: 1820: api-cap: NtQueryValueKey hook disabled due to count: 5000
2026-04-28 01:37:33,126 [root] DEBUG: 3368: Hooked 627 out of 628 functions
2026-04-28 01:37:33,704 [root] DEBUG: 6136: DLL loaded at 0x00007FFEF1E50000: C:\Windows\SYSTEM32\mi (0x23000 bytes).
2026-04-28 01:37:33,813 [root] DEBUG: 948: Python path set to 'C:\Python310'.
2026-04-28 01:37:34,141 [root] DEBUG: 3368: Syscall hook installed, syscall logging level 1
2026-04-28 01:37:34,251 [root] DEBUG: 948: Dropped file limit defaulting to 100.
2026-04-28 01:37:34,282 [root] DEBUG: 6136: DLL loaded at 0x00007FFEE84F0000: C:\Windows\system32\wmitomi (0x3a000 bytes).
2026-04-28 01:37:34,282 [root] DEBUG: 3368: RestoreHeaders: Restored original import table.
2026-04-28 01:37:34,329 [root] DEBUG: 948: Disabling sleep skipping.
2026-04-28 01:37:34,360 [root] DEBUG: 948: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:37:34,407 [root] INFO: Loaded monitor into process with pid 3368
2026-04-28 01:37:34,454 [root] DEBUG: 948: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:37:34,470 [root] DEBUG: 3368: caller_dispatch: Added region at 0x00007FF6B3210000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6B32262B1, thread 2032).
2026-04-28 01:37:34,532 [root] DEBUG: 948: YaraScan: Scanning 0x00007FF6F2810000, size 0x8026
2026-04-28 01:37:34,751 [root] DEBUG: 3368: YaraScan: Scanning 0x00007FF6B3210000, size 0x302f8
2026-04-28 01:37:35,204 [root] DEBUG: 948: Monitor initialised: 64-bit capemon loaded in process 948 at 0x00007FFEABCB0000, thread 5964, image base 0x00007FF6F2810000, stack from 0x0000004E9B6F4000-0x0000004E9B700000
2026-04-28 01:37:35,454 [root] DEBUG: 3368: ProcessImageBase: Main module image at 0x00007FF6B3210000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:37:35,563 [root] DEBUG: 948: Commandline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2026-04-28 01:37:35,860 [root] DEBUG: 3368: set_hooks_by_export_directory: Hooked 0 out of 628 functions
2026-04-28 01:37:35,891 [root] DEBUG: 948: hook_api: LdrpCallInitRoutine export address 0x00007FFEFE8699BC obtained via GetFunctionAddress
2026-04-28 01:37:36,704 [root] DEBUG: 3368: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:37:36,845 [root] WARNING: b'Unable to place hook on LockResource'
2026-04-28 01:37:36,860 [root] DEBUG: 3368: DLL loaded at 0x00007FFEFC380000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-04-28 01:37:36,985 [root] DEBUG: 948: set_hooks: Unable to hook LockResource
2026-04-28 01:37:37,095 [root] DEBUG: 948: Hooked 627 out of 628 functions
2026-04-28 01:37:37,110 [root] DEBUG: 3368: DLL loaded at 0x00007FFEFCC00000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-04-28 01:37:37,141 [root] DEBUG: 6136: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:37,157 [root] DEBUG: 948: Syscall hook installed, syscall logging level 1
2026-04-28 01:37:37,157 [root] DEBUG: 3368: DLL loaded at 0x00007FFEF1EB0000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2026-04-28 01:37:37,220 [root] DEBUG: 948: RestoreHeaders: Restored original import table.
2026-04-28 01:37:37,220 [root] DEBUG: 3368: DEBUG:Initialized 9 com hooks
2026-04-28 01:37:37,251 [root] INFO: Loaded monitor into process with pid 948
2026-04-28 01:37:37,267 [root] DEBUG: 948: caller_dispatch: Added region at 0x00007FF6F2810000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF6F28117A9, thread 5964).
2026-04-28 01:37:37,267 [root] DEBUG: 3368: DLL loaded at 0x00007FFEF2120000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2026-04-28 01:37:37,282 [root] DEBUG: 948: YaraScan: Scanning 0x00007FF6F2810000, size 0x8026
2026-04-28 01:37:37,485 [root] DEBUG: 948: ProcessImageBase: Main module image at 0x00007FF6F2810000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:37:37,876 [root] DEBUG: 3368: DLL loaded at 0x00007FFEF2140000: C:\Windows\system32\wbem\fastprox (0x10b000 bytes).
2026-04-28 01:37:38,001 [root] DEBUG: 948: set_hooks_by_export_directory: Hooked 0 out of 628 functions
2026-04-28 01:37:38,220 [root] DEBUG: 948: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:37:38,251 [root] DEBUG: 3368: DLL loaded at 0x00007FFEF08D0000: C:\Windows\SYSTEM32\amsi (0x20000 bytes).
2026-04-28 01:37:38,251 [root] DEBUG: 948: DLL loaded at 0x00007FFEFC380000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-04-28 01:37:38,282 [root] DEBUG: 3368: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:38,298 [root] DEBUG: 948: DLL loaded at 0x00007FFEFCC00000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-04-28 01:37:38,595 [root] DEBUG: 948: DLL loaded at 0x00007FFEF9980000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-04-28 01:37:38,720 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFA860000: C:\Windows\SYSTEM32\dxgi (0xf3000 bytes).
2026-04-28 01:37:38,860 [root] DEBUG: 6136: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:39,673 [root] DEBUG: 6136: DLL loaded at 0x00007FFEFA830000: C:\Windows\SYSTEM32\gpapi (0x23000 bytes).
2026-04-28 01:37:39,782 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFD240000: C:\Windows\System32\setupapi (0x46f000 bytes).
2026-04-28 01:37:39,813 [root] DEBUG: 6136: DLL loaded at 0x00007FFEF0790000: C:\Program Files\Windows Defender\MsMpCom (0x18000 bytes).
2026-04-28 01:37:39,860 [root] DEBUG: 3368: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:39,923 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBFF0000: C:\Windows\System32\WINTRUST (0x69000 bytes).
2026-04-28 01:37:39,938 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBA90000: C:\Windows\SYSTEM32\MSASN1 (0x12000 bytes).
2026-04-28 01:37:40,048 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFA860000: C:\Windows\SYSTEM32\dxgi (0xf3000 bytes).
2026-04-28 01:37:40,985 [root] DEBUG: 948: DEBUG:Initialized 9 com hooks
2026-04-28 01:37:41,079 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFD240000: C:\Windows\System32\setupapi (0x46f000 bytes).
2026-04-28 01:37:41,470 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBFF0000: C:\Windows\System32\WINTRUST (0x69000 bytes).
2026-04-28 01:37:41,485 [root] DEBUG: 948: DLL loaded at 0x00007FFEFE330000: C:\Windows\System32\shcore (0xad000 bytes).
2026-04-28 01:37:42,329 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBA90000: C:\Windows\SYSTEM32\MSASN1 (0x12000 bytes).
2026-04-28 01:37:42,376 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFD240000: C:\Windows\System32\setupapi (0x46f000 bytes).
2026-04-28 01:37:42,407 [root] DEBUG: 7728: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:42,407 [root] DEBUG: 3596: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:42,423 [root] DEBUG: 948: DLL loaded at 0x00007FFEE2610000: C:\Windows\System32\thumbcache (0x66000 bytes).
2026-04-28 01:37:42,688 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBFF0000: C:\Windows\System32\WINTRUST (0x69000 bytes).
2026-04-28 01:37:42,782 [root] DEBUG: 948: DLL loaded at 0x00007FFEF6F00000: C:\Windows\system32\propsys (0xf6000 bytes).
2026-04-28 01:37:43,704 [root] DEBUG: 6384: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:43,829 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBA90000: C:\Windows\SYSTEM32\MSASN1 (0x12000 bytes).
2026-04-28 01:37:43,845 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:43,860 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:43,907 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:43,985 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:44,032 [root] DEBUG: 3444: DLL loaded at 0x00007FFEE6AF0000: C:\Windows\system32\MFC42u (0x172000 bytes).
2026-04-28 01:37:44,126 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:44,282 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:44,876 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:45,126 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF07F0000: C:\Windows\system32\ATL (0x1d000 bytes).
2026-04-28 01:37:45,220 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:45,220 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:45,251 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:45,251 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:45,298 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBFF0000: C:\Windows\System32\WINTRUST (0x69000 bytes).
2026-04-28 01:37:45,376 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:45,407 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:45,516 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:45,548 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFD240000: C:\Windows\System32\SETUPAPI (0x46f000 bytes).
2026-04-28 01:37:45,548 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:45,595 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:45,626 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x085C0000.
2026-04-28 01:37:45,704 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFDBE0000: C:\Windows\System32\SHELL32 (0x743000 bytes).
2026-04-28 01:37:46,485 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x09080000.
2026-04-28 01:37:46,688 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:46,720 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:46,735 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF1C10000: C:\Windows\system32\signdrv (0x14000 bytes).
2026-04-28 01:37:46,829 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:46,845 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:46,860 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:46,891 [root] DEBUG: 3836: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:46,907 [root] DEBUG: 3404: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:46,907 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:46,970 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:46,970 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:46,985 [root] DEBUG: 3368: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:47,048 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:47,063 [root] DEBUG: 7548: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:47,079 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:47,110 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:47,516 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBA90000: C:\Windows\System32\MSASN1 (0x12000 bytes).
2026-04-28 01:37:47,798 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:47,907 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:47,985 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:48,048 [root] DEBUG: 3836: api-cap: compileMethod hook disabled due to count: 5000
2026-04-28 01:37:48,532 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:48,673 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:49,079 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08750000.
2026-04-28 01:37:49,251 [root] DEBUG: 3444: DLL loaded at 0x00007FFEAF670000: C:\Windows\SYSTEM32\USP10 (0x19000 bytes).
2026-04-28 01:37:49,266 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:49,298 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x08830000, size: 0x1000.
2026-04-28 01:37:49,298 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:49,329 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:49,563 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:49,657 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x084C0000, size: 0x1000.
2026-04-28 01:37:49,704 [root] INFO: Process with pid 948 has terminated
2026-04-28 01:37:49,704 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:49,735 [root] DEBUG: 3836: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:49,735 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:49,923 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:50,079 [root] DEBUG: 3444: DLL loaded at 0x00007FFEEFF10000: C:\Windows\SYSTEM32\msls31 (0x39000 bytes).
2026-04-28 01:37:50,298 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:50,501 [root] DEBUG: 3444: DLL loaded at 0x00007FFEE6960000: C:\Windows\SYSTEM32\RICHED20 (0x9a000 bytes).
2026-04-28 01:37:50,688 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:50,704 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 2168: C:\Windows\system32\DllHost.exe, ImageBase: 0x00007FF6F2810000
2026-04-28 01:37:50,766 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:50,829 [root] DEBUG: 948: NtTerminateProcess hook: Attempting to dump process 948
2026-04-28 01:37:50,829 [root] DEBUG: 3836: DumpPEsInRange: Scanning range 0x08830000 - 0x088308DD.
2026-04-28 01:37:50,829 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:50,845 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:50,876 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:51,016 [root] DEBUG: 3596: DumpPEsInRange: Scanning range 0x084C0000 - 0x084C065B.
2026-04-28 01:37:51,095 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF08F0000: C:\Windows\SYSTEM32\RICHED32 (0x7000 bytes).
2026-04-28 01:37:51,110 [root] DEBUG: 3596: ScanForDisguisedPE: Size too small: 0x65b bytes
2026-04-28 01:37:51,126 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 2168
2026-04-28 01:37:51,141 [lib.api.process] INFO: Monitor config for <Process 2168 dllhost.exe>: C:\ltb6yatm\dll\2168.ini
2026-04-28 01:37:51,626 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:37:51,641 [root] DEBUG: 3836: ScanForDisguisedPE: No PE image located in range 0x08830000-0x088308DD.
2026-04-28 01:37:52,079 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:52,220 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09D50000.
2026-04-28 01:37:52,360 [root] DEBUG: 948: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:37:52,423 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:52,516 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08B50000.
2026-04-28 01:37:52,548 [root] DEBUG: 3488: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:52,563 [root] DEBUG: Loader: Injecting process 2168 (thread 1576) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:52,563 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3596_291072651372227142026 to CAPE\515d568a7de2f4dc0e88e10561702591aa3b40e72cc8cfeed205ba548e64ffa3; Size is 1627; Max size: 100000000
2026-04-28 01:37:52,579 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x09800000.
2026-04-28 01:37:52,610 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x08480000, size: 0x1000.
2026-04-28 01:37:52,610 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3836_390843651372227142026 to CAPE\be3109c3a68ef92061b0b3fbb5623c12cd353f52a70392aac15c034d56849a63; Size is 2269; Max size: 100000000
2026-04-28 01:37:52,751 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08AA0000.
2026-04-28 01:37:52,782 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x08D80000, size: 0x1000.
2026-04-28 01:37:52,985 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:37:53,360 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:53,595 [root] DEBUG: 3596: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3596_291072651372227142026 (size 1627 bytes)
2026-04-28 01:37:53,610 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:53,720 [root] DEBUG: 3836: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3836_390843651372227142026 (size 2269 bytes)
2026-04-28 01:37:53,720 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:53,735 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:53,735 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:37:53,751 [lib.api.process] INFO: Injected into 64-bit <Process 2168 dllhost.exe>
2026-04-28 01:37:53,782 [root] DEBUG: 7728: DumpPEsInRange: Scanning range 0x08480000 - 0x08480122.
2026-04-28 01:37:53,798 [root] DEBUG: 3596: DumpRegion: Dumped entire allocation from 0x084C0000, size 4096 bytes.
2026-04-28 01:37:53,845 [root] DEBUG: 3836: DumpRegion: Dumped entire allocation from 0x08830000, size 4096 bytes.
2026-04-28 01:37:53,876 [root] DEBUG: 3596: ProcessTrackedRegion: Dumped region at 0x084C0000.
2026-04-28 01:37:53,923 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:54,016 [root] DEBUG: 6384: DumpPEsInRange: Scanning range 0x08D80000 - 0x08D803FD.
2026-04-28 01:37:54,032 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:54,048 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:54,063 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:37:54,063 [root] DEBUG: 6384: ScanForDisguisedPE: Size too small: 0x3fd bytes
2026-04-28 01:37:54,079 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 2168
2026-04-28 01:37:54,095 [lib.api.process] INFO: Monitor config for <Process 2168 dllhost.exe>: C:\ltb6yatm\dll\2168.ini
2026-04-28 01:37:54,141 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:37:54,266 [root] DEBUG: 7728: ScanForDisguisedPE: Size too small: 0x122 bytes
2026-04-28 01:37:54,360 [root] DEBUG: 3836: ProcessTrackedRegion: Dumped region at 0x08830000.
2026-04-28 01:37:54,641 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:37:54,907 [root] DEBUG: 6384: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:55,173 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:55,298 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:37:55,423 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:55,454 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\6384_128382954372227142026 to CAPE\2e4cc692499cb8fc1e307d85a77def25ddc3432b80dd2d3b269ba99e28c608c4; Size is 1021; Max size: 100000000
2026-04-28 01:37:55,470 [root] DEBUG: Loader: Injecting process 2168 (thread 1576) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:55,470 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:37:55,485 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7728_377034054372227142026 to CAPE\7a0a1079e8cbd51247cea8bc38e1fa07147b7a8d2de818e9ed50b5de58ed0404; Size is 827; Max size: 100000000
2026-04-28 01:37:55,501 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:37:55,501 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:37:55,532 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:55,595 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:37:55,657 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:55,766 [root] DEBUG: 6384: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\6384_128382954372227142026 (size 1021 bytes)
2026-04-28 01:37:55,782 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:37:55,782 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:37:55,923 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x03130000.
2026-04-28 01:37:56,188 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:37:56,407 [root] DEBUG: 7728: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7728_377034054372227142026 (size 827 bytes)
2026-04-28 01:37:56,641 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:37:56,876 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:57,110 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:57,298 [root] DEBUG: 6384: DumpRegion: Dumped entire allocation from 0x08D80000, size 4096 bytes.
2026-04-28 01:37:57,391 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 1424: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x00007FF6402C0000
2026-04-28 01:37:57,407 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:37:57,423 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:37:57,454 [lib.api.process] INFO: Injected into 64-bit <Process 2168 dllhost.exe>
2026-04-28 01:37:57,454 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:37:57,595 [root] DEBUG: 7728: DumpRegion: Dumped entire allocation from 0x08480000, size 4096 bytes.
2026-04-28 01:37:57,767 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:37:58,001 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:58,516 [root] DEBUG: 6384: ProcessTrackedRegion: Dumped region at 0x08D80000.
2026-04-28 01:37:58,532 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:58,548 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFA860000: C:\Windows\SYSTEM32\dxgi (0xf3000 bytes).
2026-04-28 01:37:58,548 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:37:58,579 [root] DEBUG: 2168: Python path set to 'C:\Python310'.
2026-04-28 01:37:58,579 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:37:58,579 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 1424
2026-04-28 01:37:58,641 [lib.api.process] INFO: Monitor config for <Process 1424 WmiPrvSE.exe>: C:\ltb6yatm\dll\1424.ini
2026-04-28 01:37:58,641 [root] DEBUG: 2168: Dropped file limit defaulting to 100.
2026-04-28 01:37:58,657 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:37:58,673 [root] DEBUG: 7728: ProcessTrackedRegion: Dumped region at 0x08480000.
2026-04-28 01:37:58,767 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:37:58,782 [root] DEBUG: 5200: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:58,798 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:37:58,798 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:37:58,892 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:37:58,938 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:37:58,954 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFA860000: C:\Windows\SYSTEM32\dxgi (0xf3000 bytes).
2026-04-28 01:37:59,126 [root] DEBUG: 3368: DLL loaded at 0x00007FFEFD100000: C:\Windows\System32\PSAPI (0x8000 bytes).
2026-04-28 01:37:59,345 [root] DEBUG: 3596: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:37:59,751 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:37:59,954 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:38:00,001 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:38:00,157 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:00,204 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x043A0000.
2026-04-28 01:38:00,563 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:38:00,579 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:38:00,641 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:38:01,485 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF4220000: C:\Windows\System32\Win32_DeviceGuard (0xc000 bytes).
2026-04-28 01:38:01,548 [root] DEBUG: 2168: Disabling sleep skipping.
2026-04-28 01:38:01,579 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:01,595 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:38:01,673 [root] DEBUG: 3368: DLL loaded at 0x00007FFEEFC60000: C:\Windows\SYSTEM32\loadperf (0x25000 bytes).
2026-04-28 01:38:01,735 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x06740000.
2026-04-28 01:38:01,766 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:38:01,829 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:01,845 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:38:01,876 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x096F0000.
2026-04-28 01:38:01,954 [root] DEBUG: Loader: Injecting process 1424 (thread 2772) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:38:01,970 [root] DEBUG: 2168: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:38:02,048 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF1D10000: C:\Windows\SYSTEM32\miutils (0x60000 bytes).
2026-04-28 01:38:02,173 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:02,360 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:38:02,501 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:38:02,595 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x09500000, size: 0x1000.
2026-04-28 01:38:02,798 [root] DEBUG: 3368: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:38:03,173 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:03,173 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:03,204 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x08A13000, size: 0x1000.
2026-04-28 01:38:03,204 [root] DEBUG: 2168: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:38:03,220 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:38:03,313 [root] DEBUG: 7728: AllocationHandler: Previously reserved region at 0x091D0000, committing at: 0x091D3000.
2026-04-28 01:38:03,329 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x05DE0000, size: 0x1000.
2026-04-28 01:38:03,360 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:38:03,391 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:38:03,423 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:03,516 [root] DEBUG: 6384: AllocationHandler: Previously reserved region at 0x0A090000, committing at: 0x0A093000.
2026-04-28 01:38:03,532 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:03,579 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF1E50000: C:\Windows\SYSTEM32\mi (0x23000 bytes).
2026-04-28 01:38:03,595 [root] DEBUG: 2168: YaraScan: Scanning 0x00007FF6F2810000, size 0x8026
2026-04-28 01:38:03,610 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:38:03,610 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:38:03,923 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:04,079 [lib.api.process] INFO: Injected into 64-bit <Process 1424 WmiPrvSE.exe>
2026-04-28 01:38:04,079 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:04,251 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:38:04,485 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:38:04,673 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:04,688 [root] DEBUG: 3404: DumpPEsInRange: Scanning range 0x09500000 - 0x09500234.
2026-04-28 01:38:04,704 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:04,720 [root] DEBUG: 2168: Monitor initialised: 64-bit capemon loaded in process 2168 at 0x00007FFEABCB0000, thread 1576, image base 0x00007FF6F2810000, stack from 0x0000005800BB4000-0x0000005800BC0000
2026-04-28 01:38:04,751 [root] DEBUG: 3444: DLL loaded at 0x00007FFEE84F0000: C:\Windows\system32\wmitomi (0x3a000 bytes).
2026-04-28 01:38:04,798 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:38:04,845 [root] DEBUG: 2168: Commandline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2026-04-28 01:38:04,876 [root] DEBUG: 7548: DumpPEsInRange: Scanning range 0x05DE0000 - 0x05DE052A.
2026-04-28 01:38:04,891 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 1424
2026-04-28 01:38:04,907 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08CD0000.
2026-04-28 01:38:04,907 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x09BF0000.
2026-04-28 01:38:04,907 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:38:04,907 [lib.api.process] INFO: Monitor config for <Process 1424 WmiPrvSE.exe>: C:\ltb6yatm\dll\1424.ini
2026-04-28 01:38:05,235 [root] DEBUG: 3404: ScanForDisguisedPE: Size too small: 0x234 bytes
2026-04-28 01:38:05,407 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:05,688 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:05,766 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:38:05,813 [root] DEBUG: 2168: hook_api: LdrpCallInitRoutine export address 0x00007FFEFE8699BC obtained via GetFunctionAddress
2026-04-28 01:38:05,891 [root] DEBUG: 7548: ScanForDisguisedPE: Size too small: 0x52a bytes
2026-04-28 01:38:05,923 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x08AD0000, size: 0x1000.
2026-04-28 01:38:05,938 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:05,985 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:38:06,032 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:06,063 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:06,063 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3404_54415905382227142026 to CAPE\b889d68d880bd1a4727325fc8567b39439333a20510d8c273522410161084c88; Size is 3774; Max size: 100000000
2026-04-28 01:38:06,079 [root] WARNING: b'Unable to place hook on LockResource'
2026-04-28 01:38:06,095 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:38:06,220 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7548_232764845382227142026 to CAPE\892d62aaddf8112fed660c3775b6e7a7383c03df3883de5cd50dd2be635b54ad; Size is 1859; Max size: 100000000
2026-04-28 01:38:06,657 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:07,173 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:07,188 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:38:07,251 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:38:07,298 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:07,376 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:07,454 [root] DEBUG: 3404: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3404_54415905382227142026 (size 3774 bytes)
2026-04-28 01:38:07,563 [root] DEBUG: 2168: set_hooks: Unable to hook LockResource
2026-04-28 01:38:07,813 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:38:08,141 [root] DEBUG: 7548: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7548_232764845382227142026 (size 1859 bytes)
2026-04-28 01:38:08,220 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:08,251 [root] DEBUG: 3488: DumpPEsInRange: Scanning range 0x08AD0000 - 0x08AD078E.
2026-04-28 01:38:08,282 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:38:08,313 [root] DEBUG: Loader: Injecting process 1424 (thread 2772) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:38:08,345 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:08,391 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:08,470 [root] DEBUG: 3404: DumpRegion: Dumped entire allocation from 0x09500000, size 4096 bytes.
2026-04-28 01:38:08,485 [root] DEBUG: 2168: Hooked 627 out of 628 functions
2026-04-28 01:38:08,516 [root] DEBUG: 7548: DumpRegion: Dumped entire allocation from 0x05DE0000, size 4096 bytes.
2026-04-28 01:38:08,673 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:38:08,813 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:09,329 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:38:09,501 [root] DEBUG: 3488: ScanForDisguisedPE: Size too small: 0x78e bytes
2026-04-28 01:38:09,532 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-04-28 01:38:09,595 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:09,641 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x0A090000.
2026-04-28 01:38:09,860 [root] DEBUG: 3404: ProcessTrackedRegion: Dumped region at 0x09500000.
2026-04-28 01:38:09,970 [root] DEBUG: 6384: api-cap: NtDelayExecution hook disabled due to count: 5000
2026-04-28 01:38:10,001 [root] DEBUG: 7548: ProcessTrackedRegion: Dumped region at 0x05DE0000.
2026-04-28 01:38:10,095 [root] DEBUG: 6384: api-cap: NtDelayExecution hook disabled due to count: 5001
2026-04-28 01:38:10,298 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08A10000.
2026-04-28 01:38:10,579 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:10,767 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3488_119201169382227142026 to CAPE\7d0e69a161f3978f1ade9b80a597791b15363712c5d8110e88282bbe2ee5105d; Size is 1934; Max size: 100000000
2026-04-28 01:38:10,798 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x08503000, size: 0x1000.
2026-04-28 01:38:10,985 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:38:11,095 [lib.api.process] INFO: Injected into 64-bit <Process 1424 WmiPrvSE.exe>
2026-04-28 01:38:11,141 [root] DEBUG: 2168: Syscall hook installed, syscall logging level 1
2026-04-28 01:38:11,188 [root] DEBUG: 3596: api-cap: NtDelayExecution hook disabled due to count: 5000
2026-04-28 01:38:11,235 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:11,266 [root] DEBUG: 3596: api-cap: NtDelayExecution hook disabled due to count: 5001
2026-04-28 01:38:11,345 [root] DEBUG: 7728: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:38:11,579 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:11,798 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:12,204 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x045BA000, size: 0x1000.
2026-04-28 01:38:12,235 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x091D0000.
2026-04-28 01:38:12,360 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFA860000: C:\Windows\SYSTEM32\dxgi (0xf3000 bytes).
2026-04-28 01:38:12,392 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:12,454 [root] DEBUG: 3488: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3488_119201169382227142026 (size 1934 bytes)
2026-04-28 01:38:12,485 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08830000.
2026-04-28 01:38:13,001 [root] DEBUG: 3404: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:38:13,329 [root] DEBUG: 1424: Python path set to 'C:\Python310'.
2026-04-28 01:38:13,470 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:13,595 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x061AA000, size: 0x1000.
2026-04-28 01:38:13,610 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:13,657 [root] DEBUG: 3488: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:38:13,720 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x045B0000.
2026-04-28 01:38:13,923 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:14,001 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFA860000: C:\Windows\SYSTEM32\dxgi (0xf3000 bytes).
2026-04-28 01:38:14,173 [root] DEBUG: 2168: RestoreHeaders: Restored original import table.
2026-04-28 01:38:14,376 [root] DEBUG: 3488: DumpRegion: Dumped entire allocation from 0x08AD0000, size 4096 bytes.
2026-04-28 01:38:14,657 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:14,766 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x09AD0000, size: 0x1000.
2026-04-28 01:38:14,829 [root] DEBUG: 1424: Dropped file limit defaulting to 100.
2026-04-28 01:38:14,845 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:14,891 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x061A0000.
2026-04-28 01:38:14,923 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 8616: C:\Windows\system32\DllHost.exe, ImageBase: 0x00007FF6F2810000
2026-04-28 01:38:14,938 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:15,188 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:15,220 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:38:15,485 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x05A4A000, size: 0x1000.
2026-04-28 01:38:15,704 [root] DEBUG: 3488: ProcessTrackedRegion: Dumped region at 0x08AD0000.
2026-04-28 01:38:16,126 [root] DEBUG: 7548: AllocationHandler: Previously reserved region at 0x092B0000, committing at: 0x092B3000.
2026-04-28 01:38:16,438 [root] INFO: Loaded monitor into process with pid 2168
2026-04-28 01:38:16,454 [root] DEBUG: 3836: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:16,485 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:16,532 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08540000.
2026-04-28 01:38:16,798 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:17,251 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 8616
2026-04-28 01:38:17,313 [lib.api.process] INFO: Monitor config for <Process 8616 dllhost.exe>: C:\ltb6yatm\dll\8616.ini
2026-04-28 01:38:17,563 [root] DEBUG: 7496: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:38:17,610 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\xzHEKGQ.dll, loader C:\ltb6yatm\bin\FktMnuSd.exe
2026-04-28 01:38:17,610 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x05A40000.
2026-04-28 01:38:17,704 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08A10000.
2026-04-28 01:38:17,751 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:17,782 [root] DEBUG: 1424: Disabling sleep skipping.
2026-04-28 01:38:17,829 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:17,876 [root] DEBUG: 3836: DumpPEsInRange: Scanning range 0x09AD0000 - 0x09AD01BA.
2026-04-28 01:38:17,970 [root] DEBUG: 2168: caller_dispatch: Added region at 0x00007FF6F2810000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF6F28112F2, thread 1576).
2026-04-28 01:38:18,251 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x0A090000.
2026-04-28 01:38:18,438 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x08560000, size: 0x1000.
2026-04-28 01:38:19,001 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x0A050000.
2026-04-28 01:38:19,313 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:19,423 [root] DEBUG: Loader: Injecting process 8616 (thread 5048) with C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:38:19,454 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x084C0000.
2026-04-28 01:38:19,470 [root] DEBUG: 1424: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:38:19,516 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x0A030000.
2026-04-28 01:38:19,579 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:19,970 [root] DEBUG: 3836: ScanForDisguisedPE: Size too small: 0x1ba bytes
2026-04-28 01:38:20,360 [root] DEBUG: 2168: YaraScan: Scanning 0x00007FF6F2810000, size 0x8026
2026-04-28 01:38:20,641 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:20,876 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x09CC3000, size: 0x1000.
2026-04-28 01:38:21,204 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:21,345 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 01:38:21,813 [root] DEBUG: 3596: AllocationHandler: Adding allocation to tracked region list: 0x08770000, size: 0x1000.
2026-04-28 01:38:21,860 [root] DEBUG: 1424: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:38:21,876 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:22,016 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08620000.
2026-04-28 01:38:22,048 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:22,095 [root] DEBUG: 7728: api-cap: NtDelayExecution hook disabled due to count: 5000
2026-04-28 01:38:22,110 [root] INFO: Analysis timeout hit, terminating analysis
2026-04-28 01:38:22,110 [lib.api.process] INFO: Terminate event set for <Process 752 svchost.exe>
2026-04-28 01:38:22,110 [root] DEBUG: 7728: api-cap: NtDelayExecution hook disabled due to count: 5001
2026-04-28 01:38:22,141 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3836_247089020382227142026 to CAPE\1b29f3675b67f13a37cf912dff5027ea24d3b67cba3e3a135f0cc2426dcc6e95; Size is 442; Max size: 100000000
2026-04-28 01:38:22,595 [root] DEBUG: 5200: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:38:22,782 [root] DEBUG: 2168: ProcessImageBase: Main module image at 0x00007FF6F2810000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:38:22,813 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:22,845 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:22,923 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:23,001 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\xzHEKGQ.dll.
2026-04-28 01:38:23,173 [root] DEBUG: 3596: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:23,360 [root] DEBUG: 1424: YaraScan: Scanning 0x00007FF6402C0000, size 0x7dcfe
2026-04-28 01:38:23,407 [lib.api.process] INFO: Injected into 64-bit <Process 8616 dllhost.exe>
2026-04-28 01:38:23,985 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:24,298 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x091D0000.
2026-04-28 01:38:24,407 [root] DEBUG: 3836: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3836_247089020382227142026 (size 442 bytes)
2026-04-28 01:38:24,485 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:24,579 [root] DEBUG: 752: Terminate Event: Attempting to dump process 752
2026-04-28 01:38:24,641 [root] DEBUG: 5200: DumpPEsInRange: Scanning range 0x08560000 - 0x0856078E.
2026-04-28 01:38:24,845 [root] DEBUG: 3836: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:38:25,032 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:25,110 [root] DEBUG: 2168: set_hooks_by_export_directory: Hooked 0 out of 628 functions
2026-04-28 01:38:25,532 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D80000.
2026-04-28 01:38:25,563 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:25,735 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:25,798 [root] DEBUG: 1424: Monitor initialised: 64-bit capemon loaded in process 1424 at 0x00007FFEABCB0000, thread 2772, image base 0x00007FF6402C0000, stack from 0x00000050E9270000-0x00000050E9280000
2026-04-28 01:38:25,845 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08A10000.
2026-04-28 01:38:25,985 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:26,313 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:26,626 [root] DEBUG: 3836: DumpRegion: Dumped entire allocation from 0x09AD0000, size 4096 bytes.
2026-04-28 01:38:26,766 [root] DEBUG: 752: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:38:26,907 [lib.api.process] INFO: Termination confirmed for <Process 752 svchost.exe>
2026-04-28 01:38:26,985 [root] INFO: Terminate event set for process 752
2026-04-28 01:38:27,048 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:27,063 [lib.api.process] INFO: Terminate event set for <Process 780 svchost.exe>
2026-04-28 01:38:27,126 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:27,298 [root] DEBUG: 5200: ScanForDisguisedPE: Size too small: 0x78e bytes
2026-04-28 01:38:27,376 [root] DEBUG: 2168: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:38:27,548 [root] DEBUG: 6384: AllocationHandler: Adding allocation to tracked region list: 0x08D70000, size: 0x1000.
2026-04-28 01:38:27,782 [root] DEBUG: 5144: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:38:28,110 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:28,251 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:28,391 [root] DEBUG: 7548: api-cap: NtDelayExecution hook disabled due to count: 5000
2026-04-28 01:38:28,579 [root] DEBUG: 1424: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2026-04-28 01:38:28,829 [root] DEBUG: 7548: api-cap: NtDelayExecution hook disabled due to count: 5001
2026-04-28 01:38:29,063 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:29,423 [root] DEBUG: 3596: DumpPEsInRange: Scanning range 0x08770000 - 0x08770CF1.
2026-04-28 01:38:29,501 [root] DEBUG: 3836: ProcessTrackedRegion: Dumped region at 0x09AD0000.
2026-04-28 01:38:29,579 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:29,641 [root] DEBUG: 752: Terminate Event: monitor shutdown complete for process 752
2026-04-28 01:38:29,751 [root] DEBUG: 8616: Python path set to 'C:\Python310'.
2026-04-28 01:38:29,782 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:29,845 [root] DEBUG: 780: Terminate Event: Attempting to dump process 780
2026-04-28 01:38:29,876 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5200_796984527382227142026 to CAPE\972e41d4fc47654b3bb670912c8a95be0a1458338186af799bd9e06bd2592b03; Size is 4096; Max size: 100000000
2026-04-28 01:38:30,079 [root] DEBUG: 6384: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:30,266 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:30,485 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:30,579 [root] DEBUG: 2168: DLL loaded at 0x00007FFEFC380000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-04-28 01:38:30,688 [root] DEBUG: 1424: hook_api: LdrpCallInitRoutine export address 0x00007FFEFE8699BC obtained via GetFunctionAddress
2026-04-28 01:38:30,845 [root] DEBUG: 3596: ScanForDisguisedPE: No PE image located in range 0x08770000-0x08770CF1.
2026-04-28 01:38:30,876 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:30,923 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:31,048 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:38:31,313 [root] DEBUG: 8616: Dropped file limit defaulting to 100.
2026-04-28 01:38:31,579 [root] DEBUG: 780: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:38:31,782 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:31,782 [lib.api.process] INFO: Termination confirmed for <Process 780 svchost.exe>
2026-04-28 01:38:32,063 [root] DEBUG: 5200: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5200_796984527382227142026 (size 4096 bytes)
2026-04-28 01:38:32,173 [root] INFO: Terminate event set for process 780
2026-04-28 01:38:32,188 [root] DEBUG: 6384: DumpPEsInRange: Scanning range 0x08D70000 - 0x08D70230.
2026-04-28 01:38:32,188 [lib.api.process] INFO: Terminate event set for <Process 5200 powershell.exe>
2026-04-28 01:38:32,204 [root] DEBUG: 3488: AllocationHandler: Previously reserved region at 0x09DC0000, committing at: 0x09DC3000.
2026-04-28 01:38:32,282 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:32,407 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:32,516 [root] WARNING: b'Unable to place hook on LockResource'
2026-04-28 01:38:32,532 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3596_2108951030382227142026 to CAPE\618d4756d1b660cc3b0e63ef004cedffa9b00aef247113f566dc405e83f73b94; Size is 3313; Max size: 100000000
2026-04-28 01:38:32,548 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:32,610 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:32,751 [root] DEBUG: 7728: AllocationHandler: Adding allocation to tracked region list: 0x084A0000, size: 0x1000.
2026-04-28 01:38:33,266 [root] DEBUG: 780: Terminate Event: monitor shutdown complete for process 780
2026-04-28 01:38:33,360 [root] DEBUG: 5200: DumpRegion: Dumped entire allocation from 0x08560000, size 4096 bytes.
2026-04-28 01:38:33,470 [root] DEBUG: 2168: DLL loaded at 0x00007FFEFCC00000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-04-28 01:38:33,626 [root] DEBUG: 6384: ScanForDisguisedPE: Size too small: 0x230 bytes
2026-04-28 01:38:33,704 [root] DEBUG: 5200: Terminate Event: Attempting to dump process 5200
2026-04-28 01:38:33,782 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:33,970 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:34,157 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:34,548 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x099E0000.
2026-04-28 01:38:34,688 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x092B0000.
2026-04-28 01:38:34,766 [root] DEBUG: 1424: set_hooks: Unable to hook LockResource
2026-04-28 01:38:34,876 [root] DEBUG: 3596: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3596_2108951030382227142026 (size 3313 bytes)
2026-04-28 01:38:34,970 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:35,016 [root] DEBUG: 8616: Disabling sleep skipping.
2026-04-28 01:38:35,016 [root] DEBUG: 7728: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:35,126 [root] DEBUG: 5200: ProcessTrackedRegion: Dumped region at 0x08560000.
2026-04-28 01:38:35,641 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\6384_941248033382227142026 to CAPE\6079b943e8d0327cf8a33b6f3c314fd11493fadb96cb0f5135486c7ccc8d4229; Size is 560; Max size: 100000000
2026-04-28 01:38:35,845 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09CC0000.
2026-04-28 01:38:36,095 [root] DEBUG: 2168: DLL loaded at 0x00007FFEF9980000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-04-28 01:38:36,126 [root] DEBUG: 5200: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:38:36,188 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:36,282 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:36,329 [root] DEBUG: 1424: Hooked 627 out of 628 functions
2026-04-28 01:38:36,391 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:36,470 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x00CDA000, size: 0x1000.
2026-04-28 01:38:36,516 [root] DEBUG: 3596: DumpRegion: Dumped entire allocation from 0x08770000, size 4096 bytes.
2026-04-28 01:38:36,751 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:36,923 [root] DEBUG: 8616: YaraInit: Compiled rules loaded from existing file C:\ltb6yatm\data\yara\capemon.yac
2026-04-28 01:38:37,001 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:37,063 [root] DEBUG: 7728: DumpPEsInRange: Scanning range 0x084A0000 - 0x084A0230.
2026-04-28 01:38:37,095 [root] DEBUG: 6384: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\6384_941248033382227142026 (size 560 bytes)
2026-04-28 01:38:37,173 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x05FEA000, size: 0x1000.
2026-04-28 01:38:37,313 [lib.api.process] INFO: Termination confirmed for <Process 5200 powershell.exe>
2026-04-28 01:38:37,313 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x006E0000 (jit-dumps=0)
2026-04-28 01:38:37,329 [root] INFO: Terminate event set for process 5200
2026-04-28 01:38:37,345 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:37,360 [lib.api.process] INFO: Terminate event set for <Process 3488 powershell.exe>
2026-04-28 01:38:37,391 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:37,470 [root] DEBUG: 2168: DEBUG:Initialized 9 com hooks
2026-04-28 01:38:37,532 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:37,579 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x00CD0000.
2026-04-28 01:38:37,626 [root] DEBUG: 3596: ProcessTrackedRegion: Dumped region at 0x08770000.
2026-04-28 01:38:37,674 [root] DEBUG: 8632: AllocationHandler: Adding allocation to tracked region list: 0x07700000, size: 0x100000.
2026-04-28 01:38:37,782 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:37,876 [root] DEBUG: 1424: Syscall hook installed, syscall logging level 1
2026-04-28 01:38:37,923 [root] DEBUG: 8616: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 01:38:37,985 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x09620000.
2026-04-28 01:38:38,063 [root] DEBUG: 7728: ScanForDisguisedPE: Size too small: 0x230 bytes
2026-04-28 01:38:38,141 [root] DEBUG: 6384: DumpRegion: Dumped entire allocation from 0x08D70000, size 4096 bytes.
2026-04-28 01:38:38,157 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x04450000 (jit-dumps=0)
2026-04-28 01:38:38,173 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x05FE0000.
2026-04-28 01:38:38,266 [root] DEBUG: 3488: Terminate Event: Attempting to dump process 3488
2026-04-28 01:38:38,345 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:38,391 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:38,454 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:38,485 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:38,610 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08770000.
2026-04-28 01:38:38,782 [root] DEBUG: 8632: GetEntropy: Error - Supplied address inaccessible: 0x07700000
2026-04-28 01:38:38,891 [root] DEBUG: 2168: DLL loaded at 0x00007FFEFE330000: C:\Windows\System32\shcore (0xad000 bytes).
2026-04-28 01:38:38,907 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08500000.
2026-04-28 01:38:39,001 [root] DEBUG: 8616: YaraScan: Scanning 0x00007FF6F2810000, size 0x8026
2026-04-28 01:38:39,095 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:39,188 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7728_60577038382227142026 to CAPE\bd582823b3d16559e32e7f38f3c12b1a40339c88aadad72b7baa897588dd36b7; Size is 560; Max size: 100000000
2026-04-28 01:38:39,220 [root] DEBUG: 1424: RestoreHeaders: Restored original import table.
2026-04-28 01:38:39,235 [root] DEBUG: 6384: ProcessTrackedRegion: Dumped region at 0x08D70000.
2026-04-28 01:38:39,470 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x061D0000 (jit-dumps=0)
2026-04-28 01:38:39,548 [root] DEBUG: 7548: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:38:39,579 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:39,626 [root] DEBUG: 3488: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:38:39,704 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:39,766 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:39,813 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:39,845 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:40,016 [root] DEBUG: 8616: Monitor initialised: 64-bit capemon loaded in process 8616 at 0x00007FFEABCB0000, thread 5048, image base 0x00007FF6F2810000, stack from 0x000000527CD44000-0x000000527CD50000
2026-04-28 01:38:40,032 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08770000.
2026-04-28 01:38:40,188 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:40,329 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:40,376 [root] DEBUG: 7728: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7728_60577038382227142026 (size 560 bytes)
2026-04-28 01:38:40,407 [root] DEBUG: 8632: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:40,501 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D70000.
2026-04-28 01:38:40,673 [root] DEBUG: 2168: DLL loaded at 0x00007FFEE2610000: C:\Windows\System32\thumbcache (0x66000 bytes).
2026-04-28 01:38:40,766 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x061E0000 (jit-dumps=0)
2026-04-28 01:38:40,860 [root] INFO: Loaded monitor into process with pid 1424
2026-04-28 01:38:40,891 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:41,001 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:41,032 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08EC0000.
2026-04-28 01:38:41,079 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x00BC0000 (jit-dumps=0)
2026-04-28 01:38:41,141 [root] DEBUG: 3488: api-cap: NtDelayExecution hook disabled due to count: 5000
2026-04-28 01:38:41,188 [root] DEBUG: 3488: api-cap: NtDelayExecution hook disabled due to count: 5001
2026-04-28 01:38:41,235 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:41,345 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x092B0000.
2026-04-28 01:38:41,485 [root] DEBUG: 8616: Commandline: C:\Windows\system32\DllHost.exe /Processid:{AA65DD7C-83AC-48C0-A6FD-9B61FEBF8800}
2026-04-28 01:38:41,641 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x0603A000, size: 0x1000.
2026-04-28 01:38:41,688 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08770000.
2026-04-28 01:38:41,985 [root] DEBUG: 8632: AllocationHandler: Memory region (size 0x100000) reserved but not committed at 0x07700000.
2026-04-28 01:38:41,985 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:42,032 [root] DEBUG: 7728: DumpRegion: Dumped entire allocation from 0x084A0000, size 4096 bytes.
2026-04-28 01:38:42,110 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x06240000 (jit-dumps=0)
2026-04-28 01:38:42,157 [root] DEBUG: 1424: caller_dispatch: Added region at 0x00007FF6402C0000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6402D2CD1, thread 2772).
2026-04-28 01:38:42,188 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x09DC0000.
2026-04-28 01:38:42,235 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:42,266 [root] DEBUG: 2168: DLL loaded at 0x00007FFEF6F00000: C:\Windows\system32\propsys (0xf6000 bytes).
2026-04-28 01:38:42,313 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09CC0000.
2026-04-28 01:38:42,360 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D70000.
2026-04-28 01:38:42,391 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:42,595 [lib.api.process] INFO: Termination confirmed for <Process 3488 powershell.exe>
2026-04-28 01:38:42,610 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x06300000 (jit-dumps=0)
2026-04-28 01:38:42,657 [root] INFO: Terminate event set for process 3488
2026-04-28 01:38:42,688 [root] DEBUG: 8616: hook_api: LdrpCallInitRoutine export address 0x00007FFEFE8699BC obtained via GetFunctionAddress
2026-04-28 01:38:42,720 [lib.api.process] INFO: Terminate event set for <Process 3596 powershell.exe>
2026-04-28 01:38:42,782 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x06030000.
2026-04-28 01:38:42,829 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:42,907 [root] DEBUG: 8632: AllocationHandler: Previously reserved region at 0x07700000, committing at: 0x07700000.
2026-04-28 01:38:43,110 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFB970000: C:\Windows\SYSTEM32\ncrypt (0x27000 bytes).
2026-04-28 01:38:43,595 [root] DEBUG: 7728: ProcessTrackedRegion: Dumped region at 0x084A0000.
2026-04-28 01:38:43,720 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:43,891 [root] DEBUG: 1424: YaraScan: Scanning 0x00007FF6402C0000, size 0x7dcfe
2026-04-28 01:38:43,907 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08440000 (jit-dumps=0)
2026-04-28 01:38:43,985 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x05F7A000, size: 0x1000.
2026-04-28 01:38:44,001 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:44,032 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:44,048 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D70000.
2026-04-28 01:38:44,141 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08770000.
2026-04-28 01:38:44,345 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:44,548 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08A80000 (jit-dumps=0)
2026-04-28 01:38:44,720 [root] DEBUG: 3596: Terminate Event: Attempting to dump process 3596
2026-04-28 01:38:44,893 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:45,095 [root] WARNING: b'Unable to place hook on LockResource'
2026-04-28 01:38:45,141 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x084A0000.
2026-04-28 01:38:45,282 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:45,532 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:45,720 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF5C20000: C:\Windows\SYSTEM32\WINHTTP (0x10a000 bytes).
2026-04-28 01:38:46,095 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x05F70000.
2026-04-28 01:38:46,204 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:46,391 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08580000 (jit-dumps=0)
2026-04-28 01:38:46,438 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:46,532 [root] DEBUG: 1424: ProcessImageBase: Main module image at 0x00007FF6402C0000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:38:46,626 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08770000.
2026-04-28 01:38:46,657 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D70000.
2026-04-28 01:38:46,673 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08AB0000 (jit-dumps=0)
2026-04-28 01:38:46,720 [root] DEBUG: 3596: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:38:46,735 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:46,860 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x08500000.
2026-04-28 01:38:47,126 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:47,376 [root] DEBUG: 5200: AllocationHandler: Previously reserved region at 0x08950000, committing at: 0x08953000.
2026-04-28 01:38:47,610 [root] DEBUG: 8616: set_hooks: Unable to hook LockResource
2026-04-28 01:38:47,766 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:47,845 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x09500000.
2026-04-28 01:38:47,860 [lib.api.process] INFO: Termination confirmed for <Process 3596 powershell.exe>
2026-04-28 01:38:47,876 [root] INFO: Terminate event set for process 3596
2026-04-28 01:38:47,970 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:47,970 [lib.api.process] INFO: Terminate event set for <Process 3404 powershell.exe>
2026-04-28 01:38:48,001 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08950000 (jit-dumps=0)
2026-04-28 01:38:48,032 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFD0A0000: C:\Windows\System32\WLDAP32 (0x56000 bytes).
2026-04-28 01:38:48,048 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08770000.
2026-04-28 01:38:48,376 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x095A0000 (jit-dumps=0)
2026-04-28 01:38:48,579 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D70000.
2026-04-28 01:38:48,766 [root] DEBUG: 1424: set_hooks_by_export_directory: Hooked 0 out of 628 functions
2026-04-28 01:38:49,032 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x08F60000.
2026-04-28 01:38:49,173 [root] DEBUG: 3596: DumpInterestingRegions: Skipping .NET JIT native cache at 0x00910000 (jit-dumps=0)
2026-04-28 01:38:49,282 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x05DE0000.
2026-04-28 01:38:49,641 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:49,751 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x084A0000.
2026-04-28 01:38:49,845 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:49,876 [root] DEBUG: 8616: Hooked 627 out of 628 functions
2026-04-28 01:38:50,001 [root] INFO: Process with pid 2168 has terminated
2026-04-28 01:38:50,064 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x09DC0000.
2026-04-28 01:38:50,095 [root] DEBUG: 3404: AllocationHandler: Adding allocation to tracked region list: 0x08960000, size: 0x1000.
2026-04-28 01:38:50,376 [root] DEBUG: 3404: Terminate Event: Attempting to dump process 3404
2026-04-28 01:38:50,532 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:51,001 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09580000 (jit-dumps=0)
2026-04-28 01:38:51,079 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09DC0000 (jit-dumps=0)
2026-04-28 01:38:51,251 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08770000.
2026-04-28 01:38:51,251 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D70000.
2026-04-28 01:38:51,282 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x04CF0000, size: 0x1000.
2026-04-28 01:38:51,282 [root] DEBUG: 3444: DLL loaded at 0x00007FFEE9E70000: C:\Windows\SYSTEM32\certca (0xcd000 bytes).
2026-04-28 01:38:51,313 [root] DEBUG: 1424: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:38:51,345 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:51,470 [root] DEBUG: 3596: DumpInterestingRegions: Skipping .NET JIT native cache at 0x04850000 (jit-dumps=0)
2026-04-28 01:38:51,923 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x084A0000.
2026-04-28 01:38:52,141 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:52,548 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:53,235 [lib.api.process] INFO: Termination confirmed for <Process 3404 powershell.exe>
2026-04-28 01:38:53,235 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AD0000.
2026-04-28 01:38:53,454 [root] DEBUG: 3404: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:53,470 [root] INFO: Terminate event set for process 3404
2026-04-28 01:38:54,016 [root] DEBUG: 2168: NtTerminateProcess hook: Attempting to dump process 2168
2026-04-28 01:38:54,095 [lib.api.process] INFO: Terminate event set for <Process 7728 powershell.exe>
2026-04-28 01:38:54,173 [root] DEBUG: 3404: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:38:54,360 [root] DEBUG: 5144: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:38:54,407 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x095F0000 (jit-dumps=0)
2026-04-28 01:38:54,688 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09E30000 (jit-dumps=0)
2026-04-28 01:38:54,907 [root] DEBUG: 3596: AllocationHandler: Allocation already in tracked region list: 0x08770000.
2026-04-28 01:38:55,079 [root] INFO: Added new file to list with pid 6384 and path C:\Users\cape\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
2026-04-28 01:38:55,188 [root] DEBUG: 7548: AllocationHandler: Adding allocation to tracked region list: 0x08480000, size: 0x1000.
2026-04-28 01:38:55,438 [root] DEBUG: 7496: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:55,595 [root] DEBUG: 8616: Syscall hook installed, syscall logging level 1
2026-04-28 01:38:55,688 [root] DEBUG: 1424: DLL loaded at 0x00007FFEFC380000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-04-28 01:38:55,829 [root] DEBUG: 3596: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08520000 (jit-dumps=0)
2026-04-28 01:38:55,891 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:55,954 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x084A0000.
2026-04-28 01:38:56,063 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF5FF0000: C:\Windows\SYSTEM32\DSPARSE (0xc000 bytes).
2026-04-28 01:38:56,251 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:56,563 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:56,766 [root] DEBUG: 3488: AllocationHandler: Adding allocation to tracked region list: 0x08AC0000, size: 0x1000.
2026-04-28 01:38:57,016 [root] DEBUG: 3404: DumpPEsInRange: Scanning range 0x08960000 - 0x089600D8.
2026-04-28 01:38:57,141 [root] DEBUG: 7728: Terminate Event: Attempting to dump process 7728
2026-04-28 01:38:57,157 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x02EB0000 (jit-dumps=0)
2026-04-28 01:38:57,298 [root] DEBUG: 2168: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:38:57,313 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09610000 (jit-dumps=0)
2026-04-28 01:38:57,313 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09640000 (jit-dumps=0)
2026-04-28 01:38:57,329 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09E40000 (jit-dumps=0)
2026-04-28 01:38:57,345 [root] DEBUG: 6384: AllocationHandler: Allocation already in tracked region list: 0x08D70000.
2026-04-28 01:38:57,345 [root] DEBUG: 7548: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:57,454 [root] DEBUG: 7496: DumpPEsInRange: Scanning range 0x04CF0000 - 0x04CF07FE.
2026-04-28 01:38:57,470 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:38:57,798 [root] DEBUG: 1424: DEBUG:Initialized 9 com hooks
2026-04-28 01:38:58,032 [root] DEBUG: 8616: RestoreHeaders: Restored original import table.
2026-04-28 01:38:58,266 [root] DEBUG: 3596: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08790000 (jit-dumps=0)
2026-04-28 01:38:58,329 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:38:58,516 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x084A0000.
2026-04-28 01:38:58,595 [root] DEBUG: 3596: DumpInterestingRegions: Skipping .NET JIT native cache at 0x087A0000 (jit-dumps=0)
2026-04-28 01:38:58,673 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFBD00000: C:\Windows\SYSTEM32\DPAPI (0xa000 bytes).
2026-04-28 01:38:58,907 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:38:59,095 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:38:59,235 [lib.api.process] INFO: Termination confirmed for <Process 7728 powershell.exe>
2026-04-28 01:38:59,391 [root] DEBUG: 3404: ScanForDisguisedPE: Size too small: 0xd8 bytes
2026-04-28 01:38:59,532 [root] INFO: Terminate event set for process 7728
2026-04-28 01:38:59,532 [root] DEBUG: 3488: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:38:59,782 [root] DEBUG: 7728: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:38:59,782 [lib.api.process] INFO: Terminate event set for <Process 7496 powershell.exe>
2026-04-28 01:38:59,845 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x02F10000 (jit-dumps=0)
2026-04-28 01:39:00,391 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09650000 (jit-dumps=0)
2026-04-28 01:39:00,516 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09E80000 (jit-dumps=0)
2026-04-28 01:39:00,704 [root] INFO: Added new file to list with pid 6384 and path C:\Users\cape\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
2026-04-28 01:39:00,938 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:01,173 [root] DEBUG: 7496: ScanForDisguisedPE: Size too small: 0x7fe bytes
2026-04-28 01:39:01,266 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:39:01,329 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x084A0000.
2026-04-28 01:39:01,392 [root] DEBUG: 3596: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08930000 (jit-dumps=0)
2026-04-28 01:39:01,501 [root] DEBUG: 7548: DumpPEsInRange: Scanning range 0x08480000 - 0x08480230.
2026-04-28 01:39:01,735 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x09AC0000.
2026-04-28 01:39:01,751 [root] DEBUG: 1424: DLL loaded at 0x00007FFEFCC00000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-04-28 01:39:02,063 [root] DEBUG: 3444: DLL loaded at 0x00007FFEE90A0000: C:\Windows\SYSTEM32\certenroll (0x338000 bytes).
2026-04-28 01:39:02,376 [root] DEBUG: 7496: Terminate Event: Attempting to dump process 7496
2026-04-28 01:39:02,641 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3404_421836259382227142026 to CAPE\fb7b0841a14da0e4d8ec941637dfd0bb9a9f3e2be01cb84c013edaad9d007c25; Size is 216; Max size: 100000000
2026-04-28 01:39:02,813 [root] DEBUG: 3596: ProcessTrackedRegion: Updated entropy for tracked region at 0x08770000: 6.074419e+00 (from 0.000000e+00)
2026-04-28 01:39:02,891 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x09DC0000.
2026-04-28 01:39:02,923 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:39:03,141 [root] DEBUG: 7728: DumpInterestingRegions: Skipping .NET JIT native cache at 0x00890000 (jit-dumps=0)
2026-04-28 01:39:03,345 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x06260000 (jit-dumps=0)
2026-04-28 01:39:03,985 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09EA0000 (jit-dumps=0)
2026-04-28 01:39:04,188 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09790000 (jit-dumps=0)
2026-04-28 01:39:04,235 [root] DEBUG: 6384: NtTerminateProcess hook: Attempting to dump process 6384
2026-04-28 01:39:04,313 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:04,345 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7496_102911392227142026 to CAPE\6c7ef1fc834f80ff52d6fa95de696367d37f4ad2429739274cd4d30912fa9733; Size is 4096; Max size: 100000000
2026-04-28 01:39:04,470 [root] DEBUG: 5200: api-cap: NtDelayExecution hook disabled due to count: 5000
2026-04-28 01:39:04,735 [root] DEBUG: 5200: api-cap: NtDelayExecution hook disabled due to count: 5001
2026-04-28 01:39:04,923 [root] DEBUG: 7548: ScanForDisguisedPE: Size too small: 0x230 bytes
2026-04-28 01:39:05,173 [root] DEBUG: 5144: AllocationHandler: Adding allocation to tracked region list: 0x08450000, size: 0x1000.
2026-04-28 01:39:05,173 [lib.api.process] INFO: Termination confirmed for <Process 7496 powershell.exe>
2026-04-28 01:39:05,407 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08950000.
2026-04-28 01:39:05,501 [root] INFO: Terminate event set for process 7496
2026-04-28 01:39:05,501 [root] DEBUG: 7496: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:39:05,782 [lib.api.process] INFO: Terminate event set for <Process 5144 powershell.exe>
2026-04-28 01:39:05,891 [root] DEBUG: 3404: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3404_421836259382227142026 (size 216 bytes)
2026-04-28 01:39:05,907 [root] DEBUG: 3596: DumpPEsInRange: Scanning range 0x08770000 - 0x08778F24.
2026-04-28 01:39:06,095 [root] DEBUG: 3444: DLL loaded at 0x00007FFEE85D0000: C:\Windows\SYSTEM32\TpmCoreProvisioning (0x123000 bytes).
2026-04-28 01:39:06,235 [root] INFO: Loaded monitor into process with pid 8616
2026-04-28 01:39:06,454 [root] DEBUG: 3488: DumpPEsInRange: Scanning range 0x08AC0000 - 0x08AC0CF1.
2026-04-28 01:39:06,563 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09F20000 (jit-dumps=0)
2026-04-28 01:39:06,860 [root] DEBUG: 7728: DumpInterestingRegions: Skipping .NET JIT native cache at 0x04330000 (jit-dumps=0)
2026-04-28 01:39:07,126 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08940000 (jit-dumps=0)
2026-04-28 01:39:07,220 [root] DEBUG: 6384: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:39:07,751 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09840000 (jit-dumps=0)
2026-04-28 01:39:07,891 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x0A1C3000, size: 0x1000.
2026-04-28 01:39:08,016 [root] DEBUG: 7496: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7496_102911392227142026 (size 4096 bytes)
2026-04-28 01:39:08,188 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x098E0000 (jit-dumps=0)
2026-04-28 01:39:08,501 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7548_13852115392227142026 to CAPE\1e41e14b3f24237afb7f45edd325392c5824523b9eff797687eb37a8aa310d59; Size is 560; Max size: 100000000
2026-04-28 01:39:08,673 [root] DEBUG: 5144: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:39:08,704 [root] DEBUG: 7728: AllocationHandler: Allocation already in tracked region list: 0x084A0000.
2026-04-28 01:39:08,829 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x00D0A000, size: 0x1000.
2026-04-28 01:39:09,126 [root] DEBUG: 5144: Terminate Event: Attempting to dump process 5144
2026-04-28 01:39:09,345 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x034D0000 (jit-dumps=0)
2026-04-28 01:39:09,563 [root] DEBUG: 3596: ScanForDisguisedPE: No PE image located in range 0x08770000-0x08778F24.
2026-04-28 01:39:09,891 [root] DEBUG: 3488: ScanForDisguisedPE: No PE image located in range 0x08AC0000-0x08AC0CF1.
2026-04-28 01:39:10,251 [root] DEBUG: 3404: DumpRegion: Dumped entire allocation from 0x08960000, size 4096 bytes.
2026-04-28 01:39:10,282 [root] DEBUG: 1424: DLL loaded at 0x00007FFEF1EB0000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2026-04-28 01:39:10,376 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF6A80000: C:\Windows\System32\wbem\Win32_TPM (0x18000 bytes).
2026-04-28 01:39:10,470 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A050000 (jit-dumps=0)
2026-04-28 01:39:10,563 [root] DEBUG: 7728: ProcessTrackedRegion: Updated entropy for tracked region at 0x084A0000: 5.891863e+00 (from 0.000000e+00)
2026-04-28 01:39:10,766 [root] DEBUG: 8616: caller_dispatch: Added region at 0x00007FF6F2810000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF6F28112F2, thread 5048).
2026-04-28 01:39:10,954 [lib.api.process] INFO: Termination confirmed for <Process 5144 powershell.exe>
2026-04-28 01:39:11,204 [root] INFO: Terminate event set for process 5144
2026-04-28 01:39:11,376 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08C50000 (jit-dumps=0)
2026-04-28 01:39:11,376 [lib.api.process] INFO: Terminate event set for <Process 7548 powershell.exe>
2026-04-28 01:39:11,438 [root] DEBUG: 7496: DumpRegion: Dumped entire allocation from 0x04CF0000, size 4096 bytes.
2026-04-28 01:39:11,485 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:11,516 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x03160000 (jit-dumps=0)
2026-04-28 01:39:11,610 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09920000 (jit-dumps=0)
2026-04-28 01:39:11,876 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x00D00000.
2026-04-28 01:39:11,891 [root] DEBUG: 5144: DumpPEsInRange: Scanning range 0x08450000 - 0x08450886.
2026-04-28 01:39:12,063 [root] DEBUG: 7548: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7548_13852115392227142026 (size 560 bytes)
2026-04-28 01:39:12,407 [root] DEBUG: 5144: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:39:12,641 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x06AC0000 (jit-dumps=0)
2026-04-28 01:39:12,782 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:39:12,923 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3488_391840610392227142026 to CAPE\35b548be080806effc56b2e44c96bc3620366aa90639402bef01fa8c99fbf460; Size is 3313; Max size: 100000000
2026-04-28 01:39:13,188 [root] DEBUG: 3404: ProcessTrackedRegion: Dumped region at 0x08960000.
2026-04-28 01:39:13,188 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3596_96125349392227142026 to CAPE\fc21d2fc869985598f5b6f7f5230a19e1420a28a19e6dfe9ddaadf6f81bd952d; Size is 36644; Max size: 100000000
2026-04-28 01:39:13,360 [root] DEBUG: 1424: DLL loaded at 0x00007FFEF2120000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2026-04-28 01:39:13,501 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFB930000: C:\Windows\SYSTEM32\NTASN1 (0x3b000 bytes).
2026-04-28 01:39:13,532 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A0C0000 (jit-dumps=0)
2026-04-28 01:39:13,845 [root] DEBUG: 7728: DumpPEsInRange: Scanning range 0x084A0000 - 0x084A702C.
2026-04-28 01:39:14,251 [root] DEBUG: 7548: Terminate Event: Attempting to dump process 7548
2026-04-28 01:39:14,516 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08DE0000 (jit-dumps=0)
2026-04-28 01:39:14,610 [root] DEBUG: 8616: YaraScan: Scanning 0x00007FF6F2810000, size 0x8026
2026-04-28 01:39:14,657 [root] DEBUG: 7496: ProcessTrackedRegion: Dumped region at 0x04CF0000.
2026-04-28 01:39:14,673 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x09280000.
2026-04-28 01:39:14,688 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x031A0000 (jit-dumps=0)
2026-04-28 01:39:15,016 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:39:15,251 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09930000 (jit-dumps=0)
2026-04-28 01:39:15,532 [root] DEBUG: 5144: ScanForDisguisedPE: No PE image located in range 0x08450000-0x08450886.
2026-04-28 01:39:15,938 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x00850000 (jit-dumps=0)
2026-04-28 01:39:16,157 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08C80000 (jit-dumps=0)
2026-04-28 01:39:16,157 [root] DEBUG: 7548: DumpRegion: Dumped entire allocation from 0x08480000, size 4096 bytes.
2026-04-28 01:39:16,173 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AD0000.
2026-04-28 01:39:16,173 [root] DEBUG: 3488: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3488_391840610392227142026 (size 3313 bytes)
2026-04-28 01:39:16,251 [root] DEBUG: 3596: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3596_96125349392227142026 (size 36644 bytes)
2026-04-28 01:39:16,266 [root] DEBUG: 3488: DumpRegion: Dumped entire allocation from 0x08AC0000, size 4096 bytes.
2026-04-28 01:39:16,282 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A0E0000 (jit-dumps=0)
2026-04-28 01:39:16,282 [root] DEBUG: 7728: ScanForDisguisedPE: No PE image located in range 0x084A0000-0x084A702C.
2026-04-28 01:39:16,298 [root] DEBUG: 7548: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:39:16,298 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09600000 (jit-dumps=0)
2026-04-28 01:39:16,313 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFC950000: C:\Windows\System32\imagehlp (0x1d000 bytes).
2026-04-28 01:39:16,329 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:16,376 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x04AD0000 (jit-dumps=0)
2026-04-28 01:39:16,563 [lib.api.process] INFO: Termination confirmed for <Process 7548 powershell.exe>
2026-04-28 01:39:16,563 [root] DEBUG: 8616: ProcessImageBase: Main module image at 0x00007FF6F2810000 unmodified (entropy change 0.000000e+00)
2026-04-28 01:39:16,563 [root] INFO: Terminate event set for process 7548
2026-04-28 01:39:16,610 [lib.api.process] INFO: Terminate event set for <Process 6384 powershell.exe>
2026-04-28 01:39:16,720 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09970000 (jit-dumps=0)
2026-04-28 01:39:16,829 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:39:17,032 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5144_1880928015392227142026 to CAPE\4738db4cb39f6e465f4865958821206956d0f43da039f53c2f02d36737153dba; Size is 2182; Max size: 100000000
2026-04-28 01:39:17,157 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x00BC0000 (jit-dumps=0)
2026-04-28 01:39:17,282 [root] DEBUG: 7496: Unable to set COM hook on WbemLocator_ConnectServer
2026-04-28 01:39:17,391 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08CF0000 (jit-dumps=0)
2026-04-28 01:39:17,516 [root] DEBUG: 7548: ProcessTrackedRegion: Dumped region at 0x08480000.
2026-04-28 01:39:17,782 [root] DEBUG: 3488: ProcessTrackedRegion: Dumped region at 0x08AC0000.
2026-04-28 01:39:17,813 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A150000 (jit-dumps=0)
2026-04-28 01:39:17,829 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x00520000 (jit-dumps=0)
2026-04-28 01:39:17,845 [root] DEBUG: 3836: AllocationHandler: Adding allocation to tracked region list: 0x09AE0000, size: 0x1000.
2026-04-28 01:39:17,845 [root] DEBUG: 3596: DumpRegion: Dumped entire allocation from 0x08770000, size 40960 bytes.
2026-04-28 01:39:17,860 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\7728_174657816392227142026 to CAPE\46ef022f4fb176d478884d78d1e9f1f509c5c838238a374be665cc84acb67435; Size is 28716; Max size: 100000000
2026-04-28 01:39:17,860 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09620000 (jit-dumps=0)
2026-04-28 01:39:17,876 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:17,923 [root] DEBUG: 6384: Terminate Event: Process 6384 has already been dumped(!)
2026-04-28 01:39:17,938 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x06520000 (jit-dumps=0)
2026-04-28 01:39:17,938 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08950000.
2026-04-28 01:39:17,970 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09980000 (jit-dumps=0)
2026-04-28 01:39:17,985 [root] DEBUG: 5144: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5144_1880928015392227142026 (size 2182 bytes)
2026-04-28 01:39:18,001 [root] DEBUG: 3444: DLL loaded at 0x00007FFEF4D70000: C:\Windows\SYSTEM32\tbs (0x1a000 bytes).
2026-04-28 01:39:18,032 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x05C50000 (jit-dumps=0)
2026-04-28 01:39:18,032 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08E40000 (jit-dumps=0)
2026-04-28 01:39:18,048 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AC0000.
2026-04-28 01:39:18,063 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A1C0000 (jit-dumps=0)
2026-04-28 01:39:18,126 [root] DEBUG: 8616: set_hooks_by_export_directory: Hooked 0 out of 628 functions
2026-04-28 01:39:18,313 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x04240000 (jit-dumps=0)
2026-04-28 01:39:18,485 [root] DEBUG: 3596: ProcessTrackedRegion: Dumped region at 0x08770000.
2026-04-28 01:39:18,641 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09630000 (jit-dumps=0)
2026-04-28 01:39:18,876 [root] DEBUG: 3836: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:39:19,016 [root] DEBUG: 7728: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\7728_174657816392227142026 (size 28716 bytes)
2026-04-28 01:39:19,032 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:19,063 [root] DEBUG: 6384: ProcessTrackedRegion: Updated entropy for tracked region at 0x08D70000: 6.407488e+00 (from 0.000000e+00)
2026-04-28 01:39:19,063 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x06A20000 (jit-dumps=0)
2026-04-28 01:39:19,079 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08560000.
2026-04-28 01:39:19,188 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09990000 (jit-dumps=0)
2026-04-28 01:39:19,313 [root] DEBUG: 5144: DumpRegion: Dumped entire allocation from 0x08450000, size 4096 bytes.
2026-04-28 01:39:19,579 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFB900000: C:\Windows\System32\Wldp (0x30000 bytes).
2026-04-28 01:39:19,735 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08F80000 (jit-dumps=0)
2026-04-28 01:39:19,954 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AC0000.
2026-04-28 01:39:20,126 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08130000 (jit-dumps=0)
2026-04-28 01:39:20,313 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A1E0000 (jit-dumps=0)
2026-04-28 01:39:20,485 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x05DA0000 (jit-dumps=0)
2026-04-28 01:39:20,766 [root] INFO: Process with pid 3596 has terminated
2026-04-28 01:39:20,813 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09CC0000 (jit-dumps=0)
2026-04-28 01:39:20,891 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:39:20,923 [root] DEBUG: 3836: DumpPEsInRange: Scanning range 0x09AE0000 - 0x09AE069D.
2026-04-28 01:39:21,063 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08960000.
2026-04-28 01:39:21,079 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:21,110 [root] DEBUG: 8616: DLL loaded at 0x00007FFEF9E80000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-04-28 01:39:21,204 [root] DEBUG: 6384: DumpPEsInRange: Scanning range 0x08D70000 - 0x08D77D0E.
2026-04-28 01:39:21,407 [root] DEBUG: 7728: DumpRegion: Dumped entire allocation from 0x084A0000, size 32768 bytes.
2026-04-28 01:39:21,751 [lib.api.process] INFO: Termination confirmed for <Process 6384 powershell.exe>
2026-04-28 01:39:21,798 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x08950000.
2026-04-28 01:39:21,954 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x06A80000 (jit-dumps=0)
2026-04-28 01:39:21,954 [root] INFO: Terminate event set for process 6384
2026-04-28 01:39:22,016 [lib.api.process] INFO: Terminate event set for <Process 3444 WmiPrvSE.exe>
2026-04-28 01:39:22,126 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09A30000 (jit-dumps=0)
2026-04-28 01:39:22,376 [root] DEBUG: 5144: ProcessTrackedRegion: Dumped region at 0x08450000.
2026-04-28 01:39:22,423 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x081E0000 (jit-dumps=0)
2026-04-28 01:39:22,454 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x092F0000 (jit-dumps=0)
2026-04-28 01:39:22,471 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A200000 (jit-dumps=0)
2026-04-28 01:39:22,485 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x07FD0000 (jit-dumps=0)
2026-04-28 01:39:22,485 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09E70000 (jit-dumps=0)
2026-04-28 01:39:22,641 [root] DEBUG: 3444: DLL loaded at 0x00007FFEFA080000: C:\Windows\SYSTEM32\windows.storage (0x795000 bytes).
2026-04-28 01:39:22,798 [root] DEBUG: 3836: ScanForDisguisedPE: Size too small: 0x69d bytes
2026-04-28 01:39:23,516 [root] DEBUG: 6384: ScanForDisguisedPE: No PE image located in range 0x08D70000-0x08D77D0E.
2026-04-28 01:39:23,845 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:23,907 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08960000.
2026-04-28 01:39:23,938 [root] DEBUG: 7728: ProcessTrackedRegion: Dumped region at 0x084A0000.
2026-04-28 01:39:24,032 [root] DEBUG: 5200: AllocationHandler: Adding allocation to tracked region list: 0x06180000, size: 0x1000.
2026-04-28 01:39:24,235 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08B20000 (jit-dumps=0)
2026-04-28 01:39:24,313 [root] DEBUG: 3444: Terminate Event: Attempting to dump process 3444
2026-04-28 01:39:24,329 [root] DEBUG: 8616: DLL loaded at 0x00007FFEFC380000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-04-28 01:39:24,345 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AC0000.
2026-04-28 01:39:24,345 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09BD0000 (jit-dumps=0)
2026-04-28 01:39:24,641 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08D50000 (jit-dumps=0)
2026-04-28 01:39:24,876 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08450000.
2026-04-28 01:39:25,048 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08300000 (jit-dumps=0)
2026-04-28 01:39:25,282 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09A00000 (jit-dumps=0)
2026-04-28 01:39:25,298 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x07FF0000 (jit-dumps=0)
2026-04-28 01:39:25,329 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A260000 (jit-dumps=0)
2026-04-28 01:39:25,329 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09EB0000 (jit-dumps=0)
2026-04-28 01:39:25,470 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:25,532 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\3836_87612723392227142026 to CAPE\08d0803ec7c04de306066794e17df2ee3fd628dd7366664fbaf0dca03c5f2a3d; Size is 1693; Max size: 100000000
2026-04-28 01:39:25,579 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08960000.
2026-04-28 01:39:25,641 [root] INFO: Process with pid 7728 has terminated
2026-04-28 01:39:26,048 [root] DEBUG: 5200: AddTrackedRegion: GetEntropy failed.
2026-04-28 01:39:26,220 [root] DEBUG: 3444: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:39:26,876 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x090A0000 (jit-dumps=0)
2026-04-28 01:39:27,204 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A990000 (jit-dumps=0)
2026-04-28 01:39:27,204 [lib.api.process] INFO: Termination confirmed for <Process 3444 WmiPrvSE.exe>
2026-04-28 01:39:27,266 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08450000.
2026-04-28 01:39:27,423 [root] INFO: Terminate event set for process 3444
2026-04-28 01:39:27,470 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x083D0000 (jit-dumps=0)
2026-04-28 01:39:27,548 [root] DEBUG: 8616: DLL loaded at 0x00007FFEFCC00000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-04-28 01:39:27,563 [lib.api.process] INFO: Terminate event set for <Process 6136 WmiPrvSE.exe>
2026-04-28 01:39:27,626 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08080000 (jit-dumps=0)
2026-04-28 01:39:27,657 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09B20000 (jit-dumps=0)
2026-04-28 01:39:28,095 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A370000 (jit-dumps=0)
2026-04-28 01:39:28,626 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x0A1C0000.
2026-04-28 01:39:28,876 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09F10000 (jit-dumps=0)
2026-04-28 01:39:29,032 [root] DEBUG: 3836: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\3836_87612723392227142026 (size 1693 bytes)
2026-04-28 01:39:29,220 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08960000.
2026-04-28 01:39:29,313 [root] DEBUG: 5200: DumpPEsInRange: Scanning range 0x06180000 - 0x061807DA.
2026-04-28 01:39:29,345 [root] DEBUG: 3444: Terminate Event: Shutdown complete for process 3444 but failed to inform analyzer.
2026-04-28 01:39:29,657 [root] DEBUG: 752: CreateProcessHandler: Injection info set for new process 160: C:\Windows\System32\mousocoreworker.exe, ImageBase: 0x00007FF7C04F0000
2026-04-28 01:39:29,688 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:39:29,860 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x097A0000 (jit-dumps=0)
2026-04-28 01:39:30,064 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0AA30000 (jit-dumps=0)
2026-04-28 01:39:30,266 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08450000.
2026-04-28 01:39:30,688 [root] DEBUG: 6136: Terminate Event: Attempting to dump process 6136
2026-04-28 01:39:30,704 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08410000 (jit-dumps=0)
2026-04-28 01:39:30,720 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08100000 (jit-dumps=0)
2026-04-28 01:39:30,751 [root] DEBUG: 8616: DEBUG:Initialized 9 com hooks
2026-04-28 01:39:30,798 [root] DEBUG: 7496: AllocationHandler: Adding allocation to tracked region list: 0x065FA000, size: 0x1000.
2026-04-28 01:39:30,829 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A380000 (jit-dumps=0)
2026-04-28 01:39:31,001 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09FA0000 (jit-dumps=0)
2026-04-28 01:39:31,095 [root] DEBUG: 3836: DumpRegion: Dumped entire allocation from 0x09AE0000, size 4096 bytes.
2026-04-28 01:39:31,110 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09B40000 (jit-dumps=0)
2026-04-28 01:39:31,485 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08960000.
2026-04-28 01:39:31,720 [root] DEBUG: 5200: ScanForDisguisedPE: Size too small: 0x7da bytes
2026-04-28 01:39:31,751 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:39:31,876 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09D00000 (jit-dumps=0)
2026-04-28 01:39:31,891 [root] DEBUG: 5200: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0AAC0000 (jit-dumps=0)
2026-04-28 01:39:32,048 [root] DEBUG: 6136: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:39:32,563 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x099B0000.
2026-04-28 01:39:32,938 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08E30000 (jit-dumps=0)
2026-04-28 01:39:33,251 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08470000 (jit-dumps=0)
2026-04-28 01:39:33,251 [lib.api.process] INFO: Termination confirmed for <Process 6136 WmiPrvSE.exe>
2026-04-28 01:39:33,438 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A3D0000 (jit-dumps=0)
2026-04-28 01:39:33,438 [root] INFO: Terminate event set for process 6136
2026-04-28 01:39:33,470 [lib.api.process] INFO: Terminate event set for <Process 1820 TiWorker.exe>
2026-04-28 01:39:33,532 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x065F0000.
2026-04-28 01:39:33,563 [root] DEBUG: 3836: ProcessTrackedRegion: Dumped region at 0x09AE0000.
2026-04-28 01:39:33,657 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09B60000 (jit-dumps=0)
2026-04-28 01:39:33,704 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AC0000.
2026-04-28 01:39:33,907 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09FC0000 (jit-dumps=0)
2026-04-28 01:39:34,063 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08960000.
2026-04-28 01:39:34,391 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5200_1991648431392227142026 to CAPE\71eabfcf5758a8e5b9d1e782879b2171099a1ca11791da3c48cde69339364fd7; Size is 2010; Max size: 100000000
2026-04-28 01:39:34,641 [root] DEBUG: 8616: DLL loaded at 0x00007FFEFB470000: C:\Windows\system32\logoncli (0x43000 bytes).
2026-04-28 01:39:34,813 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09F50000 (jit-dumps=0)
2026-04-28 01:39:35,079 [root] DEBUG: 5200: DumpPEsInRange: Scanning range 0x06180000 - 0x061807DA.
2026-04-28 01:39:35,141 [root] DEBUG: 6136: Terminate Event: Shutdown complete for process 6136 but failed to inform analyzer.
2026-04-28 01:39:35,188 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08450000.
2026-04-28 01:39:35,220 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:39:35,235 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08FC0000 (jit-dumps=0)
2026-04-28 01:39:35,267 [root] DEBUG: 1424: DLL loaded at 0x00007FFEF41E0000: C:\Windows\system32\wbem\wmiutils (0x28000 bytes).
2026-04-28 01:39:35,282 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x084C0000 (jit-dumps=0)
2026-04-28 01:39:35,423 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A3E0000 (jit-dumps=0)
2026-04-28 01:39:35,641 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:36,126 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09CC0000.
2026-04-28 01:39:36,235 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AC0000.
2026-04-28 01:39:36,485 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A1C0000 (jit-dumps=0)
2026-04-28 01:39:36,735 [root] DEBUG: 1820: Terminate Event: Attempting to dump process 1820
2026-04-28 01:39:36,829 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A040000 (jit-dumps=0)
2026-04-28 01:39:36,829 [root] DEBUG: 5200: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5200_1991648431392227142026 (size 2010 bytes)
2026-04-28 01:39:36,829 [root] DEBUG: 5200: ScanForDisguisedPE: Size too small: 0x7da bytes
2026-04-28 01:39:36,845 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A090000 (jit-dumps=0)
2026-04-28 01:39:36,845 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08450000.
2026-04-28 01:39:36,860 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09030000 (jit-dumps=0)
2026-04-28 01:39:36,876 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:39:36,876 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x08610000 (jit-dumps=0)
2026-04-28 01:39:37,282 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A3F0000 (jit-dumps=0)
2026-04-28 01:39:37,485 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:37,751 [root] DEBUG: 8616: DLL loaded at 0x00007FFEFB390000: C:\Windows\system32\netutils (0xc000 bytes).
2026-04-28 01:39:37,798 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A3A0000 (jit-dumps=0)
2026-04-28 01:39:37,798 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AE0000.
2026-04-28 01:39:37,798 [root] DEBUG: 3404: AllocationHandler: Allocation already in tracked region list: 0x08960000.
2026-04-28 01:39:37,813 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AC0000.
2026-04-28 01:39:37,813 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A070000 (jit-dumps=0)
2026-04-28 01:39:37,813 [root] DEBUG: 5200: DumpRegion: Dumped entire allocation from 0x06180000, size 4096 bytes.
2026-04-28 01:39:37,891 [root] DEBUG: 5144: AllocationHandler: Previously reserved region at 0x09030000, committing at: 0x09033000.
2026-04-28 01:39:38,095 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09080000 (jit-dumps=0)
2026-04-28 01:39:38,095 [lib.common.results] INFO: Uploading file C:\atsPQMC\CAPE\5200_3464536392227142026 to CAPE\71eabfcf5758a8e5b9d1e782879b2171099a1ca11791da3c48cde69339364fd7; Size is 2010; Max size: 100000000
2026-04-28 01:39:38,110 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A160000 (jit-dumps=0)
2026-04-28 01:39:38,110 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:39:38,204 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x092B0000 (jit-dumps=0)
2026-04-28 01:39:38,204 [root] DEBUG: 1820: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:39:38,204 [root] DEBUG: 5200: DumpMemory: Payload successfully created: C:\atsPQMC\CAPE\5200_3464536392227142026 (size 2010 bytes)
2026-04-28 01:39:38,204 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A480000 (jit-dumps=0)
2026-04-28 01:39:38,235 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A3B0000 (jit-dumps=0)
2026-04-28 01:39:38,235 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x043A0000.
2026-04-28 01:39:38,251 [root] DEBUG: 3404: ProcessTrackedRegion: Updated entropy for tracked region at 0x08960000: 6.380831e+00 (from 0.000000e+00)
2026-04-28 01:39:38,251 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x0A1C0000.
2026-04-28 01:39:38,501 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A0A0000 (jit-dumps=0)
2026-04-28 01:39:38,641 [lib.api.process] INFO: Termination confirmed for <Process 1820 TiWorker.exe>
2026-04-28 01:39:38,782 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AC0000.
2026-04-28 01:39:38,798 [root] INFO: Terminate event set for process 1820
2026-04-28 01:39:38,829 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09890000 (jit-dumps=0)
2026-04-28 01:39:38,985 [lib.api.process] INFO: Terminate event set for <Process 3368 WMIADAP.exe>
2026-04-28 01:39:39,032 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08450000.
2026-04-28 01:39:39,204 [root] DEBUG: 5200: ProcessTrackedRegion: Dumped region at 0x06180000.
2026-04-28 01:39:39,235 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A180000 (jit-dumps=0)
2026-04-28 01:39:39,251 [root] INFO: Added new file to list with pid 1820 and path C:\Windows\Logs\CBS\CBS.log
2026-04-28 01:39:39,266 [root] DEBUG: 5200: DumpRegion: Dumped entire allocation from 0x06180000, size 4096 bytes.
2026-04-28 01:39:39,266 [root] DEBUG: 8616: DLL loaded at 0x00007FFEF5F10000: C:\Windows\system32\dhcpcsvc (0x1d000 bytes).
2026-04-28 01:39:39,391 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A3E0000 (jit-dumps=0)
2026-04-28 01:39:39,407 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AE0000.
2026-04-28 01:39:39,407 [root] DEBUG: 3404: DumpPEsInRange: Scanning range 0x08960000 - 0x08967BCE.
2026-04-28 01:39:39,423 [root] DEBUG: 3488: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0B380000 (jit-dumps=0)
2026-04-28 01:39:39,438 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:39,454 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A0E0000 (jit-dumps=0)
2026-04-28 01:39:39,454 [root] DEBUG: 3488: AllocationHandler: Allocation already in tracked region list: 0x08AC0000.
2026-04-28 01:39:39,907 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09340000 (jit-dumps=0)
2026-04-28 01:39:40,454 [root] DEBUG: 3368: Terminate Event: Attempting to dump process 3368
2026-04-28 01:39:40,610 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x098A0000 (jit-dumps=0)
2026-04-28 01:39:40,626 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A1A0000 (jit-dumps=0)
2026-04-28 01:39:40,641 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08450000.
2026-04-28 01:39:40,735 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A2C0000 (jit-dumps=0)
2026-04-28 01:39:40,798 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x06180000.
2026-04-28 01:39:41,001 [root] DEBUG: 7548: AllocationHandler: Allocation already in tracked region list: 0x08480000.
2026-04-28 01:39:41,173 [root] DEBUG: 5200: ProcessTrackedRegion: Dumped region at 0x06180000.
2026-04-28 01:39:41,298 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A400000 (jit-dumps=0)
2026-04-28 01:39:41,532 [root] DEBUG: 3836: AllocationHandler: Allocation already in tracked region list: 0x09AE0000.
2026-04-28 01:39:41,704 [root] DEBUG: 1820: Terminate Event: Shutdown complete for process 1820 but failed to inform analyzer.
2026-04-28 01:39:41,751 [root] DEBUG: 3404: ScanForDisguisedPE: No PE image located in range 0x08960000-0x08967BCE.
2026-04-28 01:39:41,766 [root] DEBUG: 3488: ProcessTrackedRegion: Updated entropy for tracked region at 0x08AC0000: 6.103737e+00 (from 0.000000e+00)
2026-04-28 01:39:41,766 [root] DEBUG: 8616: DLL loaded at 0x00007FFEF5C20000: C:\Windows\system32\WINHTTP (0x10a000 bytes).
2026-04-28 01:39:41,782 [root] DEBUG: 7496: AllocationHandler: Allocation already in tracked region list: 0x04CF0000.
2026-04-28 01:39:41,845 [root] DEBUG: 3488: DumpPEsInRange: Scanning range 0x08AC0000 - 0x08AC8E4D.
2026-04-28 01:39:41,860 [root] DEBUG: 7548: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09470000 (jit-dumps=0)
2026-04-28 01:39:41,860 [root] DEBUG: 5144: DumpInterestingRegions: Skipping .NET JIT native cache at 0x09950000 (jit-dumps=0)
2026-04-28 01:39:41,891 [root] DEBUG: 3404: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A1D0000 (jit-dumps=0)
2026-04-28 01:39:41,891 [root] DEBUG: 7548: ProcessTrackedRegion: Updated entropy for tracked region at 0x08480000: 6.411709e+00 (from 0.000000e+00)
2026-04-28 01:39:41,907 [root] DEBUG: 3368: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-28 01:39:41,923 [lib.api.process] INFO: Termination confirmed for <Process 3368 WMIADAP.exe>
2026-04-28 01:39:41,923 [root] DEBUG: 5144: AllocationHandler: Allocation already in tracked region list: 0x08450000.
2026-04-28 01:39:41,938 [root] DEBUG: 5200: AllocationHandler: Allocation already in tracked region list: 0x06180000.
2026-04-28 01:39:41,938 [root] INFO: Terminate event set for process 3368
2026-04-28 01:39:41,938 [root] DEBUG: 5200: Terminate Event: Shutdown complete for process 5200 but failed to inform analyzer.
2026-04-28 01:39:41,985 [lib.api.process] INFO: Terminate event set for <Process 1424 WmiPrvSE.exe>
2026-04-28 01:39:42,173 [root] DEBUG: 6384: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A2E0000 (jit-dumps=0)
2026-04-28 01:39:42,173 [root] DEBUG: 7496: DumpInterestingRegions: Skipping .NET JIT native cache at 0x0A450000 (jit-dumps=0)

Process Log

Pre-Script Log

During-Script Log

Machine Information

Name	Label	Manager	Started On	Shutdown On
win10x64	win10x64	KVM	2026-04-28 01:32:15	2026-04-28 01:39:47

File Details

Show Parent File

Parent File Info

File Information

File Name	f3e7737bd0e1eeb9863c6a00d4a9e0e8cb26ae78952b9c1cbd451d7c3f0ae93b
File Size	2021058 bytes
MD5	b3914551bba8b68e092954b063789ced
SHA1	3bf47bf08c6c450e91f93cf282c4fa76971e23e7
SHA256	f3e7737bd0e1eeb9863c6a00d4a9e0e8cb26ae78952b9c1cbd451d7c3f0ae93b VT MWDB Bazaar
CRC32	307B3EDC
Ssdeep	None

Tools: Gen Strings Gen BinGraph

File Information

Type	RedLine Payload: 32-bit executable
File Name	2026-04-28_1db227e867a99
File Type	PE32 executable (GUI) Intel 80386, for MS Windows
File Size	2078720 bytes
MD5	1db227e867a9980100dbed45ed50dddb
SHA1	9ecc0af5dccc10db6199f7eb56e01c79493cf164
SHA256	a19238fbf4dee8ddb36d45615e40ea04198462806a9db892ab04155faccf0c28 VT MWDB Bazaar
SHA3-384	d7c52985e164ef80e82e80d2e6652c72ed590e4bb539b22852122eecb951fad19f0d51751ff30d06e13acc304419d1de
CRC32	EE7E64C1
TLSH	T189A5337470D1C1B2E5A6103584CACB32A636B062877EC1CB7ADD76F56F603F1623A6C6
Ssdeep	49152:+kQTACYS/v6h3+1uhZcT2NnvOyLXXjFpNXCym/hXmL9W6EppQpk:+aC5CbhZcT2lvnDFpFW/twU7+k
Yara	COD3NYM_SUSP_OBF_NET_Reactor_Native_Stub_Jan24 - Detects native packer stub for version 4.5-4.7 of .NET Reactor. A pirated copy of version 4.5 of this commercial obfuscation solution is used by various malware families like BlackBit, RedLine, AgentTesla etc. (Jonathan Peters) SIGNATURE_BASE_MAL_Malware_Imphash_Mar23_1 - Detects malware by known bad imphash or rich_pe_header_hash (Arnim Rupp) IsPE32 - IsWindowsGUI - IsPacked - Entropy Check HasDebugData - DebugData Check (_pusher_) HasRichSignature - Rich Signature Check (_pusher_) VC8_Microsoft_Corporation - Microsoft_Visual_Cpp_8 - Visual_Cpp_2008_Release_Microsoft -
CAPE Yara	RedLine RedLine Payload

Tools: PE Strings Gen BinGraph

Strings

[(g~c
h&ydS[3
>CV&V
N>6J#85
ZLH>,4
ZUqZW
@J7M,
w4xzS"
h|loB=
,}Mys
uXMk%m7d
l -{eI
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
h/]+=
&93e`
KO3O4
B96\&
6p2EN
J71xd
ARkqN
p/{+n_
;EbeIy;0
X^6|=
=<1,q`J
WWWWW
eQe5H
E?[v:
|nnV&
\fCi8
^wT/#
vNNhd
E&p[s
 6lT;D
f>a%w
@uOnnU
XU/2MNC
LxE/U
&{v2kR
x)u7v-
aEjU1
M(}$#JE
December
_7Gad
uqhdf
3GfT=
N,P, 
_o-T>
FreeEnvironmentStringsW
%VPBo
,K)A~
|E-#lHl3H
t1jCm?
C@EmV
hJ(`5
#) e%oX'Bu
Xt# )
/d@c]
J84u#
t(6Ij*'
February
6q&z`
$<Ev:)
hbTSE
VR_aMZ
Z]ZK-
4,FzH
?|jX8t
DX'v@
|Z7D\Q
eg>-f
73>i5T
RdA*i#E
eKa~T
y6GZ2
{G,-=pQF~
I<^>"R
9^t8;K
<>_Vl4
uQ\{6
ou,L&
jK_"W
t.9Vlt)
pjvH*
)~y=3
:q#@"b
}~!!lV
^q=>+
^X=u}s
7U?NU
DE)@.
vWH{s
;z;k"oz8
R(C@(p
:mkS[
3h.OE
jKq:+!
%EhrJ
)RO?.>(
`4ZmI 
jM#n;
.~Z[F|
GE [-1
Zk)ll<
jbi!|
Zdt|0v
jv+7Fi{
P+SmrM
Unknown error
*b0gP_k
T&>~a
Z~"5'
>JQ`p
gJ:sA
`omni callsig'
! OJ]@
9yPK;`
{<~LL
|9xOy
IKDzd
rAT+\
&py?|
/p54m"
>D\Ao
3HY:BYd5H
++\|}+
|v'y8j
~JWQt
:+A:k
G\5bU
6'k;7?f
=\BTX
jv9Ec7
FLWUP
jM^6577
K^ +[
o]vs|
hR]P9
mB=H)
vAup(
_sc(U,R
r.>.GH
6q{Vu
Uinq'
@DtJ<
 S"iL
=ELxWrm
x@S >
N#j%7
:Op&`eG
O/HSy
|Kb;8='gy
OkU/-lSh
\Q?pM
U\(Pq5S}
qwol4vi
gy+7*J
?u#(t_
gYhh&
gK 1C
l9rz`
1<stg
Fa0xr
P.uvd
tb%8H
-H9S3
D>HA\Dn
RQTa-|
+tQAn
|6]+=_
}"[yC
rV]aO(
"FKcy
C0SEj
3iy[dS
hbJl&,
tbLh<
Z+#u`
1ZYJ3
X<-C&
j);z/En:$
@~2`pR'
\jqZ>
8>Yxii
!mk/G
|t@zW
A`RaNz
EnVFA
sC)uf
s@N@DJ
Dq<vh
aeX.[[
gBlln
!G+Kf
#<0W(xm-
aB68B
2? v.
GZMLM
0KYk{sFV
,3j Z
hgh2+
LegalCopyright
^D"Y1
I|K{dPi
:,Fs1Q
`,^IW
SjGmy!
W^C"ca
}$d,K
0&mZ.S
UgAh`
D$|`~
k*=(GGu
<*Ci]g@[8
].[go
E&r?&
h7U .
</<t!]
uPqtF
IEHo,
3;b6E
}Bw']
\$(+^
V$JuK
1X:sX>
*1^y;
![]&SP
E!(N.IPT
Z*YG.
(0e1.
M#D5&O
b:s}"
.rsrc
Pm]=U
LkzXS
Dv^Rd
VoVEF
}!#oBBdH+
rB?i;
dU#]:
XWz:+
q[wZ]
/. O]
`$$Tg*D}
GetStringTypeW
&<K{~D
-lW4=f
zz*Wue
f \Ry)
D$(+D$
Kw2E@
M9)7Z
Kv<TQ
1^yIN
L$(+L$
)aVyz7z
%-P4zY
\)VWY
&fn6D
L-o:n
+l3-7
^2w|!3
[fO@Q
LxPBx
i%}=|c
L9,/X
u^QDQ8Q
50k_ 
\J|~u
6?g$A
*k^GX
PUGS0
qH^PR
v?fj8
R6032
Q)wZW
4aQqF
$U%Y,
dTuvn
% =J3k
t80<(r
~F=>MLU
A'\*d
f6S_Yp
Nz|7\
p{1W;
?LvAE
'qOm;
`d(8^
?LV*KoT
Dw9lu
K\)w[
R=sZ$0
j)_>b
plQX|
=CN[w
2+''l
z#Fo-
xykAE
8K.V<
a0Vwe
Sunday
P>F-NS
9Swz|w/
qR79=2L
[so''U
G"_1"c
izfRKz4
W_ bv
$PF`p
TKJ=va
jF4NA
Est*`
s(S!R
@g: 9
6N(w"
2#+R]
4[\-z,
m{*4<
o.xpFtVs5
fq<'~;9D
YIo)l
v0z4pz
U[G4%
AXWhs
n3R*$
h_53s
ngi(JP
ACH.W
{?~o6QS(?
Vlf+Vd
+^vXb%e
SA!o}
/GnO5l
w[*~P>
5_n`1t
,kVU4*
TI5`(*
7Qdzle
pH&2A- 
MultiByteToWideChar
~d8;G
Vnfb'
>}Y)9
({0!+
fKA2h
 ZY(jYV
[?3q%\
1d^T;
y2;.u
,Xvx8
~2#i~
[4LKZ@A
Nq0fX
WPWUj
Result too large
B"j!8N
"k8e00
b'H3I
L.kR{
:I>r,
os0zGl
c|5,[
ZsN~DwnZ&
`f6th
Friday
/U_)(
(Imn:h
5xt6-
:O8NBI
s*)P*l
wJ>Ly
`s(")
&Dvgc
4<U/`
0zz\[2
^z<&U
B_E6c=
V"EU6
7N2JC
Ky5XW
R ,]G
SA^e}
9^Pfr
}<9`%K
KkB1-
<<b5=8
, b,Il
Cr$nX
"v{qx
a-51w
ZT~R=dHp
chol`
zCfQw
$;}|j
+y5r;
xil{>|
]e/B=;
NH)j}
;^ZS f
VE3Ni
"8+*l
uRW[ai
zBAdl
HLs"gk
2`uy(
@w!s2I
#W)[^
ctWB)
`vector deleting destructor'
\zm|H`L
rh,,|
Qnlg,1
6T`\2R
Y97;4 
^pi!I/
}-*zY
/f?cyO1Z
~>j~V
L?-k5
z##$rb
lq_9z_%
E5v2oG
]Knk`
nv_)RU
+=t5=
lt+#3
l{<tm
v?9/;
ro&C.
116 `
aHL9d
%[x{m<.
)KX*qp,
5&'wZ
8ex)"
Y@0dF
vORy4
A\W)w
A'eTv2
~,WPV
#<wa9
O EQ[
GBS`.
K%RSjU
#>Ir>
aqilv
C&8YS
0<oejg
N%RcZZ
R@I>;
?rD?|ky
p#"ns
'FQ',
4[<:R;
\(_44
9<-aG
)n73O
CorExitProcess
NJ0J<
v$6jC
!:9!"
0I@_<q
k]GjO
SyK0,
K,K)O
)E).t
y(M&I[uW
YE.(/z*
R1UV&
)yAgHv^
Bj|5b
gH7f2C
 @HcXzS
npEur8
M4^VP
r<~6+
=vw.5f@
Lnj~[
alBDc
leDz&
y7mO\
4=2;Lmk
8=EL{\=7
G`9Gh
h$\t}
ArqwA]
e%CSW
r2UbY
{3lKE
g-X}I
>=A):
.B7lNE
SetUnhandledExceptionFilter
tvtEU
$O`+w
v*k@oVH
53Q-^/
;%"3!c
xdq`S
Qb;jX
3Ayv]t
ST"hx
~qYX#s
r0f;p
-w-me
vWz1K
Fxa"qx
&}"P#_
`c6%&
&^aR&
.?g\h
)wT_;
Wq@2I
2mFK6
g2H"d
-uGJ}
1pI,M_
LZ!dq
libGLESv2.dll
Bb5{J,
DXL".
'rfc"
L'c[.
\5[pT
%:O]R
#"7L$
;X=Z|
nt$h}Z
tUw%-=l
B%hsx
1q+#Y
mFEg;
i \fp
Uc5'Y`P
jRKo!
!=brs
m6mKd
P#fGu
{+2U B,
'jVdM
9] SS
\f8)lQ}
Oub~b
zy'0`
O5/>k
cOAVkd
[$G[?
ef$ D/8
R9 F_
?Rl3Jd
#|C&s
B}!t 
Zh9ZuO
>TCPT?1
tSj=V
SeoY3o
*hAy 
N1,r>
Xju^{+
n>;L5
eHTO/
2"}Wx
/#u;H
d1?d/ePo
%q@mk
Bad file descriptor
.i9M/!
A'\U"
!AL<M
>l@MF
Improper link
a[1Xt
9b<c/p
R:~wA7
*bd1_
>GgG-
x/ig/
{Tl%=
7'S'#ro W
9F sn
UL,^V
D6:vY
(3l"&;
ErGAM
~oQzh
 K/3)
_f"?3
CO4:U Phw
#:,<Y%
%]&14
Rs"V<
&Kn{9r
bp$"z
@lcGo
U%r&`
g`]`%r
FC>:F
`n~eA
;M!/*0
%Q3=D
Bmf!uu
Y?c-<
12cLx
ar^W<5
rc4:#
XY3$qrI7
]t6u@
}@lN\
Wl_[C
 (Z7+
mQK:J
&XKSk
QU';o
(MJZ+U
@2J_}
9NZU'
Ce+SM
P_#Gt7
<Pa]{P
HHty+
$6KP?
_\?.=\
)\ul9
53~#]
Q",e,
'{\hU
c}Q}Z
Q&oAd
3Levp,m
/uZ5P
LoadResource
SXfA,i
This application has requested the Runtime to terminate it in an unusual way.
qA'5"
Eo#z2
biIbaN^
!2'VMH
e&VF_gB!
s|&y'
E1U)w
nCK<+]
(}o5b52
TZF<K
j.LTT
Yt3^w
/U*;=
xGs~y
 -%C8
389V^
O71.h*72
]^m-.I
2^26P&
M{Lrt
-l|;(
hI@jpMS
rVXE!t
%"[I0
+@G){<
I|u*$:
!-kdW
1Sz+L
+^|wh
TEL9P
hnTv;D7f
7R3`z
b9t(qr
#Oh7/90
A2 8qV
<l@cG
fJPGd\S
Rq*F<
91*8x
Jhxb(
Y#x\E>
WbJe5
'G!>+0/
"5W9pfG.
z}q85
Lr[h`
1 bCo
U]1tO
\TkWp
[ZO@3
N+q_R
oX}MG
a(G^BuE
oejq[[
TFH^q$
/p6^r
N{)UG
%_t4+
\=>e|
MnZ|C
.:XU8S
%n}+s
D^C tN
$kM%L
>^>ex
<89V0
DeleteCriticalSection
RKC9Y
\]rQ)
BxQ=(z
RlcvS
|4E41
^<43{;<
'DA`?
lSZ| 
wscvJ
2F)`z
!rcYw
uN[8N
`e Elsi
G*.H'
;Hm|_
=Dd?=
9*('t*
ei:ID
+4Y4lg2
cj}O-
Rz|=]
OtBE6k
$2`OT
<HLRq
^:S}`
j_;$"
SetHandleCount
M^b]}
@kRfU
h~0Nc
%SSZs
EEfZ(
Nf^\K
gXg0P
}1}gEI
2y;Ng
)]#9x
9R;DP
bcy8u2
P#a'hW
@3?;R~
*3c=G
bz]-O%
p5;Q9
U9w1h@7s
u[l]Ro
4_365
w2%z)
r=r0}
^x+RuM
mrgGZ>q
J:U=\
pK'sl
{{"=lj-
sVv1+'ec
N'^H5Q
xZbAu
&m[7!5
S_Zy%4h
+=C*"
$L6c`
?e:WJ
Z@c|_u
ixdGRO
l<ygg
J])[V|+FW
<MP;xn+<\
|P(%"w
QU^F&
\YQ#j'C
p$D.x
RF-<:
Lgd-t
-fgX"
ihmM"
xq>|T
~+s>3&
F]K;nM
}Vd)%H
q vbx`U>
7FNuPOb
SYfNb
Q! b76
1W6b-
#tTRH
fC,ni
FtZ7Y%
YlK_Lj
</Pwu
oXtRu
'9yE+
W*oCx
,N]##d
p&25y
c(}~g
bOA dPF
*+=`<
@IhK)
@}ry1
S$,Gz)
JcC~A
X^\AE[
?Xgaj-
;3? :a
m!hqi9{;
aH,GH
.?AVexception@std@@
+Q}kr!
JBW)[
o=Cp|
rI6Q?
}Kr7b
|P33n
5d$/t
,>Bd*E
x (?hT
 sd)zg
6zh>@
okRR}
/.WZAem
k8{5r
No locks available
u=N@Z
f*LK^7
4e=g2#se
)\ZEo^m/
VUj?g
xIzHe
,s6FQ
`GAA|
rC<L,
hrR>0
Ea9=E
R8?4K
8j][|&
eRK><
Fc8DQD
                          
JbLkNw
%-1Td
ol/|,
-C:&"
jgN1>w
 in2t
v-qT?
UyNSX
[4[N!
d=(PQq
l].Da
uL9=\9B
>G`]t
7K$Lf
+t>WZ
[:]kv
)b%Bu
.z+ih
y! _:3
l;*PA
`3Gls
+NFHZ
mDLM.Z
\gjnG
?~K=b
CSGXG{Y
4`Bd?
GetConsoleCP
"l4El
RoG(W
dLcZ}
LbWvg
 %9ql
pTvui2
r~`z8
~0G!Z
zu2Ab~
/AaoF
v)[4/
sUSJ\C
Wcjf5
@9fJ#.
@`sXc
 F^v}
;r]}iS6
w8Tu[P
?lBn\p
3>.bC*
iw!bW
Xf}eC
jqfZd2Re
GetCurrentProcess
MI%;b
xoNq'
Q([5{
Zh<7Q
D[3\;u
pF)fe
U&-x 
^*4@9E
E?yRw
D$HUWP
NBaF D
%h'H4`
-Es5b
PmN6L
`a)kK
=8v"Y?
!0}Sx
E`=.hk
AIi{@
i]?KL
GetOEMCP
zo6l]
o6}>1
/S}dd
_Zx7R
=>WL+
N&ko8}
W EKa
l7HoQ8
dZAfK2
A;dFR
?BIiSt,
c49F-}
:n_c%
'>)<n
0\YcW
VLP>"M
($9>r
6X|:<
v$\qE
r  o,
#}vbn
18[g8t
Q);FZ
O,+L$
#A]cv
hd^f\3{&
M%H8A
)xFrs#
{o&Ay
$p`;6m
{^oz:8
qd{$FfQ
D(^h:
on9[[
f0Q|a
L$PQSV
;]P&/f*S~:(
O?*\}
=_z2;<
f2SW2)&
uun^(
DsBiS
t{nk6
A,89LF
r'!7zP
jS ;P
q5Yt=/
\s)vt{
&ILh`
F-p#z
TlsSetValue
,f+vl
($:cdK-UOd8
yA;BC
mKx.1
-"D5 
l>!6N!
*JmWZ
p4abx'
y(]TD
T~SBF
(E`\m
`}R#jReb
D$3UV
@(;3I
?D*&Q
"{yGG;
^%$K}!<
/u fl
 Q3{lB
]\Da<
#.bu)
{3fiW
* r%t
Vp,(u.
<po__
i%iS~
_R&m)
u-,Dy
/ (:'
Ot{#2
q!MeD
Rby52
#[zhW
a^hHE
No such device or address
;`WmhHU:/1
(s"7>8uaCA
@caf)
h}FuB
Too many links
uWHXq
dq`3g
KFI[C
;x5yx{X
M_cZWc
rCM?h
-uVqH
?g"hs
RB~A__
MBtW7
4t>h0
DFfH=1
6I2H 
.l^Yj
1Z=cnL
k%ej0Ow;TA
R6026
aPC{~E
)S\>Q
""/p#c
R(iOB
1#IND
vQO+t
Nz)(k)
n(oT(-
zL27W
s#^s5
\Bls"
Q0"M;
h:<A*
[U3'u7
x[|=0
v?(3p
&r&NC=
GetEnvironmentStrings
O4FfG
U)fKS
^G^+cn
KO&1Z`
OFc'dOdoc
*6.}Q
z8VLGR
`dynamic atexit destructor for '
wNx9Rei
"UVO9e>
XTX#Q
!V4-^
Nsv%Kn@
?&mBU
%Qr.v
S'"YN
-3Qd3
+l@YJC
sm?g[
}L-=^
c$!uAu
K4l66S
?fU3}
ic+G|
n<j.5
0alf~
=M7bA0
GoI|.{X
-VeF}6
R|VTe
.;ZAW
5>Y$D{UV
\Z0q;H
5D6X_4
FZ3n$7
NJ%a1
@nS](
t.NFO
p1ToH
zaC.{=
2N> ~J
Ny\0#
TrnyDh#]
k61\/
|*%=9
^%qg77&>
lzptm$
#E:v?
oaH*-r
0R7DUT\
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
|HF?^
j@j ^V
rn(v9
Z93@'a
/@).~:)
bmua:
#6x|^
k)8Ka
]]pM-
R7L8>\
olNTV
jQ34m"XZ
&`W[F)
;G!z+mn
S6|5<\l
(?uih
IBzTw
+}Fhz
|->>r
dWZ-Z
$/8aU\
.Q!Xv
n-8W&
A-cql.
JHwnxs
UOSP$ Y
f{DW<
^Xq1z.
V'F!-
QueryPerformanceCounter
<{?jia
DvJ4DLgy
X$jbl
 j0T=
}5@`p
!]@cZ
5#xP}`[
;l$Ts
V@X1@!<
a(7g?y/
f9K"])F
$P>Ir
"cq>W
2-q?4
__based(
y0kcA
j^Ffgn 
lWBRE
%XH-"5
GetModuleFileNameA
!{r@I?{
BN3X_5
GeG:8
Cvr,@[
N=:[N
>s.=ci[
L%g(;J`D
X?{0CH
bRspU
of9CV
wU<wHI{
ZRWG98
Q+N&H
ilpz5
'(FsG
`YsfJ
=MfXE
4r9FFn/R
Fe(XP@
+2FI3
_JK=!=
rv5J;
'1!Q'
Ax>;R#
IZ9*:
@|ir 
BrnGi
?N['u
cE`9Q
d61Kc
0m:RR6c
H=B{3
:^w^e
|o*qQ
fV&Pn8V
{O,;\z
/E+K5
Qf^Iu!
|Y4~;
yP#4/l
Q&i'a66
jbM" 
Y;byZ
}~#mn2*
:0{_DT
/-(oR
Do8Gi
PaQUt
L^'Ep
4c6Z,
gd7z)
HRm.8
T17kvY
VVVVj
@\ A{3
3QQsb,mP"
P9 n)
G>l==
#g\tO
=/{JHO/mL
qNp7y
P*KnES<
>\'5S^
$jY#N|
O%o &
58-L&
`%v<8
+MDz@
R@+Ke
mg*[6u
V!pKP(,
% I7P
8Fism
*fL-P
<Jl)vaH
$YXVf
]'*|]d
Nl#N4
G#eUz
{G0Wi|
QXhbNhS/
bJ6 M
z7w>}
?b#;UfN
u\?no
,NKM 
BEEP/)
,8a<Q
geJDXl
BxP\3
~(`Cv
]9ifU
x%VMYR
&L3nZr
5zXO!/
'o!YyQ
dLz_)Yv
AZAjvQ
|*-<w30
x!YZp
G&(_<8M
KR{`sn
}0)xg
&yi5K
:!TjP5
\az_\
m2uWVA
=Q:4;
.wIJy%o
]@T:l
J9 8E$
Mq<nH
O3Qw&C
No error
SZqXr,D
uc$CaJ
o&@AS
UfEIi^
UTF-16LE
K>Q7d
/R!3~
[ozwxC
ynC0a
-8fjS
^gjG=
^6`b;
J:-sK/
0"q'[
t_GZ&|S
Fxm"-o
_-0_Q
8a.4H
]|%)XU
nw8*V
`d%J5
*_0x<
MQ=oNI
m},`j
;\h(a
`M>t_
FURkLm
%v -[U
9>yL +Y
8^HYe
DX;p/a
|C0\j
Vz7Q=E+
d>lcm>
Too many open files in system
e+000
R6009
oY "/
:F{5R
PZBh#
=%Ujh
>5h(v<P
#;ih%
Resource temporarily unavailable
(ww?$
AO"36
'*EZN
/PZ\G
v,rLf
bQbR.
*,^_&b
E*R<]U
gBU[(
H9B;gG
Vlf+Vp
(A)=7
T6<>{
5]oWf
Function not implemented
!,U)$
?'.R:
/N'+<d2+
>u/ly
,|&D[
k;Ic3gq
Ve4Hm
-dcl@
v@qNxg
n4e&pq\
-M[Z|
5q#V0?A
[\^|M
_YFNr
YThmKg
oDzub9A
L7h)}
~:!o7y
&]@l5
nZ7GE
Lt6d|
r1#[B
"Em|O)
DV'<z{0
=K'Yy}
#/B,SxT~
'puB>3
y/lE)od
4ZThv
Va/S7P@
ow<XHl
9m;ip
7JWr*
lp;th(L
PVl|g
6P6CP
M``j^
4Nn8x
;\vWV
mn'M$
6\"!:p
Uv{\U^
$xEN#
.A]I"s
Md)8f
"_Z]V
]q^_W
~$!AS
LSp`#m
"5z$&
c*}DoA
September
0*!;f
u<"*QUv{v
2it_B
7wK2P
hVJgwH
]sO>A2
uUHbMP
0#M2k
zc5%8#
`-f?V
r<xCx
?' ~N
t"&7Y9
Z~2wX^
y/O6"
p^C6L
6bV!z?
@ux_c
Qt^ew
vFUKI
>qvcZ
'0DK9Ii
{[ZoA2
X-Qk>-
o<L6z
X2p^J
g[r<:
:`ce7
`^gFw
%/l 'YR
!m=1.
&:;{_
_$B<dV
'c|!?
%ymZip
brzr 
3#pM63xI
4tu!p
z.[|a5
b_)K^
Fg"qV
7M[Np
zd#K 
Kt}l|
_n"U\
}J_iY/
~Z:KGCz
}_hptx
5OFx,t
^u2bF
\m9w?
raO*kN*
B-y#^x^4
X$_=1
jv`7I
SetLastError
|yszr
cBO1d
s8`&1
-~g]<
#*=9O$Trd7
xxBNc^=C
Io"[S
A~Rl"
'E;Rs
/$z^w
t-<t,a
}iJtS
NG?;C
jMLC~
i^Ru;s<
<>`4\
etx)q!
2|V ]
K?f(o
owF>{y
!|scK
eIh_N
^x1sn^
jGfVg
k'Uifi
)}>xT
NoW/R
U/g!m
">\owq
CgsD"
?r:g:q)9
&}G5v
weOjd
hZE"x/<
|Qe[-
|W#6>
Kyt8S
+d(l%
_#aQT
?Xx}V
 Y0'N
W@8iX
=,o'm
*v%`t
b %}G-
fKu<S
"gF~D
8@D+t
`3R@U}
b#k~W
O*1"Dd
<r7]z6
HoHfz]
'ZgIifIW
61`$y
DQWsg
Q<"Pm
P#"_m
zJ*f:
U;T?E
has]'k
M%q89
%(EPDA`
_$^{Pk
H{qQB
(5bA=77M
r~*ml3E
,a Gx
1K:nQ[fwJG
'0hN9
y!2<EV
7pY\0k
lq*"q
>0.Di
Pl0[xE1
qDYFl
2(R=B.p7
*4%KBx
hY9e@
Wr2]k
+~LX)
h-r4`
:Qt<3
!v>/b
/18N;
b4k<b
4=(P?
QbkYQ
cYDg-
ko:t(YC
(R-7w
HI:HR@
y\ru2
fg$u_
Tru27
\5h}3
IW]4`P
Y^jcK
g`zT7
, <Xw
)N!D;
dnL^k
/G"kj
x<mW&
}std%l`
fV+R`
IN0XWK}!
._~ob^y
u1~Sm
k/V^O
IMdjBc
u\4B=
CreateFileA
GHtV;
(|xq 
] @kP
IxdCw
eI;cJ:
FPwWK
,u9@g
\0[{6-
N[D(^n
Y=dVq
Q%g<f
Vct2\<
'7TV>
25t-y
3V@|I
HqdH0
Zj V0n;
OZw3(?
!0Ru|o-
YO),\a
&*:Bsd
FrMiU
497.22.962.278
mAZrs
RHO>rY
pCDCL
7aXsaO
&gg.9k
r}vJd
6>*P&.-G
]e]eB#rf
`A]':
xv/6Qz=
hms5\=]
,QAJf
[v^^51
:S++&
>eN?=
GetUserObjectInformationA
#mKp]%;q
v@4Rb
WG`(:x
uu,.Gn
?6~)6A
~?Rde
i^})]m
@Kf/+
WideCharToMultiByte
PzRv;W
1y5H"
z?YCH
/NZp!
!G6vl
pqZM@
qaSuQ
,%MC 
ka@y;
39)v>
0W4bgI
vPOQ'
r&~IHZ
Mz2-G
7(A}f
                                 H
#qPdG
x;Ud7'`4:
L=,[t=
 9x&/
xewQi@l
W8Ow?=
MF%l[
|;K5ov
~eo/h
,o+@B
}GSU3.
]F1H4
oaN&q)AwvM
[gQ4M?
}K BW
Y6*sG
F{+/n#)
,dLtS
[-],q
<PM_@D
-"kjW
Af9`}
u":W$
D/|x_
e%_;$
M|W~#
US8Mw
8TA@Y
@CA>#g'
9e/ZG
p$,S}
}{=%*d
_)+|P
VPWUj
D|:QR
pzYIJ
Tq}Lj5D<
Tf,hUGE
Wu_*y(m
dKrf=
P"e\'AO
+QDS~8aV
`JvY8P
r3*YI
zu00C-
v:Zb"
okR0g
l^YLL
,1eal
<u A.C
hLsn&
v|9/mb
t?dy3`
#-(0w6
~`no2l
n%0'P
/tX6A\
HQyE<
[qW42
hT4'?
o6#L8
TUO0Y
7S[&k ~
8<K4G%
Sl#&o 
bA7&7s
%Sl=f
!"W3G
Rm}FI
[k;e_
&ndjji
4UPdh8
:PY(5^
6;XmL5
TTqli2N
I46Dh~
*.yKq
E9Y/4n
7fhS`
><F}9
<I!e&C
3SDns
mq!MG
BF*n^w
BmM'Z,D
]x7L4
QCa!2+H
R6WM1
kb"^`
0rrd_[:
nwhqD
4N6 bl
_^Wm&
E\nWDqj"
SB VK
!7}-k/
lA9v~
44d_VA
<#9+w
sCex;K
c\P{U
|bY%%s
).gbdN
X_X+c
N{su|
"M~~bC.
h)5=c
;+^:C
8Y] <N
l85%u
G6v:L
%?;8m
)BwT9c
7xBX;
iZ-TM
fz0:q
t]usu4
hE%/g
_ra?L
+E'et
1R3@`
t"SS9]
7Kzm1EmD
2pY1t
p+:nn
g]]'t
G}<x, I
|U+c|
G~`\fL
a9gXqE
w0LtDh
O!17|
y4g(GJ
Yn?=U*
l9W-9
3{ Ix
aGh!H
sez]y
~Val}
Nu!@=R
RpR-L
zT*|*
slYS:8Y
gdx-m
t<'B$
I.;=>cy;
 ?gUl
PSyos
x&vu9
 hC\g
wFy{0
|dTVT]-
+?h*P
(rcwR
aW3$2
xPfaL
U3`+]
UVF_(+
G|F*&
BhJl~z
k`fe5
0w7[q
wjZ=`
gHp}:e
l}ciy
)QyCT
Be3+Xd
Q.T,e_
ty{f['
L#)O0
jrMNT
}Kk;$
E;GBFJ|w3>
eIvZ-
',hAo
B~',6[e
t`AU#x\_
?tDV,
N(~>k
U1Zs;c
m@_t.
\cO$_
2e#3#
&I]lJ
7[>j9
.?Zk~
i:h) al
ACI>r
jwqOB
irnLiV
~PM.&
`B!+27
;$;h\T
S,j}s
JI`pP
GKWkb
UM)Bq
Ve*A1,
Broken pipe
<hwUEJ
8\ywd
 0EO%
CompareStringW
NOT*%
_06VnE#
;ZI!Z:
-^%sb
jz}3%;
{M_)6
-WR^h
}}v(b5G
XW?'g
QjM.,]
_Ot5}NN>
=Lkhp
A)}Cr
O]?!x
2#lFRT\
W^d$e
Q'lZj8
uDOB3
18w%cP3
BFxcq`4jo5y
qelCLT.
.text
.$3e#N<Nm$
JK`BOE
s+hR%
H>z8m<=
^(9^$u
QgP_:
8?LXgf
fYOQH
R2.Gp^M
C2gcB
M.FUW0m
U/u0aKb
- unexpected multithread lock error
k@gU6A
eHW]<
m[Y0p
r=$j=
xB#$yq
H_^J>
rwJ#NH
;pRNgg
Y~x]YT
gAEC\pov
-(]zSN
pjPR;l=
r)A<bo
h+e-a
EA[V>T*
7Rg!(7
`**Yw1
DFYqw
$]@gP
U-1St
,AhBIc
R6027
ocu@2
G6JSW
1-ecD
EJ~dLU`
9bx<15
Z{pjn
|Pbp)B
"*yM*
Z$z1~Z
rOY/<
)a?MA
BLqd=
GetTickCount
4?S1"
2#[{X
(49<|
uu{;j
v;=L`f}
AGB&{
)BE&]
J2n(g
<0p(I
n*DE\
?s[{>
:Bd8]8
UOLKW
 <Wol
sEn}`*
mk%)Z
]ji)`
F^DNV
SD>.}
@XDNw
E[x!=
+WH!Ew2
C]nxqZ
S@B:M
[gYR*
a\LyS/"F
D$@QP
Plx?H
B^Tu4`_
J7D6k
!"),?p,
CP_^][
L#~J2E
#:}=Bq
Z'rN4
043Tq
:q2x|z
l_\1B
#+G@8{;
d9BPn
DL2JSy
?{~PRV
3l>v?
v-{=E
7+}%O?
U~}oH
421=8R
=->+R
K'Z< T!
vZ$APbb
?/~|G
HK2Ur
%UDT<
H0=?l}
uJCE>!R
+ue.k
0T6]N
[|r6b
n)LDR
t+WWVPV
\zw~r
THf1x
+'#p&;
%_a=dFa
2SuVR%
k:N`/'
#.I2{w
`vbase destructor'
exg(Ps
hO<(Q_
wX!X[
4}{`++
y`96^
#f)oP
Bkg>+8
#3N%+\
}B!&%U
yDw,}
R@gwe
 T,m>7
(Pa[j
LEldL
:s1cB
ghm~x
fNaQ2
UNICODE
K'd}I
n[0J^i
+h*H[w
qCN k6
RXI2A
'I68H
qYA!Q
5^7TU
o%]x)?
%XSW+
tK*x ;
SlDFY
Gsqu!}
Fzs+]
A/mR0
I>zE_
[nvoN
837Ib
XeU2+W
?DasW
b*%hA
)~E$|
YFEh_v4b
0=U3z
["(=_X
.2@Ag"f
}(dU:}
N0S}]
Vt|2u(
jc7:c*
8RLdZ
G&0Z)
J~DSf
- not enough space for environment
b Jx/{i6?
_MXA/G
August
x<jz#
<^Fy/E
iq+aA
uY5Kv6
aui3sr
o]9$?'
ihOps
EGt7/
 AzA`K
w*R|w
5A_Emv
xGR3qz
QWSLp
;Z<=Z
)`y;-
*I0";
[eZ;l
C}*fZ
,uh*oP_
%|a\1l#'
mz!%)Z
;E&md<JD
LeqKm
BIf"7
AxDczFC
)8zF1
{IN^r
S95pI^g
9I}S*
x ?u?
S}#0H
u[\)A
]VN#%
, vig
r;B8OU1|
AM/LL
6]nLe
,i[j(
9/n[/
Ww4#`
OB{y8
hR~Ul
*{R69
VFJs+F
pUw>i
QJ#m(
~\ruK
vRp`r6
`QsE{
#y4D(J
U8$yn
=GNT/
t~@"EXE
3j;zo4
x<_^]
"zP<E
my6w!
q^U<L>qL
-zkit
qUg4jsz'
shQUC
*\_0`
emI&R
Tt`Vr
R6008
dE+W>+:E6
*8Ev)K
1:x^I#(
x7L5-
`,hU[
y)f.#
AY9kB
$LxK4}
x{j]#|
x5\.(%Zpa
`copy constructor closure'
@Ig8(
C<dG^
iwK=1
<d{I>
"kqkh
3D)Ig
:)O- 
B7Tni
o*ClOE
n2c;4
GetConsoleOutputCP
^CEV_M
m]ew_
:|)x]
g]bu.
_^][H
'a@'+
X,]@6
wy(M*l
2!Twcs
\1>~)y
ebYA/T
5BNKY7)9
Z7z .
PyEn%^
eeO#8
}?UI|
L*.NC
?PGOP
PF:o?
Ho)H0
- not enough space for stdio initialization
@bC.'b~
_5kyk
MsvZ&
QCx,c
T$<PQR
`m"?p
z?aUY
%k`vi}
"JoKY
kC\S7
b.WSS.t
X&G,]
c*X?S
"hadi}'
}P>P3n
^X8t?
<iU*-
37=D <
c[KiD>
W\D{1
91<me?
?3Vo=
4-fOW
s:FZU
IXF`v6
PS4E^
Gx@0m
b^A{B
CG6L7@
}&E[q
D"z/Oo
^er)j`
^EyQ<
Ombbx*
EQ0SL
lDR~0
$.54aV*H
 =d3(
u5wT"
;4Vrz
1Gx`|
9?(7RU
e:8|>f
j/UH::
`h[ U
&R.]%X
V||Ah
`*,u-
/esj@
@&8f`
l?T6m
M`QP^
Fgm.oyE
>^Ave
.?AV_com_error@@
GR.x@
k^I`mY
XpfYO
WriteConsoleA
0_~V:S
#.tg;
VbGg/b
$!H="`
fc+)/
vHAU6Y
$VJ2/
SOW;>=SO
`*M[<
(wB8!
BePk^
|K?&2
+?]Iy
w `^\
n@e*i
v5Y<!
SVv)LU3
E>zVv
%R",d
-&\Zv
An application has made an attempt to load the C runtime library incorrectly.
f<f:,M
J3UPE`
6G+Tg
\LT[Ch
R1h58
-'5]6
_VHgGp9
[]LRz
T<=W0
*#@W"
[;4^j2B
t\4d$P
n:s?Z
x:mK1
*-:J:"FU
}eP{O
pRG`q5
tYmA^
cOplY
xppwpp
_9aZ)
7G}UOW0
%)[{`
Yb8lC&
o<N<a
.?AVbad_alloc@std@@
CKGTq
-I!y=,
VCO6@
9FZ)"
M8vze
V h0%
a|UP6
GDIy-
 XS6o
^*<cf
j-6h$
wx6La
b2_GC
EG$9w
p(~O;
4#$$qe(
vwOJ`
M1-'_;SN
gXq.Y
{)i'F
`:~:h
8EX:n
F>h{iWu
LI%cK
S9'Ym(
J*(9#
6"gdJ&
M=5d`"k_
]bg_e
%V|os
(m^h&=k
w}J:1j
{PUb1
%f"FiOe
i]e\19
u0PUNm
vGEM&[%
`eh vector vbase constructor iterator'
lgcml
p*^45Fx
Microsoft Visual C++ Runtime Library
UHn$H
A$nN|
*&P17l
TerminateProcess
CCOG,
QKd2v
.?pZqr
GetModuleHandleW
:<C~(
Oar\l
R}Apz
\e4,K
B8rkz
tR*X6E2K-Np
1#S.epU?
Ls$Ww
&d;M;
`E<Ww1qZ
3BU3YB
{u-G^x
B072!J|
5.N!/
[kZfT
HoRTo
|A($a49
>(?gg
Ia:A/
bczI4Q3
!*b<?
Y?%az
i:G=aHB3
,+#.4
/Rj',
0*WvD*
;T_$$
=+Zfp
N6I-uc
<fQ4W
bGjD]
2;|:S
MGC#a
_n\i7
w$_#q@E
lC`lw
LHTi3
Ig74BK
|.e,{O
3?fC]
r@X,A
]!]{#$
January
Q=@3~
[c|)]
 mC>'i
<Cru2
fdS|"V
_%w{Z
ohg!j
B(ko3
|tp]5
a~}8V
p4brQ
N6if8
2+a1Cx
FQ<g8
F =i$
^Dm_j
WfZn%,
5'ud#
ES|&m<
TrqFJ(\
2SrpL/
|{9=@
Q_PG`
oT0K*
Iq?`.
\'StCE
A;P6e
QV+[]
W0f6Pr
r2wa[
v;)jb
ZD0 ;g
~nAndW
\g"9x
Sw9x[
Rv+IC
$L6w 
<wB}-
d|t9=i
%n]@M
aoDkI
bSyvy
hdYeg
$yp@iU
~^;,f}q
;FLuK
HM`{P
eqzx@]
wwG%)
'0g5e
u.i\~
#3`jb
i;gV4
Wusiv
ApPRw+6
7??c.-'
):_c<T
\>n[}
t'V1/u
my/#4
jq~b<(
bFN.\
:t}Z"_
Xj}cFg
jG|T|
'p,ub
,s -,
qbBrmk5
]e.To
=;qCYb$ 
[4Cj@
!ie#Vo;Q
zc%C1
?0y-^
R1Ku{1
W$l\6
VarFileInfo
Fg)%k
`vector copy constructor iterator'
1!y"!8
t}H-q
\V>MO0
,c>Yx
FO9e!
p-Q\iP
\mpDo
7hTOi/
l&!Jwz
bxGH9
3NdrN
klM}w
`q!7mx
:Ls_,
#o6zTf
H  ~5
f{7UO
|'[)#x
UQPXY]Y[
zeOH+
!]eiDb
bweNP
rPe]4
>cQYa4
qYZF5^
a2MFH
FP,>V
!E'Vf
3Hy=4
ksff~
GX'cI
{"w>5
ProductName
R?2C<
4op"(
XdWbnu
#Qp%A
ds-<{
K@xgs
0@W<7
gc30_HTAqF,WDh
p2.K]"
PU}B$
w|%g?T
!>e-'
W)KNM
e's#yB
*jc33
5!6i2^
`managed vector destructor iterator'
> ZB'
;vd=5
\G;+9
pu9.~
Translation
[%}qg<
Z^7jX
_uXGK
 new[]
"W.L$_
^%6lq
mr'1`
JR.jY
9.&-?
RD :8X
Y\h+*(
~>!2J
6F`1s
?~HA@
)RL9(;
fJL|G
ud0zc[K
Lobb6
kWI0 
xpv:nJh
~*K\H
]t.Uti
4]K:Uw9
T$(;P
m1V9;%(&
)Q*mR
62]9c
+SVcv(
S1IG.l
eyR!M)~
)]C1y
$B*Y}
.=~-7
>ZV<K
h:(U=,
_Y)D(
_bf[V
bQ7D/z
SpU7-
1z_2R-
vwhNk
4&<e!U
T**He
*@]r>
b#4WS!+$
HgK:t
95(/B
~"Tv2&A
<>(7B
T,^B:
U-V96
S 8u*
M_lSd
f8/,0]
HeapCreate
H(}-9G
~BL}\
RvZ'iK
:VJ;j
UI4EP
}vCo'GZcZ
[:O@fS
DyOn?
0"qJ[
)N|t=W
F$sj-
YhlP5@
rfr)Q.`I!O
 X{Xx
.oJy6
Yh\;V(
=6mPwG
o8_L7N
Mv(@Of
!!n..+
xiWb~x
;T$$f
 YTa*J
r8#FHq9
GetLocaleInfoA
td5hVw
K2;7y!
X2/EM
_j;?c#
~cU3V6
i(<V[
&B{;Q
&1Aph
IvHi*
m@c9*
PfqD=
JCK"0
*Bzds
.V@HwU
$_Ob"
_$clO
]C{Cb
A&PE#
R+;Zw
p>O#O+
D:}>'
]DzvP
T5#&B
EGQ(k
cbKIRA
D$<RSP
0a|^Z
*+zib8F_g
:^(>:
y1bbTG
8[Vs`
i?a=%
;-'o>
wjmp=
1sQ(+
3`lIxZca[
m{ezJ
u{1GSW=
;~BM?m
r6PE!hA
%/DS0
jQNRY
n["X9
hh,!b}
-Kax9jg
3%Jv,
SH#tn
da;]u`
C"t:_
@fH+V
"!i'kd
^s)sS
<phTK@X
Hlp.$CI
hh]eP
Gbbf;h
gIr;y
bX$#+K
xkLDj
f'^-!U
xeAeY
r0\OXc
~lI$<Q
e1A<&
;t$,v-
KQE9VxD
lVgIS
#%^a\Q
F9P,[<
I<\qx
f+'lH{Q
:l1j?b
HGM~/
QQSV3
K7J(P
- not enough space for arguments
'Jhq^
;UyFg6z"0!*BkH
8 @Pmp
~8/gq
j.ahA
Eb9A)
&%Q(Y
Xhx0?
Y,;,4
n~,&U5
1;W=vipm
~oiLVacuC
BWgA2
g21@.l
_8_!F6
*bjMd
.AO4w
+{x`{p
]=|3L
%RueUH
SetEndOfFile
!mI4f<T
##M<<nSv P
7G(wo
Xu/'M
nAcg$X
File exists
>k93mj
{cHcb)?C
ri34"@
bAt1-
LJ|/s
.'RTQ
Ups'`
_5vYk
[Saqu
AS+;[
n^f+W
;M3Vz
tr9_ tm9_$th
=:.?p6J",+
+?H[`
~\wuJ
U$%RAo
FreeEnvironmentStringsA
_gdzR
L@.5L
]uq<]3
Hg{OR1^
TZ^*THw
NIQ8a
*E6XpBm
Ju}9]
ecBU4
R6028
 b+;O
3\d/f
GumB9
1I6_`:0=1
0tj9[]
IEF< 
fufJI
H}uG(
xF"E/
*3z%'*
avdYG
!}Q#oA
kB6*o,K%|
N_{$2
Yws6G
D>h:I
i\tfT[(y
s'jLj
WHPZY
o.B%r~
"Va!c
+mqH[\
wP"Al
>*( c
K]543
ksSfTRdF
gt9Cv
"Vc9Q9T
/$t6c
had9%
3Qw~=g
nbY:QDu
8~+O?
PD,.J
#?mI7
}1g|N
SGj~y
kW>Hy
<S'W0
,QN; 
g`.H`
|hQ)F
H Z8x
qh0Ow
^*a[w
awegPr
V~7,d
s|lZ8
;YlhP
*_0s;
^uHG?O
@K2e]
o.#4T
EEc0Hh
!gcR%
|Kq7_y
N?0ld
!$WP`
Gr\^ 
JX1B\
&JlaY
S_tnE
-rm3"
SetEnvironmentVariableA
;2@P4
^hMXp
W^E$=
t\XhT
l)5))
bM`PK
NLz%-,
X(:\?
#Vuog*
((T6n
N)91t4:
NofU;
 =C[;\
Gl;/o
xF32R
R$U!6c
*A$~3
[vj(Q
E:T,y
;,N41
fhO`a_
=.9V+T=
`1F0.
wf=L(
Y!12q
{W/LZ
s>TCh
mYOQv
94unKu
{oK:,>
wm3Cw
xdcPm
95L>B
9,yI?YM
Q]3a>
- pure virtual function call
xw|5D
;}ho{
H5/uaI
_[i^'
QFH,F@'vuA
P=MVH
?WF&#
sC.L4
d@HrQiQD
\XRPhVf
n]7`uw
tO&3t
;VY B
$V)9o
NUBJF
\{Lna
~*:^Z^_
h"AedZ
mVgqW
BXN-(
46dY1
~>Y]B
#Ky<1
t$,PV
><tN$
Fqoz<
;z\S'
UIQY.
yg{\>
a%5gl6;
%>$e=
+goHk
4dTb+
4uVhU
A0SUP
:J2CCm
.=H W
T$9q'
#$Q7E
Lnp4L/0
GetStdHandle
U7Q)9X
U%{g?
xg7\.
QsOiI]i
^PT{yP
 .qE"0
t>9^Y
W-^l00
;8x*h
dvI.x+
_MqS(
XYfHH
jaKHJ
-I:plG
n%tZ1H
i%9}n:F
nb9BNWf
i?e,C
hW\2K1[
1ZOB8
jx_{s
?wAfK/,\
N,_^3
(d E~
~5.rO
VOyC 
hV]Oyd
"W?Xtj
dn0";
M5391o:{
'5@WGlM
G5Hic
9R}h2
:[xt3
G{\/w
'/ca(!
9)X/5
rLE}R
#)KI^P
:Gx9\C
&b/.t
%-02 B
bDx-tx
5Q9Q#
)}],x
U+>'*
UVNHU
t:<wuE
\*67 
'Rp~?
'9Vt,
%3b<mj\
O~bRO
q]@:C
)F@El=
o.?*(
W_9*tm
Qe)PX
,3=L`+is
 $cdb
:*AnGP
F^4B}
9=p>B
;mg('
tBb)-
o1w}S/-
o7;I8
3pHk@
gPL&y)S3
lN;c%
Z(spm
dz+|y'
;P/JW
K[.5)
mGXvz
<jfyh
5:R(k
;'V.3
*I{_,
$rHL0|
pP]Ta
Ze[Zb
+A5#!
3v!dx
@xg5kv
}5V9H
_S/$z]RG
:2@'L
0.uA>G
=9I':
r+:~[Fe
ykMH.
WBiciX-V
~%#=+
-/;"w
)A?[%1
97'oa-
nWC^Z
GPbcb
#H!]G
Ik]UD4
vx^CN
|L@*Z
Q_B+N-
|Iqj9,6}
ts5"xE 
j}xh.h&:
I#&Dd
Wy>SZ
J yzI
Y[*w|q
fz8i)
M3N49P.
4RESn
=Yg`C
-P4;1
euylS
Du>8z2.
bId"Bd
FLHxLk
3h!pH
Sqo:;B3
R`V 6
Saturday
dx9e(4
[W91X?
v.L'6N
o!~T`
KzDc8
Y]pVHFw0
ZYXLc
|n15o
kzhTO
otC#?
oVjaZ
&-%>'
+S=3 
<mD';
1qI"E
c)-)(p&
FQ='E
J>ciZ
zNE8O
x@{\\`
D$0^][_
}]L&x
=_|49h
WriteFile
^@%}u
FK{9^4"
R6017
qTB9[
lNfGp@
eZpKH
+1qYw
?dW=~ZrF
Inid/
V"*{d
h7{QhO
ZBb[3
G.X1R
RtlUnwind
JI#gE%
Oh;O\sN
\~>Q8
4dhW.
700PP
X/ 4V9
QpxRa
UzW7O
Q^a~T
u4r^|
w`j&i
1/?^)
GetModuleHandleA
|/.bK
]07#T
Q@E`m
}AZ9FU}
v`GED\
LLH@;
(M9pY
tv$n,
/_XN^
+rW7+
',3rt
|$ WSPV
/HFSN
oE-EU++
V}{?R
y8y2NA
"b-!N
#FO33
jI;YHI
/][EE
["?Zw
=*/45
*cHB%
AyZ[I
3DL.KV
[q\v7
1R(A<N
?iaY3
f:&F.{
w&;~9B
{X}?{
Y:UDP
{OycM
/?zEn
Vktlq
{WN/:
 n8dA
dCV{y
kjXtk
O(9O$u
`A0IC
22]#><
Aq02i
],T<O
c.4}]t
5ql{"
&dO^ ;
rP#Ip
<aEq&
YPBsy
DShZDW
;sXQ{p[
+b|bQ
]CBbz
8_Bg\
a|9p!V
.E0-!
b#uVC
|U-e4
 'qB|T
Gl_W{
t$_uNY
R.Kkb
.prwr
#@qdC{
ea; C1;
9J*n#
&E@^DrDP
FreeResource
PlJI+
.S@Qi
#uiPh
/hy}Q
AMyc3
&kZ>o
s=2E@zf
M,F@(
TLaMt`
=pimjy2
$ZIL+i
2^6Jm/C
b MUlR
dNf|$
\@*{y
EncodePointer
dWhWq8v?b
f.*w<
4wt11q
'\>D|
Eb:dd
F&XdqEr
"U;Hg
Ju`[W
A=~E#/8
ih~5.
\@-ze
Ub/t^
?aM)1s7D
ye`a'
?LliP
OKhob
W ~W A
wjjt-BYirx
7m?AU
{94zQG
nZjG>Z
10):nG,
hHkO`
yVo:w
K>*XnG
x/ h"
HkTS<
&(kBMt
lI*UZ
"pffp3
`local vftable constructor closure'
8f76AX'
N5rH0P
E^Ab0
3hn]L
D7S$)
@a"sy
@RQGHx{b
 (Q</?C
ZoD`5ug
J>;e8
Ma>cY)M
L6_"L
|e/Kn
Ad(Yc
$t15O
G0Yk_
>sfj^
#T4tb
\9qG<Qd0
NuY-H^
[dzA9
8)JEZ
jHp6,{Jl
ejZ*%
TiS=]$
ST,eg
Fi#z&4
ym,:P&
 MQ;`=
/d;HR
 @Zwh`
7?z88
vzxWr
b05qh
fB\m}]
;58-B
sFAsoa
g:Fg\
>XVP'
x~F\r%
0OXUG>H
e|vAM
.81!.?
_GbG1
fUZl`
u:qzm
q~c['
%~+NCG
[Td,I
-4vo,L
"1YC[\N
"y{vqf
l5@C=
%?u>TE
KK+FT
xy:2>
A~qRv
s$w:w*/
Kq1g`
6=BX9
">:lr0q
:@3|~
sR"h'[
,&,%U
at0n_J
=n/9Dc'
wg<WG
paW>G
g94}M
SwYUB|
2d4DZ
jOYKF
HLIn8
%DMl.
?#gfc
u[;N;
^SSSSS
27JcLou
GetConsoleMode
uNPTk
Vl+Vp
le9d7
kLSbO
q{>Z[
Permission denied
AE_C+
U:E~Y$x
uLVoOwue(k
p2!{-k
@'pg@/(C
fnO{H\
^T\d$
A*}0V
h*Uea
2P/<KP
Uhb$:@/
lcjDC=
%6&0f
1h:A@#
CRQz:#
_9/OP[tB
nUF>>
=]xV`
fa3gb
`."l"
q*m,O
exSEh 
sr{v<kl4
(lQx1
N%h?"
UW_i>
}Fa;kd3
XFI0L
QSWVj
4'Y'h
`h````
P<MaTm
A1mL8H
5p5Y\
<at9<rt,<wt
(r>.oq
>Y;yl
uy]5V
}X|Ly
w8p){
U^~ gL
4@Kvr
Xa5=s}
B-ZX.
80l&8
V_:X1:
]QBN(n
Zy-@V)
FDWWW
BmGt?^v
,$ T=)
IsDebuggerPresent
t`25V
Hpbv!m
}t::n
fPX}7,
&8Vs&
%iM2n
)!)TB
IKO5U
[lv\B
*o)+Q
9=P?B
I$x.j
@XP,2
P&Zr:
wE(b1
#Q-"=U
(qG.gT
kHI{t
jPS6D
9.K2h
FNj[@sjp=P
<QC(71#
+^1kW
n)\X4&
dV:AQa
sbsEA
!lYto
SetFilePointer
>=upF
6YW 8a
`*F#t[
y_QF;q
\KnJD
iQ;?_
dkm)n
;syep
^a$"^f
Hv+bl
Ah=Gr
#<z%j
~&^xf
/"|;J
__\8k
mHwuTs
mpYoi
rYUMu
">}!m
f$:D4
>}@],
w2Y)k
{',Q`
_mv-w
 vPJ|
q,SGg
lrx(4
Hn}kFA
q,6DV
,K-yn$/
<7yGQ
m:D6&
ft:XG
A`qpn
]RbM\
zuC[>
]B6S-
cu<1-Wz%
k,WF0
w6z2R
0MvtT
8 /or
;wJ^_S
7'bSg
g>ac@
+o1f9
)Rh/q
H&DZ@z
Be[8u
x)G5"
[)Ldo
*oyM"0
T_?o^L-
ObzNsX>R
C<~(Ta
8!Se\/U
9'Ao.[
on |9
tWI^;Q
=+GJ~
x*Z;a
&lA%a@
{o*6+T
a-~Ah 
Fd93@e(
8sf0=
TZEoi
kU^j$
eyX-?
ksBN1
FlsGetValue
{4LX+
rJ^Fq
"A$<Y
U:gs+<
W&q&j
nSA9fHy
jx4&d
9z-[wic
j"^SSSSS
gjF}a
Y_^[]
m;'0l
v^NrSkK
b 7d/
(`$eP
_A=T=
u:hdg
/-vC;*
S?`+8`
}r%N+
vQhx5
}(79~
cic1w$z
5zO.3f
cAwh##R
chMhe_
@JEh{
A2WZ.
y\(>T
=DpCa
$rf!~,
yBuN-r
+P,s5
+%UFk
i?^{S
=)zxn
7-r7u
9MW7;XB
poFL^
n#.Y#PtS` 
\pbm(J
'pij$Nvrx
<RHS]}
5w,d_
.17o.
-"VFw%:
.CcCV
`j6hd
vU"<<
ZEw4^
|{-9ZzU
cK3<kjz
oJerC
- not enough space for _onexit/atexit table
(vIWW
=s>&U
tQC5&N*N
 {<j?
zhRr?
I)D$T
6{}Fe0
-_U7SC8
*Fu0hN/I/
E6Y~z
z$hG0
S+W_!
{e"~j
% -iqh
Yx6,B
um(\1
?rV?Qx
6]ot$
0t?Vr
S3t|#S
PPPPPPPP
&:]X+
b5"\S
u^pP8
dK_9Ac
7+Wnu6/
s~jQY
&$`OM]
Invalid seek
`!1J=
iw9'!
Q'!2^
+7Hou
'jy))
Y~k@f
:BrL*
4R-sMj
QMoB4Q
["KsT
:P<nW'
U7l__|
{@Cp;
7I),W
Vkm<f
1_aCZ
g%,4[=
9,"Fx
p0f[e
ZRpYy
+(z-a\
)B"|.
Pxy:-
xG)@9b
GoPC)
[#Gn,:
Nx$;it
J/0?P3,
D/*v+y
>@=_n{
WH!Hq
'bQ.s
sK+Hy
u)!Hil
e,/~F
3o0mH
J>D~ BW|sN
4f:3?
WS6,'
#v`:K
}R4#RwP
=hOv(
{7mv3
j*uyyM/
%A^KV
>0:uq8!>
|1P=3
QmncN
L;J{w`
*ti>4
XQ:Pg
&9j_i
'#I_ oA
t:Zl$
@=ug-.\
ZCW'O
<*=wD
Ov~p"
bp'{4
]5`&w
cFJtZWy
`)n[N
Si6& 
)Nd)Vh
G=+}Z
[HKWH'
N86e]7
CGxt$l1
fDm!Gp
+h],)a
)O3[}
G;.y2
r=C6y
!j0sQ
s7aYD
.Rs]3
Ct97F
rC<=j 
hItOp
svp'!
lJ-'M
-VnJ^r=
>AL4Q
-VMRX<
V7"Rh
A*foV
kAg)i]
3Hr$&9
 PKQpT
z*nYL
!A!_6
Oi1m|
+BgEs
"5eON
)t*^_o
=kyw&2
mr+Uz
=<B4v
I(glr
pNjv9
.1"^0
\I&Nd
q!rw{l9
Dmk6d
JyARA
y|:#,
xAv_?3@
-+`F 
*7Mln
LCMapStringW
$>MPu
.jV>D
~[cW<
iBep52
]6;Ho
(*$AE
eI?Fa.
q!A-\
WriteConsoleW
Sd]jX~
rQC] 
-7uv#
{uXO7
@.data
alB6^
K^%LMe
5nT!*
m|`nf
&H7B1F
]1!hO
gxJ__|
0<uCo
$wDT~
%&u{;
J=~([
*9j:P
R<^hn
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.!)"mk
DCY}{
{a(P9h
zA?wd-R
a|WMV
2aD-s
&aQ1P
4R0Ox4
9FhHj
+i9G6t(
9QJgWQ[
, qpU
\{eIS-]i
t(U@d
;!$:C
g* j'
sG6,k
(2+&X08P
lRfQwPq
?5bJ6
E`3cq
L$pr7
`local static guard'
"BNDr
`1>tK
+T$TN
7 {Fe
B#c}f
`glQ&
cs~y@k
M>-=D
8,6_VJ
#kXEv
?9XY'
TZ;0h/
0ZAm3
(X@$8
Unn&J
xq!n=P
~2#n~
*Q&<-
 1!3&
ksCJW0
NLU3;
H0yT9
ho1Ee
+n"M2R
sKa=1
Gg1|{S
1`4d,
"(]mS
RUKaj
q&,c][
:E#El
e FbG
/Ee=C
Zo/9i
LZ?|t>
fRus)K
=yU/[
&mJEOm>
hL[@t
."Jf>
ET1`RO
49nCX
`placement delete closure'
IT-vh
L:c[.
j&n3_
BX35}5
 =[{ax
K\MU{
c8'y|
|t`0X
WU"~T
c}]4S
7.X4Sf
OB?|U
d<gO:
t.g6,7
__fastcall
zlg%Mb
1FvOa
j>>^7
OLatSY
Se+.B
'P_=I
SQ7Vo}#R
iiOaB
rZ=8P>
"uRig
'[.;8
3@vf{
~<9bD*r
@F*xg
 {aGL
6fdcK
lpX}S
-CuCf
VQzbRD
B7M#I
GAIsProcessorFeaturePresent
T!9as
E#YEn
Ji*P^
)<Iad
!c{Pn
*IG'r
OHNE3
c4Wfm
!ahu?
[!ng)5-
"0usp
4Jq #
 <mepF
N@QPj
L|AkC:
Ql{X)v
N{|bud?|tO
4HA2\U+
Yz*bB
8#d-)
^JyfE
/]Am8
E%J9RK
DUR?M
:zuYU
M[)z`
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
z&eyp
[G.w8q
JR<ub?
Ed1Xl
%7k$DK
y&Um]Yi
L~nGN7
5LqK 
I<RSX
[EZIJ
8L)ag
t-G?,sGz
iRst6
 GD-5
{J8!f2
:R_9v
*OnKD
#SoPZ
+bmr_`
8+lzr
Lc(]0p
3l_q2
{;ptb%L
|rBKU)
4CYa4
Cz7o`A
zCqqNtF
,b2QK
SrL9aB
su<Rq
n)k4`
D>:4:
`(iy3
CO%gA
y;MH0
3 1K$
`vmBI
?D_#!
--UMn
'.yB%
0WWWWW
6J%,V?
]6 ~'
Ta[EM
YQM!M?
uwUmy
Aa7.&||
UDwi%
|Q7/o
LvN#C
3N_(:
?w3yJ~
}}i;k
Vs2Dhx
{?)r*
ECwN_X
} H]CM7
%um2^8)
7=o{9}
GM%^D
:bT|i
?/(:F
:IpQh&`
Fr.O?
I@}3X
JanFebMarAprMayJunJulAugSepOctNovDec
Q(%iM
bk?kh
9X^"J
5VAB^
,s1qIe
2y4B@,:
 NQgL
*x~F~
 5'S;
BPhDVW
Hk^PHs)r
!{NbZ
~/8U`
f[J|e@
vj;X}\
> DYHa
`JQ'uD
MessageBoxA
t4kta+/ftV
"T$3i
[ngYp
2b}bM
ID5tFv
8zj]-
F/4kM>
Dc%--|
}Ty0A.N
r)=6*
%(5Bg
B>de&
X^f%X@
~"22s
^U!sI-
:4.-%X
.5[q)
,UC(=*v
^J7z^
'<)?:m;
/5bp/F
_f1<+Bm
eT6GB`
hzC;4
4nq{Y
IhSb'#
ASn#A
oH4?]?#
~O}mj3
)qja'
x)[?HM
\V6^0
/y)'Y
^WWWWW
u-+&i7
k_ts@[
VirtualFree
H_{ `
Q9qWh%
`e~8[
5x9<}
"[Pr9
>/Qa6
>iWtB
{r[NP
dT6Z8 
?/NH|i
phVeb
:K=_j
?/B(e
9@&YM
E3$MS
3a~cn
gu--3
his\E
el>v{
dW9m';
Y*K$D
AxTIE>
9DE\B
1.6b"
kYpq_=
8U"}W
FN"yx
F(kf]t
)GNeOU
+N/-<phT
'T}jh
7 zCm>`U
k]`Sq
MFiK)
%LMcw
FuUY*nc
!cHec+
A(,~o
K7?B-
XB0fb
$B&8C?
e$E.`z
Mfo0UD*
kOq_sG
_Wh}vV
354"B
6=R j
Q8B!@=1
ns`y>:
y__ND
1+v<]
WU3:]q
AA_M*
u9kpT
4k1c&
R~mcx
XgvNv
Hg%EK
URPQQh
c{cZA?P
FF'm>`
sW!Y>
uYk;U
$&zh0
X9$Ot3
f@}p0
gd)nt]
v{0lG
lBYL|
!(*8Z
2o]:%
>Pzb9
)={)?_RJ
}GRt5
 O6M^}
:4H=]o
H)gp+
,':SK
_>B8k
}@<I~
'[tN^
IT.]R
R~ow{
ktqz+
4z'$`
a&tcY;
PL2qbt
{VLj3
+Pt@1
kk]0-
`aj2Q
31H;h
.w.{!f
mr5RI
Z+7]W
-jz`z9R
|"$YE
aRaUd
D$$)G@
2hbbx?
@&JoC
Egyl|Z
Pw;c@
/[sNa
OriginalFilename
OLEAUT32.dll
Dy&|>
=%uzO
%!nh*fT
_;'W[
&#n2I
#<sE+
K-LvwP
)IW'l
I|A*V
mfP6M
_tac!
Y<K@R
16Ne6}
Rh&k8
ac(Gf
(]:v-nRh2
%DQ8|]
IK1B1
4Ps![E
~9v;0
nWham
4f/%i
&8 S?
 R0sK
{(|OU
0\VSh
ou-u`D=%8
_ApVnx
uxR{KB19
3/"xc
~2rYp
mj>zjZ
InterlockedIncrement
p;WAL
cm>AT&S
-BJ=9
?xV)]
bdbeO
`local vftable'
i,ph#
6+1I@
Uw2q)
AlIMz
R6030
^5CfmU
HA5ce
H,a-!:
W{!#h
oOCrpo
*$:Vr
iWhu9
6Ucnu
p&~kj
'\`wR
p_/c>X
i{8rt
ip7-y
/^yj3
_*e;4
0&@~q
H]hu,q!
qJde%SnX#
4O!Ts&h
z9J,9
5YA)8
6>Lhz
k!Hh4M
ZE1?F
V+N(s@
I70oo
Iy"<A
QZXmZ
,:qB>V
ysu(';
5D)82
C2Zk4
,o8#B
n6lX,
0Od,n
hZsUB
At'>t
v!"o|
{'b:O
ZUM&s
LRYsx&
R6016
njEAWp
!5`i_
>2X\]+
[0~EZ
FIE|ho
<hVI7
hc#"Em
A5DxAI
t\b:I
-X7DX
K}2Ou
4bBJg4
j_0[ L
Q33E9
"6BBR
T^RFt
=d>TR#a
xnBRe
7G";+"Y
^}Nnh
l)Bz5
>beq2
f::Nt
*W@t}
Z;c)@
F9lfY
uGRbM
X1<@WF
9}v[y
[-&LMb#{'
>bY@,
sV%^AQTYZ
,SB9ZF
8R>v+
>e96DV.
USV{T
'L{!8
f`3[RX
+me8|'
PITX{
/W4@Z
]?5om
aFV,h
@!MK$
[dXW"V
TNGZ>
^t;X=l
{)9pQRL
<I%YP
B%R O!$
x:TIE
(S/_~%
]'I{w
Y{%kk
R6025
=7y$,
7axX<
&mJ*f
y(<+x"
m#kAe
ql%94
>cERC
)VShZ?N
AqU!`g
n#k"1
Ez+^=
6r/sX
[RxazpE
$.J3Y{)
T7F=M
nP8al
{8t-w
lo?y$
YeKA!@3:SKRS
DC:ndK
Pq{p%
m$oZ#
y8CsV+Q
w0E^fk
x@XM6%
q@7E8Q|
R&-aEax
j#U#M
yO,o*
\bQZ\
/xf$#
)xh2u
L&4N,d
Yx[57'
n86z8f
SQ-,M
y,F{_
LoadLibraryA
RM[R&j
`vftable'
)D-Q`!
Y#"`s
5>M|+se
}t*hX
<fYr?
0};_i
IEP)R}
TN_gdH
iYcI`
No such process
L2=jI
kpy?b
})9(A:
%xzy)
k(0`,
jv[?!
1MG/hr
|e|rx3
4dhK8
43dpUTpu
)M\6Z4
0m=tM
n6l^l*
EST^Xe
d.?z~
Q1:/zVX
April
KERNEL32.DLL
~I]RC
LPk,C
kZ&lx
>z[Z*
HH:mm:ss
{A035$V
jJ2+?
{UzNJ=
r|-=S2
(F!wYU
d$=Yvk
Q7686
HkE?M
C3G(m=
T7R6R
JWU`{Y+L
aR)7P
/\kJ)vy
o}#|*1
.;aQj
nJa&%X
Te2J 
36Pa]
Ybe~Do
skR=@+
nDK1C
mN,u+
[j9bA
rHds1
`v?6eAY
$vnnH
hXVFG
Q7i[t
@T7[h
Tk1S,`
wBYi9
evUCs
leSa4
%]]*m
4`+`7
zw2 D4
 Base Class Descriptor at (
*S)mkEw
6V$n>
*[P^|m
J%TRJ9_
u";T$
@_Aet
0ASijf
c?-6J
t.O{uD^
oA]|=
kNgunR
2Sf^X
@xc6Ki
@P]5w
XAB>K3
=QT_YsN
=]LK>_~?A
N{}ruD
l&Bfh
YjDslC
3h'K#
|T[kA
 ^T.EQ
Afn!7
omkSn
*Ra9Wl
cerX\
nU$B-
;.8+P8
!QOgd
_"@vB
ry9sIU!
)4[9J89)
0|!'t
%w/U3hS0
%D*97
^oEZ_
#9fVE@
F@Ae,
Not enough space
<<x,Jss5_I
60=i[5
Unknown exception
D'7CwH
UwT{I
XHMiua,
QXeEE
Input/output error
V6P5T=
z] A?h
[Dh]"V
,|{z)%
f`e|v
DAr;&
_A$,7
l.cYAw
NJ2"v
!)z`.
{w=1"
q^DG88
~}g)Uj
/[#O!
pSh!r
1#INF
FH1,T
Z,Y}/
F"sa2
/B1"']Zr
{J`i 
4S`!'
7)w;h
?!Tnl
X@AC8
A_|=@
~`(e14]1E
ss~>6:F
;UfKI
EpKC_&u
J;XY3c
{cF2E
O> p0n
uZ gT
Ol2S!
{8aOE
C1@HW
vx5N=[
x4G_9
<M9)q
         h((((                  H
guk'6:
O2\IA
\h)CiD
an~Hp)
`managed vector constructor iterator'
[bSjGy
XtM0w
']|J!
f x'dAl
1+,[3
SR[ww
nW_,#
zIok/F
A+HNR5
94Rcy[Q
Wl-_D
EC!s"
GetActiveWindow
a,rbY
n&1I'
enhR*
wWF!4CD
#dKG[
=+tgr
A6g4]
Nz$j^
1$3(!
/5J~v
8Qv2'
3_3zTU
mOy\e
7P!M5
i*'FP
l)XtV7
h/>L}
A%SNn
Wg`>t|.
8e\vw
k%C/_
A]sa5
t'>-J
l:er>
5tx_B
G*8~SE
MHh?-H
eR)F/
){<}hN
#UFGe
 q@spN
I4.=>
P#H x;
?Z\oV[
mbaK'g
/tf>L
lm,Lc
Monday
IM?ce
xwj8Z{
k05<(
/K6mH
3[S%Rf
,)GM9
s0h9c
ue+l.2
g"<h.%2
?B=v8]
`fe@"Wk
\#Y$J
#ez^P
T$HRW
CkX6g
f1635c,
+M\2'@
zoP,,0n
GetSystemTimeAsFileTime
?wV2U
sku9N
D:i`EW
AfK"hA*
G(9G,
a(wU=
\xvH7
jhZo`
jyzO_3
1S6WQ[
.U~Wk
 s&32
hZyMf
hNmI,
_][W4
J`oTgJ
x{Sh`
($+VR&
:1"v%
L$,uL
:&9]X
IOL1yO
|sDj!
t%bXG
",CZ9
-T]3T
Rs'EM
Ce:!c
snI'=
__MXF
__unaligned
tOX5h
qssZQ
piIH"
T~}v/fZ
~8H;[0
qua(G
\G_^;o
)NUT'
1'N[%
Ok8CJ!
&oV4J
2$I/}
e)Ps%
pb4zj
xi$6t
Ilijao
|]5t@
';$3{
bg`)@K
ori!Z
`;y6.K
cOpo^
@1b@1
?\@nF
w"oEwT
JDO5h
W`a09
.sL.h$
hKz-g
i;Go&w
cBymh
2pBVY~
k8:6o
I})s%B
`tuiFEce
IsValidCodePage
D6iqC
ZAQ,*
/_aXC}UpY
8L+Dg
I&+.a
~tY-'
O>{!W
H`Li"%+
Mnp D
}Uw4*
#Zh~z
oW05w
- unable to open console device
YxIbu
yP(.'JK
U,".`
u2N6y
q#<8b
SetStdHandle
9FC,m
hePn~
q}c^M~
;*70<
6pMEIk
rtM-IN
r*_h!
|:1h!3
#Sk9!
D|Z%O
V1O#]m4
kkEt-&s
Mu%eGv
)bi@z
rfz$yo
LPlq(
1#SNAN
EovQZ
BwSp?
`s6*[
8@@ZKs,>`e
@Sun,<]}
SVWUj
yMC7X
|{k"`
)4OI<>
@*Od~
SizeofResource
'b{Tc6
mE'L*g
c(T7n
ole32.dll
BHz+!>
dJTjuw
X'|0,
QcGIM
JatL>
j*<o"p
:|*8}
Vj=qK
:_R2H
ADw 7
kPezT
D._b{
MMJ K
!^z,<
_mu0w
a0zED
?w-f_]
C.z&M
#JQV-
QUdsMA
+QSS8
6r,-O
Q[lN6
.Mo'G
g*gdd(
xd]gh
- floating point support not loaded
C.Nh%
|!D1||MTVd
Ib7F=c
kK6&R
*|B_0
3PP62"
lhgk<W 2,
o;|mr
\fkC?I
fuh0Q
q\tG'{
Exec format error
*cj/)
oP_TdzL
\g*{0
CwcyD!
pRdci
sCK_K
)7=5u2
p*]+}_
vtr#zJ
f)BWW\
P"!lZ6
{&j.Y
VS_VERSION_INFO
K+J983f8
q2:}m
TDeQ>;
5LV$&P
]8dmE
}Rfl*#
cKUx8X
^l 6;
e@`NUd`jh
?(42$M
2BeRFw
XWNhLin
TkP=Y
DMr^-
{i#m5d
nT9<X/G
sqoQ*v
V6NB0
 e>_<A
bh/2gb=
3+}ER
^-+m:M
K7+S{
xpxxxx
}u{|:
h?rQ1
B?D@i
85T..
o@jYY
[%Ven8L
7We!o
wnAQq
:=beKs
6;+UPb
E<808
5snq>
6~E\-T
fxLR9
'QHAO
1-Ia@
g35!L
g(W_x
fVtGr
p`wXW
S.m5i
gQ]=d
n4>>0sv
j]?1x
D} &`
AyH~0
MQ?.`
@c} D
!+7%,
n#U?b
x02Z/
ueq"+
NY~V%{
ey}?7
xk^qqn0
,\7}s0if
LaR)M
M9.Qag
}5ZjQ
3nOJF
#2E!r
s; .^
E#'2N^`
gcjBPNM
YR[Ne
nG[R}
_",yS
l0(hp0
>bZDA
-UvtQ
*l6B(
B&3ij_.
|nU58
ZT*@eC(
bOx[12
f)tG9
NXa!H
zzo]=
?+N7_
HO KAwU
& Av1
T]4kiG@
zp<>c
W=t[EU
Rk`q]
:v\fV
SM&jF]
apY'|*/
xl*sZh
T$$QUR
eSMt>Z
*Ntsb
ymOJxZN
([Qz@
wYxM0
Iqo7%
?S9QU
[~G,1k
%Y&0d
i8i?;
fup4&
FlsAlloc
>'wL<
ProductVersion
K42?s&
@a;/n
n&ZD/
 &Mrz
XmHcD
lPP6F
lS,5b
v,Yf}
s0Rs0T'
V16w^
aD=2q
/1[y'
\RWf"
??0P7
__clrcall
Jl?:n
hsL^(
gE4sQH
.Gsa|
NHPWj
U<LXY=s
ab@F7
-Efkx
{(t\;
f)p"o
}fG#"
9Rlb[C
#BO!~
@q>4SP
[X6S<
AP0|b
f/Ycf
- Attempt to use MSIL code from this assembly during native code initialization
H//j4_
FEM2#
 ;30~v
}b2sF
-$](;
tjX7U
i/(-3
B)=F5
TLOSS error
<R0"o0hc
\. V"6X
~6hgx
z/y<#I
y/U&[S
"D\PVK%
r0 .g
3W: ,
0G7\G
:ug=l}
+F$a8
Qetsy
5_c7P
v6^ZTw
F0A?y
4xie:
)=_?U
C=:X1
5dw2>7m
/C)G^
RA!)k
~[BZ.
jO;9eY
l"j$S
i&?M2F
<`4.:
JZV.7T
pT&5R
+>=BN
6fdl\&
&=p<$m
$E yS
q),?u5
>zoV]pb
#h84I
bL<G<
j`Z{p(
`};If
p~Jaf
<v09B
>TQjv
nr1Tj^
TTl@;
5vj],
&>J9/O
N2V*].^T
1L`4m
y,F>:/$PD
)1R; %
T1%)[
W,z8D[
'&[dq
,2X!=g
a9Njk$
*pTi2
R_N#d
(F,MeR
7MF>e
k,]MA
700WP
l "Q:
{hZZ=
Ur0ZW
`OIFP_^
Runtime Error!
\J?}<c[
r+pTf
_w ff
v'R*A
ByX(S
dYw 2
1)]s:
Vc38x#?&
Os2)~{
-Hd]'P
FamR2N
S"g"6
Rgj~U
os)yp
%BBaZX
mw`Nv
:`CJ@
wIVSP
o5=7;)
Ml|x-
dafm9%
_VVVVV
8"(`#`
N5]]a
S#jX}
c+g|s
0yZ4a
AoVQ 
Snuk3
)j'}'
cULg*
6RQ=Vz
/'oPc
;5P?B
agk4Da
c/~ g
1FF4/2nlF
{+ZfAe{,I
m4?)TR
h}7J9
Ot?y(
DNU4N
sIs6Z
WjW+~yL
w&aFI:/
-8mou
EeL+l
=}2Fyz
 delete[]
oScy5k0
__cdecl
,|&gG
\{'u$
GetProcessWindowStation
)*qZg
4{Q}!,
`_ZFO
.MM0&j
=,b^0
Please contact the application's support team for more information.
t0 )VS
k'fW?V
.ThQU
h^<tt
OGo(7;
Y\.elEI
L[h44
`$v}jW
V*hD/#
JFOcs
}";Zi^Z
*3C3!_J
`eh vector destructor iterator'
t[%`6s|
X-aA<
"%%|t
;YHpc 
l6H%m
-j`Xnw
MruZ,I
J[76|M^A
YC,En
+h]nx
5p55t
E&*mi
Sy8_Qq
rF6"\
Kd%l1
XGGDN
C`w=_
D4)C]YR
rXm)s
I?]Hx
xN#zt
qQ4V2
%,Zvv
b78uM
=Lf}26
5q+;Xz
-~x6q
&i*Cg
hOhLL`\9
79GUf9;z)
Jsp3j?
b_)(s
co t>
mnuO 
V|[VD
$5;#_enh
Xr1\D
=2z'S
,iVN9
GetProcessHeap
ygPS9
J`)^h
9@3fy
GetFileType
MTPfE1W2H
Q71oA
d!;@q
{DMXJ
qfiKT
HeapReAlloc
XSX)5
ed@_]
h7qYWC
:gXq7N
L%<Yx
t>g95r
EmD"w
mIOID
`f/.-
$uDSp
x8J3z
iP^;m
W1Dmn
PQ.Yg
e>$\p
~U&qqFr
Rryj#
44W6d
:+rcAE!'
',w'Z
b*UD^U
hoI:r&
1YPHI
"?$pW!
hV4aGo
_ooLj
F\>,R
z`mur
bi!cm
J]/mh
.|@(]N^
2@%T-*x
b}/Urc
v))ilBd&
uRZc.
3U!Uu
yIACY
OlV|%
jZ#V{S<
;[thb|
tGHt.Ht&
4B&om
=&|b&
VC|#a
wBNV#r
$ q!1
OJYE^
8]>Y 
W%'AD
?'A\AX
[h6A5
R5;nb
xrW8>
'[&X\w
_Z8X$L
H?vQ.=
g6"YE
LQ=yI
+L5h-6J
fKW/yZ
e$j>cJ
%lDdTW
5gsz~
Mv?lp
6Z(z;
|aKN@
6ia=d
\?13D
]"60K\
S>ssF
8qvhR
g'r,B
744.246.436.344
=z7vs
cG1{B
h_3("
rr3bM
xX~k&
%2bN>{R
A:V+2N
pn"&NA
WfyI#
6o\LVj
9#w,;
 1QYs'
W:qPEr
gS"FT
e;^jR
 DrYLF
]-s)%;qy
7g ^d
d3` A"sya
-ADEY
'Kzo^=
vO: J#
^c1Ol
ubTdeU
du6$'
rYlB0
X!c1:
z>!N]
ch#x[
H@v2XmY
321I0\
8\5wc8
#a#NNW
Y>>oEZ
 d(`>U
H2**w
!xgcv
,C6+"
F45'-
@<)Hc
''-B1.
YBI-?
^0X|4
sb${h
WQ[Xy
[lB<l
}|Y(~uf
~kN7l]
&U_ef
hBbL&
ey,pd
1Am+b2O]
ASp K)
hAG("
Do;T:
;(yJB
i5wQA
[[rEh5V
0m&^R
<Ax- 
pu`l1
s>hxrf
9W'%Kp
0,51qh0
.bCU|(
c(g\W
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
u/C'C
l6qnk
b"K,.
[5Fpf
ntUsKcRV
I+JS|
xo\IA
izMMP
 vmYF
`grSz+
^,Hn*6O_&
O`-fq
,g"Y>
 =KlprGP
p|VJX
}-}j!
DmF5 
&jpy%
s(JGd
W#IYI,
,|"(#
sy;:2\A
8dHsQt
)+HjLp
m!B2(
:8,q.O
7/k%u
^G<y`5
u\!xA
^i>a=gX
:97m]
kp94n
].R:Z
ASj+Dg
|la]Q
t:;L$
Qc#tb
M[v[t
XE%u}6/
NDSL*
1~Oj`
^q)wD
JjW$G,{
^'G=^^j
|fU-u.z
cEV^t
{%q]W
1.2.3
,d1je<c
dIeTl
Visual C++ CRT: Not enough memory to complete call to strerror.
)Lx9f
Sea|-Yv
8fai9"'z7z
^\Xt>
'D)h01
l|0)Sc
1Tvi*
ek<VByIR
7K)>E
N=:R!
eYCDh
Bp!Ue
?$e:cUX
tn3\L`WW
SING error
Xh7T/w
>7`4D
.nfy 
t`ZnC
*2&?\
h{B&](/
EFz;Mhft2'd,
p >9m
wgd%>
q%/3^ckH$@
)Zy8v
O=}>d
Ml^K?K
:[vQ+
uFmqw
*Y7Q8
6-o,u
Z=1K<
;17z)l
YOzZr
w"J=U/t
7fyS8
/jT4&
a~%dB
eQzRC
lo^$Q
4>lGy
Ps^lcj
1|2e*
zvJ3`
eF$UqN
gqg1}
sN1/BF.
sT(6Y
s710j;#u
(Or2~
Ridh'G
~s+n3
yL6v>
:Hp2=
 (s\A>
Z4saY
aiffK
9z Ci
};{4b$
M%}b]g
(=d`&
I(fP-r
3|N/tr
/!b)0
$'#4*
5<72L
U&UD2 d
z5bAf
"b'Fe
!Y}Ml
G0d]lU
!+8qf;{
$;S#;
3rw?;s
E{U}*
5-9Z0X
hI=a'
A&edd
|E-<*(
HeVxF
^9X]L]{
h\1.(
w(F?VYiy
I%y}9V
q6AE]
br*7g
yNx~[
x#C+/T=Oi
*IpV"
&{aN~
D[o`o
p5&xU
l45T{<
%H"gh
8VI@u
MkNM<
QtiEvFoq
X}Z"H
?Qq*+F
3ig]\
950>B
T .mr
%ic63
o<MNH
P/m+J
bY<kv
OIz4;
         (((((                  H
]y'$(
2e)~Z
9N7Du
Zsy7r
XqoU&g
9`!*F
-p=4_x
?@1aL
01bi*
Uj(OC
;i+<*
fI?fY
G61*Q
iE_W-zh
.'wqr:
v53d1
%W$3GG
Nb"v[
E1e+$y
U>n`u
n*E_B
 Complete Object Locator'
lQ:>`rn&
t((.U
GetStringTypeA
;TV!S
')-^8
DbC{f
9>i(v
]Y6..B
]:|\Y
fQ'^{4i
-wI<9suDUjI
tVHtG
J:2]U_g_
qI9.M
#QXdL
GetLastError
sM_Nu,
Xp9rY
bad allocation
.c4q)J
U%JU@&
J.?Y:J
0gY4:
'g>b@
8bx;=
OP`=M
3rnou0
cbH\9
]t,pdq
HcWln
6(8P}
wt /8
t%HHt
t_Q}|,r
CPqCE
^'`7Ck
]ZTZ0
_*~my
X-cT>
Ge)SK|
~<+~t
+%)T]z,
.89VI
#*lY2CY
bV!NXK
s*pX~3
-0j-^1
H7,5%
TPO ^
pneb}
6fP?FI
`$N $
;|o=e 
9Yz%-XQ
Is a directory
cTa*"
otP3T
A;.@f-
_qJI,6
ehf@eAW
EVgg4
z5PktY
|H~zj
2"}[k' j
oeA@6
]BBY4
1`p+A
kb^!qN
?i.Zi
[Xt3-
qzE\;
[H@Ua
!;_qd
*O&f_-$
ri0>h
/Q^_y
mqaVk
_:r.V5S
l)G[2
@sIbn
6JNOv
I:$0s*0
\N:hg;
Ol3Up
dU%,}
+[`U@
,]?A\
xFh!B^
abcdefghijklmnopqrstuvwxyz
TmG:`>
JX3^nV#
Hq4AQa5
BG~% 
< tK<
Mbf2 F
QnmQN
Db~2C\7y
a73F*
p<O#|$
I,)jBz
w#[[1
>R;r]
;9wcl>
>R^?X
November
;]l(qd
`N7r)
Y(O!Ms
r0f;H
ooAJV
Aas:LK
QQ,G+$
re]Y!A
HeapAlloc
+n3JaJ
{U7p|
lY7Zm2
!.nEV@
`placement delete[] closure'
Q@e1A
SIzv(
'.:hF
~#lBN3)
+t HHt
?#x9M\&T~5
grw*e
j_Qx/e
g ;f2
';-wEi
ic&7=
^'_"D`
Av f0
[">?-
Z)0IZY=J/)VQ
h;x-.
_lsr 
8+Y-|
qsv9K
b?fPPL
V;E4h-
hJ*yG
f+G'|
(]ZQT.
r1PM;L
0Awqz
`Toy&
eXk*>
0aa"w
VNTGU,*.b
}B#<6
q|T?`z8Og
|uQ'~Z@
This indicates a bug in your application.
FD)np)nl
VVVVV
5o55S@
>=Yt1j
'zksE
Xg)@?
6 }DJ
[e#+oku
=T]g(
&tw!<
1uFb)O
#|$F4
I$y#^-g
xhssTt
17x}L
c+?Q=
1~cs 
Yt|WW
F`MbK
oi']`
:'dH=jX
(f!PV
i2HRa
Cy"|x
z:8#y
^IEh(
]e~i;
<1A#a
TDSf|z
H\4Q]
iFJ?f
.B}%v
Too many open files
O$KBB
zv>3w|
SYBvk5
P4z2A
ax6x;
|0@%J
R6024
~s3z,
y9pqZ~?
O*9y]
DRL``~
- unable to initialize heap
wzi,.
n+"^?
Ctpa=
'eMeV
cbZnI
/VL/U/,z
uO=dY
k`e[eg
L Bt|d
XzXBl
!^sl%k
<+t(<-t$:
W?M/`
DHYMB
R*k'"e
DcmNr4xz
I4T?r
p1^aV
z&8h#a
oC'/+
}WAZP
9RjA[wA
PG;Xs
dNU8xa
Fs*%XA
TIH[O#O
b|3+0
v}Yo#`S
Gubg}
I!Ov{
dgfs/(
H*0"ZOW
DW^L-
%dN%$
R'r3*
$'3h#
%i<b:
U~);s
#4izl>N`Xzm
d+4< c
`cwm$!
-GvS8
!k== S
~C{ym/
4uFPG
e8ve`oX?
MTfJe!
-l[qD
\TtW*
.><l[bbT4c
1">us
YD}|.f
63e9_x
6-1rz
!RoN 
WJP4X
Db~+a]
}[Kh\
s,7go
\X!d7a
AX?8b
LeaveCriticalSection
@9b8tL
e"/#"(
:K9kQgZK
vyqF\:L
3~(4E)t
kYSap-R!\IL
~.70BB:&D
O5D|!
()WKb 
040904b0
:EGz`
C`336;
0Y^,w
p ?sm
1t*=-
kRt]X
6orop
cj9y^
PPPPP
1U=tixK
rrv|e
]D4|[Jp'-
=w`f;
}x]*,cy
- %?>
eluqc
h_=pL,2
f?}so
=)HEW@
*UBGJB
U?SE?
H:ph?`
2[X%\
xvUe@
@%1Biy
mEPa)
r.6TU
uu]w{
-*RL=
$%Ik[
gdivc
FindResourceA
"@B.O
kY[5O
CLA.4
GetStartupInfoA
TzVRVU,:
SFj89C,
njuUbl
biUX=_
aiF,<
(:6Wp 
?O`G=
K|+M}
d2xKK
F;9jgB
ez/[V|
]Vs~<;s
!<"PI
Yh5UT
rR8d3
rl=:2
`string'
O>`~s
Y.5Bnls
pKN)@
@[3@d
I\O=k
$MrScl;I
p2gAk
$u~IGK.
#JH8J
"%e_?vm
^m7u4
'bCOK<
}1KnD
XVk$94UNL
xq- ~F
?qka}
ODw|" u4
2'r13
aWv{b
ndi/ BH
L9XDfqC
fCXjM
 Did{
[{u_T
wA8{j
w,bRExk&
5F#-^<X.9
Q8n45
j5Kr)>h_
I]Y(?<KP
o<&m#c
M0]R&
,pZt9%
_d4qI
U|3m/
\)4EIY
3s #W
{DjD`k
$PYv(
`managed vector copy constructor iterator'
h+A4J
6/s'J
IGDj!
VT4"D|Ug&
x]Bhb
Z_L%y
XN=|p
;s*3y
pI?%.pK7
*8IOu3
o8H4]g
a\g26d
jZiVQ
+}-uD^
kIh_u_
5?-MFu
!0qJ-`
k0{y&[DK
'+R97
<+jVI
abt0+
[f;!S
ZyTym|
GetLastActivePopup
AuWHpl
p@[gW/'
_cSKG
j)=;~y
UQUp[
,N1 5W
!UkOO
MG!\-tJ
.'N>/S
GE1tgV
/fMSf7
FileVersion
qgw>9m
5GU(I
V(2DL
[);!/p
_H!I$
Lsuxm__
r!3F:
)*8#j
@mL1f
/s"3I
3"hv*#^K
__thiscall
KEqq9
4"f6j
gWb&|p
XU [9
jg-mo
q$4et
9Ghs%
}y"P.
onn;)
`scalar deleting destructor'
wFV7B9
J4QZO
!|fH)FA{
^6w_Z
tolGs
GjIZ>-
'TtsV
@0:D!B
 GanX
Arg list too long
2FDK]
`virtual displacement map'
y"u@d
bkEDL
AJW`Y*AY
w+OQvr
^&EYq
WBu<5
lfs<DX
p sr0
9zoah
/ubc15v
$yV`'L!
'6m@~Vvm
j?Q&[
Md}i?
.a;l&*)5
w%Ldw
($kP`o;`
WjAFXW
>qD()
sjla~
HsN(D!
XTq6#
V&Tpl
KB6/~
4pHs`%
!Nge]k5
KPt{f
H}3G:
F5ZI{
#v2%p
(+ D_
Invalid argument
%>T)|P|
F@6Wo
6r<_Ug
MM/dd/yy
t1f89
:Ww/W&
9{pZN
o +>:
.1F]j
ua,&!
Yggn0
CNH!2
6n'Sx
0%Haf
3,`;-
dF#`k3
_~[fnO
]L(w}
4hHEn
# .Je
aG:H-
$wSaS
h=cBF
XGh@)
wIq;d
SunMonTueWedThuFriSat
]5prX
QQWU3
`@ue`ev#
JP>z@&kV
|e`0C
OTwEzH
+hXb S
;;WpL
J%AY{-Y
yUR,t[
1A!G2
a[]/%
9}!J>
(yYT9
\9-2eI
>t)>l9R0
)+T)N
h+16>Y
Hu/ "}
wFC,<
>$>p7
UCe&M
pqx3W
tev@&E
VO)n#
i8qTJ
RiOw#
/|^gld
TOpRj
dvr=_*YnR
@8N.~Ot
Q&3]t
sO+43
3P.2:,.x$:
1+G8H
"hm(.
4<0R8
vHZ$xe
me7Bv
:~)4>
xp"(,$
 ,lgO.
0nAU^`
#$e=*
RVw/U
Ldv?Y
p)\ ]a,
G>ydE
0^p1%'
2uK=``af
H|.Ls
y-Y$j>0
zJjDI
 L-elR~dQ
KA9=L
vv@AXLD{
[Q@NH&
n-@&S
#\_Zj
M^4U|
$[UwL
 AP$q
Z5KRg
wWB(k=8
55XiB
?.8H1+-
wme!\G'
skwOF
yX!NB
hS`&P
<program name unknown>
D$ )D$
H'h^-Z
A',>[
y5oRY'
1HVl+
U`5Sl
o^FP LPU
E}X19
X/:z6
-fJobAL
Qw`'+&l3
k,:r%c
lKWhMK
H#e01
p'dH}
T0+A=
[dGw.
0N31:z
6i=|J
o<GyO
1i~loK
{ZrYD3Akkx9
SW4UG
liqnV
L V@k
=RXt,
HjW/v
`)cA^Z
OG39'p4*/
ForceRemove
6<WmH
p*tV9
6_)2y
]Q[ECt
`(cF,
lWr^/
,QDo-
8<PjY
DecodePointer
qcrvNtC
5O<^M
-T~L)
-,"&q
yT1N$
R6033
YZ#?C0
vQ.ps;R
DJy,r
nV3P;
wcrfI
ow@}*
xkbI8
<%hz/
LcU0i
N_nUazF$
se@T]
)uY]t
xmj=F
e2fc_g
,BPm}3
Fga?Y
&5S6C
H<Yo^
/wEiR
.idM*
tS(|$H
)%.kt
\$VK,C
lHME2K
V)dt$e
x|7Gu
}Z)lS
K0bz)a
n:iVo
|jYA.CC}Z
                                                                                                        
78@(*
+;g]s
E`b4z
l26d0
!;2K.
/"~#q
GetCurrentThreadId
L NVb
ExitProcess
sn?(e%e
%3LB-
-&[ U
=;P(qT
57b~V
'ahNN`
#pf$(=D
IO?F=Z
LTl/\!
YVNY#
W`,iW
8IdA(
N;4H"
`local static thread guard'
Q*9To
eZ+!s
y^6r-
%zRp3
,<~LP&
FlsFree
m&pub
P8l;R
4cP37
un9_a
YQ=NP$P4
V H~M
C/xl-2s
iL}<k#~
mm*/C
__pascal
c7d9^
q=vh:@
cX/9`e
FfsGt
82M1R
z?cOF
a})me
V98Pb-
FueB-
J?_kUK
8D2'Z
FV-NV
F6JQeg
Yk#I@
,MVL98
Eu9lL
[|y<%,
"}2Mz
`Rf`k
O-f}Vt
].PM>=[}W
hYfRu\
T|QUG
m\<(D
x5,h2
 Class Hierarchy Descriptor'
WeL[,9
8`X'1
Gn>COR
V/sE\
q?d[9
_sm!r
9Qv:J
6TBwG
#x|x<
;w7jk
hR1q[N
SsXBT
=P5\|
zm;k/
`vbtable'
USER32.DLL
Xqq8i
+-~}6Ok
xS2Maf
nT9{0
t+<Ev
!=y@Ys
.B A/am
3.4v1
3Bt3X
d%;4j
>.Fb1
6q{jp5.
+.l2r
DK3&X+
u1{=y8;9
yS[4hv
0K:?[
?b,b?
u-<9Q
'@UO=
`WYo>
m4a6G}\
Q?tJnx3
jO)IO
^jH'zA
m6TPE/
j0M #
m07<%
,)096
(Tf.I
);*fq-^|
>(Xhd
K~dS5@
`x,>s~
.tg7}=
z'Z^'6J
!YmgCMv
w?!\YE
oj@6<
K\" 5
<M@Z}
92cA9d>
o&<Jc
i'w$y?
l"k!=M
_6LHf
m405.
5.15.2.0
ONCz#
KERNEL32
xhF]V
tO~&4
H];#R
iaZ{8@
1I_|;R}
~nZPv
\<Z:&
+Wz>$K(x
j>,XW
}t[_K
'qqhf/x
\\;+9
Ia*d$q&u
)X$^$
SE[lz
m.}%r
pzl>%
October
!s~uz
^1}(.
Br2%v
I`nY 
L?e{\
1%MLt
A6s2m)
`vector vbase copy constructor iterator'
V4=0c
Okn1V
\3tv,$
|$Dj8
OO\mhZ
B> [:
G}\}I
U@0$Q
4WX]ze
XKbSA
U^Ez\
)8G[G`
UQ~3/
*J%*EC1
/Wp[_
V@WQR
GetProcAddress
t*P_#
EL,6RQ
t8j,D
jK9]J
=%LaS
|d-L,
aovs9
[-vpR
GZiDb
pE//b
5,"!8}
i}Ek![
y`C@5F
eu<*H
Zm){@4
;BfgL
51""*
QvR>7
@mS5#}
"SZs'c
xN;j6
-N0_-AA
643'w
Kl*+0
W$(9x
m_za;
lsuL9E
6Q3CJF
.(NZb$
 $Pq2
giH{6
QJ={0f
X(2a)
t&5b1
Y59}7
E0a`C
Tuesday
UA5=y
 %%@4s
l~q7|mV
Y__^[
2rFjQ}7
z)n{qo;
/Y(Hm"8
W%#bK
M/"37
7xWi_
Z?"r(U@S
xX#w1@
Nq@*pLz
+gnU&6
/^}mB
"K#0.#
u1E6R
DXCEW
nMo}b
,_b%0x
N<a:V=
)GL*l
O0SPQ
CloseHandle
}_54E
y2be,
6b);A
mH~YC
__stdcall
y2!Fz
9`:^<
w)CsW
o\1MTe
s$d*R
 ,&_G
XvOItR
f8ucp-
MZ^?V
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
jTi2R
A/cJq
\U CU
VH=N!
&dkn9
fUKZkS
s"NlxT*9
vS5zj
-o95M
PZ:2m
/M=Hhjp
o6EBX
LXFeQ
kqjr?,u
HByQv
MpG4tp
kOy)Jj
Va%],jHw_D
!_4}^T
%U({C
gl$!h
z0:WZ
=6->)
:m45H]
l.'b*u
 '>?,mDw
`M9UOzfg
NO^~*
.+/or
Module32Next
Tu C5LJ=
*@|+|!
N7}NB
tAo$x
|Fy,9
]qs%L
R\VPo
/gM^&Fn
nWioV
1*@(y
Qh!:F
JBD!^
SI_/8
42hB9b7
7W_()
)mRT%
t4F}3*
u%_r=|a
#>vn 7
u8SS3
I:H)d
O!2dv
1OD$G
]<hs`xSR
U@kGSe
sRRw*
|yQ K
1IUoM
r:gnX>
D$c&^
 K.YRLypD=b}
b@js?y
m7yo>
Wz`%D@
N//*z
Mo;`l
&C;y:
.dyTVJ
xcs,s
rtOLZn<Y
[|(X3@,R
]!aSH+
'kWs~
=utF,
" )q&
T$h9T$
E`\J0.
|:S`.
P=UM51
8I),?
.HX'`j
+E:Ib
tBH??
InitializeCriticalSectionAndSpinCount
'CK=G'k
'E;so
keEXz
W_M7(
zL\A`
rzy*)
C3|pA
/oWVtif
|vd{r
b!w8>
6PLLuT
Cs6c\
F=b\5
zzj] 
}iu|~
rNV"S
Interrupted function call
v^M*[
^19[3=8+
R) 76
J3]M1
l$Jgh
i,x&&
pjyp;
V&\79
`mC$8
~2#{~-q
FqC7~A+
M@AG"
su0#Z
:-m}[
X/qIIuK
nf=W)
@?i=n
4&@z/
pMsjt7
'>w)/
Y1p*fy'
ix_y#
v`wDNB
HTO"`
>A]`R
R5X 9
:ka}y!
#YK\9
c*GDC
v@}b%
StGI@#
's:b0
~Q3p{
tD:.L{b
IrUy8
?0g1\
GAp*q
e'V_So,
N]!u!
5Y1"P
)SN;GEC
,ZIo&[B
]Ov=D
vFj.#
D )\x
MNN~ 
qEjKs
<'KS{
lpLMA
]zq g
*bp*4sV
D"SZo~l#
U?8'b
pJwr6
26cSX
9+.,_N
9$iTWc
RasR#
Read-only file system
2<-5r
\]L|$
|Y#l\
 dn~X
- not enough space for thread data
54z=P|_
r"J9l7
ReadFile
E=WYW.
fE*rU
BHlT-;Kf
zeM\Dr
L9tvn
W")oX
8B6kGD`r
;8qXR
s7\?h9
2'3Gmt
b-`c1\p
e$?k>
SMNN*
6mq~L
Mnf<Jn
'?4Hs 
F"Dd>
(K.n%
%+lPU
q){vf;
mAw88
KXvGh:
`{lH`
GSLON
\&-;mX
lg6W>-
UED=A
:06{dP
jy !s 
_ZjJ.Z
Cv1$di
^=Jg]
y?I<:
!p1,,
Z$shi&
5+kP;h
r69!_
c8@dOz
EnterCriticalSection
>P>~{
CONOUT$
InterlockedDecrement
H8QQW
Mm'X5>N
DinlVE
W/(@{4p
1#QNAN
iB<~o6
fc#DW
lTt8s
?5j[:
%xUesK_6
>Ua0JY
U,HNR
y;YrH
.J8< j
37E@,$1
!6wUl
zgQ}c
NN`VD
~smjt
c_V*.
Q7 |)
>|RjF
#=[1cuB
b3|AR
oQ_|^
yaAR7
?O<$#
99t%e
nRMg{
|aS&=e
I{01Y
]1?:U
[jwu!$o
jB|e|
!VdW@
4mWXP
Tp|Eh
|fwJ]
\<bb}{
1*.#s
[^_7Z
[j@j 
YWB91h
z<5g S`z
*/?F!
T=:Nq
@_R!O/~2
VirtualAlloc
ypX9V
0T>fi
n,-HaFL
AO1yK"P
Yo!-7
v$;540B
Zqze7
~{~rKU
65X75f
6u4dN
yt`*V7
~KB(8&
Po$h$
>BeUC
khaK,
@4.QL
QNuv W
z?-Hy
fH?]SD
X_vXk
/\./$
(Mu/h
"W[i3
97B1I
7Ni[0U
Hnn].
aFLiebp
+dTV\
9l}Jb
o@BuTQ
vIar~
Uyt(Ib^(
yh5G{
#Gytg
'WJ)I0
nvy =rWp
pnpWO
(7M<d
dC*iya[
TP:E[
dcFv(V
Not a directory
$W}IG
I6uU(Uj
0LF91
@#!<'E
B\d5,
O!/4ev
P&-cp4
9=\9B
AeuWF
TDd4;
5Hm50
U#:^u*
A:9V<t
z_1sH/
Lywe@(&
dJ+eq
{lKXJ
TN=+~(?J
g^fLJ\#M}
AZjH_
.##$h&
JxBlO8
mea14
{l>,R
Z(4s:"::7
w^vXy
X{1Rg$0
SStMJR*
]_B%(
rk3)?R
>09FE
uJQ,.
VxlIf'
Wy+ct
93R'j
 A53<n
Hb/|N
&N<^pP2
?Lq|v
1K!~b
O!5,4
M3?7C
3+l1I
8+K),>SU*
-E?Pmw
'v>P0
ar-u!v
rkWjKTiY
R6002
24K84^~
bj;%3
>i!)oA
/b0[, 
te)X_
;QjURyp
|u<m2rr
7V{4E8
GFO|(+
3#|E]
$))$#
}0aCx
9&EcU
]$n+L
@UnfS
2{Yxc
,uY3O
xbNJS
m<r|`
D7{_bv
Ovg0{|
<v$\G:
;r/gK
U`~S,
m.2@<
5ni$D
HAv)w65eJr)
- unexpected heap error
VO`Pj
I}z).
NoRemove
8K=A2
zbh-s
hG9c8fBiwewkipy21WMyZCdnPcF2K
gXc=Y
&Me3j
GetCPInfo
V!!]W
lUUepL
0:/XB
"xn@Y4
O2DEk
0|x#*-;
D`5V^6
?XfE]GG
Inappropriate I/O control operation
7\("e97
VW|[;
 delete
GQw(c@
M56-S
WFR(PZ
E^$tle
K]U>m
|W1K`
?Afmu
9q2g*
\BG;Q
4}X;&[
~>Tbx
C-nVo
I:%vH
Oy`7E
qt%@S
C_cmu
Gi<v&
[Fh+$#w
SkV,vW
*RCLqU
_SGyW
*#])"
eU7n,
Kuc|a
cD~?W
Irvi^f
S2d/h
'I|6o3
Cidi\
8vH_6?68
1z'K4
MO3@L
EA2OhD
D~XBJ$/0
ZT~at=
M6s&$
v1Fe[/
SMdh_'
@j{C2
BU!:J
f/RZ0Wi
|x=iJ
T38`R
t$H;t$8
&M}qQ*J
`3yE5P.
/2 ph
9aM2m
_ubO-
6p<8a4
R6031
+Cg(!
qJw0W
J)\fu
K?;h))
R= &W
D'p[q)NDod
:I&Y+H
=`J@~
eW*u$
-XS#!oV
e,R}bF
`R;z(
tXpC7
+tAaYl&
Directory not empty
S3't5
B[1'T
qzgr_
o[|.0e
pYlV6_L
TkMhx
9V.2,
k '|=
|7/Q<
o_(bj
U$|dN
iwce\~
uT'.I
RgFPk
?W-j*
2'2<2b
WdwF'F
m3|v|l>
iq~8Me
A<|Oys
;L2^6%I
8.Y:x
Yx(Ne
Kk}76
-64OS
\ge'R
lgd};
)J9?d
 Dq_B
/L:Ft(#"
CM.kR
721;)Q
BG)1\
BO{0`
EiA_j4
'KyO&fJ
4.$tU
NY4\Ni
`dynamic initializer for '
U1-% n
L5WC%
[&lRb
:lGU 
6l->+P
V&u*+b\
W-<d0%z
sB(/$
GqA9b
H]IP_#
40A%u
6JrIB
V.D+{
rvClxj
l7Wg37
\T4SI
C5bR6b
~Rich,q
4e1{s
*I_N0
Ai93nH
cNSoV|
uD-oH
2b)'7
jPecT69
5>]wxfp$FA
\RFn<
m]2^}
9^("$
3BvgX
R%n%v9
vKAQG2
L}dsy
FqqA3
VipsE+
Delete
&0SG*
[t^:{
`{*}>
>69Ar
p[UjFP
I5&x~
RSRHL{
Q/aIg
IBJd<x
GW%g 
~\wu(j
Tu9q7
'Xkq?)
bV%W$
jWYg$O
YRkbP
No child processes
$Vc'M
jI;$=>
tH/bn
Y8jck
s]9d(z
nPp _
x=u%>
d;aM_
2pIWq
~Ba]xO
h4w;q
x'USy]
$m[~b
S|Wqj9
^ 0CY
Z9rd4
h#J>C{S
V#Bnrq
0${Rn&
lJ;M9m
d,c3D_
#bML"
`_h~>
5q3Fg
NEZyD#
~eb}y
]S6#0
L'`zRG#y`
tY3~V
%f44b1K
;y!f~
]$CY>
,Pjh+rq
LLf;](
BCrIZ
X@&e:
'(.9o
LCMapStringA
|j@Q4
U$rlxG
!'/J,
&O$/2D
-I#E5
2EH1Y
lv*d_
&|XyG9*
r4%UW
l}D0~h
4gqxL
]oMK%
Cf&,4" o
r<SON
>If90t
0Bc0l
y\gIJ{
2jmOhw
b)!G8
0XW z
:uz1()
ba6X27
1Hu;I
2FTr=
|TmC!M
SUVW3
kxEsDh
3768O
bf?iB
:N3${
KIGQ)
>%1U_RT
XB$*aO
U=IS_}Q
\\;o]
m=7!1
X)Rt_1
W;}1"#
gzWEp
?T4rO
EF!CL
^"Gg`
Xt5CF
B,P_z
b4;{y
?1 ~oU
9V:p@
="eLl
ax1vzI?
ysEWx
o2v#y
O3U.}f
kz6L~
0GN+(9%E~
y3J(6(4
6?(]D
+c<Dp
#y!n6)
4@H+BVcrp
P.qD4
dNd/U~
-{xoi
X<7v.i
gkv|_
QGdw`
*z}y2
3AdcJh
E1*DK5
xnBTu
F[5$V
*2jPu
}])}oq
r\3]5-T*
zl_SZ
lc09t
`eh vector vbase copy constructor iterator'
w,Q:`
T7A*z
cri>{T:
}q;D/C
Y)IT*
\[U'pic
L^rZ]X
EE {B9
Va82d
F7,j\
V$KGO
6d]Ef
}3)nlf8s
"5Yq)]
l5C97
f;j~Wi
1=>K<v
 T*(7
Fid#N
,)NIc
LU1l~
1fjP+
sO:hs
nDBOg2
5`uGY
No such file or directory
TYsUS
z\O^,v
gBhu4
s8jF6
]V1O=6
"NB@`
ZA)K=
&'g?i/
@HUJz
b_)t4
vJ#tf
oE;b<w^
;sy|`
u[mTz
eH+zn
CF{7M
A9{<s
W<=^V&
p@$TT
RH_9y
U=znw
r$-Mdy
m+>BU
+F-eL
r7hep
%H$\X
:i9Sg
&t #CdI
K5x"Q
~$kU.
W|tuK/
$vlW=
DT]*e
OzX"/}
FK7 43
fYtz,
%IJt,
t*9Qlu%
@\)#|8
r]vU-
]NWH7
q-s8ZM
ckhJx
8b@wk
JPGxoC{
q}JG<
%ZRM(
N[3ev
[dW#$
5XBFxq"
U\cTn
o6lQr
P="Qg
")1qa
d>LQ*
2TYn<y
'V8Jj@
5wfsI6
w4*5 @
Fav M
C.2mrN
+>6j&
Bz_;Iy
$gUly
/zY&o
e=.?\
B($*Q
a4uo{
p>67-
vK.#my
 *<J@
-B-Br
VW9r;ZZ0i
]i!%7
rS:? G!
nPKwZ
0ED*p
DSx$m;M
#wS6tis
u(Gf\
S?S"Q[
!wDi2
#+3;CScs
L=Q){
V/w6.
D8X?/{3V
'p-=6
B;Ne 
&IgLdv
O"z`;
w X+I4u
NYCyi1+
g+&Q<
7p/IDd
-n?"H
RP[0h
I5x8]K
<v[1+*a
m1H8fm
FsX/ha
/H([2
=biE:
DXk;L
]kL/,
n=dIZ
@ >"W
5.dV"
6:%|Fnhm
anVn-
"bF2&}
w\'|U
M#Qy4[
$kUh\K}hU
wW^4bHm
do2h*
F"su1/
c.B[>
Sleep
7 \_yb?
uEtBn
1A26b
2`<\F
6Z^OW
8=<>,"
<#B`I
~nEpR
-p:']
h8Ok$ol
k~,}K
>(`)3
w:Xv.
{CnE.
\$Dj8
cJ)N~t
p{\kD
'FXt\
[nlf:
i`%TB
0\{B2
PZtjOs
?+-$z/
T$LRh
u.=K^
sXv+~
tZQnw7~
6pD]1
Kz[>o
3E2Bv
cmX))
?)FS|
!N@GQl
naz#=_
[>#CL
Zw{fa
`/pN(
F7/Rek
h%\^zs
Wednesday
bqaD-
0FmlMFN6[
fi<'~6
9cv7t
si<_O
lc;mp
%C% kE
+wjYM
G0SRP
x1jCY
S_1{5
[6-H/
}Kfbp,
9m<Ad
yW"F]
j0z&N
]nYuy
@cn&o
Izn.t
.!"NZ
pj'm^[
GetACP
v`9/_
{s$46
P!?4n
:53ud
t[J|N9
BtPZ_!s
m34J6P
X37(zd
<s>X(
BDsgk{r
I`9>Oa
uW|<Fe4 
.YT|7
m1'gdd`ZAUmi
- not enough space for lowio initialization
kL^F}
y74=K
<#3r6
.z"z#
WhjO-
f+*|M
N5ttvk
pCat["C
$nhA_1
4j1KQ
sFtmTQ
E40<7k>
Ik/aa\)
:(C--c
' 1Kp
]~j#a
ku"FI
TQ|,f'
M9%$\W
7"'q$
`RTTI
|V}9n
ACgxhc
2lA_P&
hGF#K
A.IG^
n~PEk
\y]|D
H=@:K/qJ
Qc"^,r"%
7p/GIv6:
{~_6jH
B=8Zd
jKJ98R
B?]lLbf
LO5R@
ByVw-eo}
Hy6rlP7
~P/,g1
,Ktvv\
X-3<|
]\.}i=
YVdO=
[g.tf
uSQbx
qV?@7N
[/|61Vl{b=
r{Qdm
}T/CeT
3[C=}0Y
{}wJz.!
Q:])TE
&ETs^i;>+
jGDjf|
7CN^v
hPPO~
je$XhA
|v%pX)S
j&gW[R<
(JRa6S
T\&*,J
>!6W 
Rw^+0[
P[ GD
+MQKN
M7R;S
<.,qQ
`eh vector constructor iterator'
1>-Gpo
/'#SE
i(z:%
# c0`V
{d|{B
Eadp.
H[Ju[|
<~qGanWA
9AFWi
Domain error
8@d[?j
y/Vd~D]
tqwvn
Jxgz8W7MD5ofrLyMoJW.exe
yx<>o
fC)&u
]LUdzx
bqD.3
.Vt6K
=1!lO*
P5e,DC
BzMQ7
wLj% 
qxl],
f'qLV
`.rdata
x+EF(
G6IlFh
:i*UI
%s4[k
t Dd:
Gm,:hl
:&g&.
1g~S8
PL@kV
EFRV*y
y=R/I
1PvNz
oW6UMw>
IA\&I
] YXX2
#0h[_
liHdl
h3_U-
<N?P4Q9S
tcOac~
EQwfj:
x}'1$
cK{QI
omsvu
n\s6J
nh\m5
)dLGO
qH/[Z
QmdRd
(null)
&_#cm=N
[39"X
Lk(Ucu
NVPYPk
\;U]Zwmu
i{#f<
;Kcte
= q!]6
S*IXJ(
0??B}
1m*Yf
?o =@[
Y+:Xp
$au+ 
_~i^((]
`fUWfd
wwP%f
tFwcMu1X1QYzZl
 -&4{
LnTB%
8u,E1
L\Kf6mW
W3,*]
0SSSSS
`u,Y)
[YdxJ
W3LfU
mFur`
- Attempt to initialize the CRT more than once.
i)5zeN
tiUr=^
6O1vm
Tu3*[
lC*1e
5)]Zx
h|n95H
j.)==
]N/|P
p >*B
x v1"
R0[,R
j1g[iU
B8rA37
uMFP]
_c)Fj
k+agt0
y0g^m*T
/\GA)
HB)P*
Z`x>Y+
u{[n]Fk
+W]lKt
 yWtd
G@fQwZ
/0<k+
u?T$:
iqH19_
_Vj$z
)L:/a`
> 'v*
X#)Tz 
K`?KebH
e_3l|
/&|*t
MaC(G
)=JiS
KXV+'
(_UdM
vECI+cV2
8kXY 
}G^WE>
bV.B{
PG,6k
:>,JPf
/7,vk<8
i;S{7
q4Fxf
NNq9aH
)s43$
(omX?Y!
}xAG)
0pfW2y
i3%K+BiC
78W|kI
tEHt1
E/QUsN
sz/pD
 SUVW
Aim$o
.,5P 
F!.v/q
T#z?s
=I^;^
IUKKo
c68G'
r?2|I]
s%,kX5
y69gQ
cJBAg
Pe-.U
Jhr,2{;
&\dw]H
. ~~A
`typeof'
i)buX
TKt>]\
Vh#mXo
pJ&Y^);
SDD/2
h,saf
tNVSP
ZMdfll
{g0ae
Y+~Y!
+TY/R
[h@4K
Tx6G~y
YXJ?u
Et8l9D
^A<L=d~
:78>a$
7B=y`
R[&zz[R
x~^0Q
VEnbL|Q
?I'%]
>~YM(
D<YvQ6
GetCommandLineA
dC:TB
D-[Ovf_Z
YxGb6+4
mm'z_r
b|^x3
6{DW|
4d>/k
j/q0F
H=;6o
A~,#=
:$#"J
o<JU;B
aI4'U
q-I6oC=r
[`Wl/
&cT'/b
N$Ow~U
.<engL
F8v5<
W='p'$
VJgy/
<eBf&
5z45N)8"
7DS+'
o^voo7
|wb6+
Y;5t5K
tW${b
N%&0W:=
8+M%R
u{hS&=O
-?#nd
j:!R*J
`LBKn
00BhR
FL9~Xu
V,pwP
^izka
]-&*Pj'
v:yhW>
7;?XG
1y9c*-
oMd#0
qA$]3
u1n*O
2v0>Q
z#bbq
.;"GJ3
`vector vbase constructor iterator'
GjbDjM3
XdclD
IdewR
|ZNvT
P_~\[
Pj;Li
^&HX=
`mz.n
T^zdL
b4/7*
bU5{e
7)Rc!NyB
sccC8:
xx6_>
Z~hk(
zb4Jb
|8zWLr
*R6B#
xjt,&o5
P2lg:
ex<!a
gJ.J.
|[B}u
MYT`J
]0V{c
0TU_J(
K+.Y@
6f(-?s
lK8mNWl|
 XsU4
rP]&|
l)f#n
KO:1a
?2-e>kn
 ,"j]
*^S!d^
/lgvMI't
\1<+bU`d
`default constructor closure'
$^]bl<DE
7iBVv1Q
7N]_E
sc~Xyk
I1}EK
&g~}Y
qbp6'
g/^+>
<t^27G
Z>}}z
*-cJ&u
F?2`$
|W?%W
=Sc{(.
|[$q(
AaeHgHx
i6z]o
Gh9Ghr
O@;H(s
4C32J
A%Vp?
OpDA$
cw[Hx
_^.Gcb
B\Y G
y*z|2
#U^YZ
"lP.<
]M+_l
kvz~kJ:
`s#XNLq
GAO!f
4GDeMF
u;5Ef
&Y-,+
}J fZ_
.%#&~
TlsFree
fU~w]
&SyJG
ALG)'wn
GetCurrentProcessId
gIUuN
2SQM`
3Aq(?
y(k2,s
!fm*b
bA!e>B
~z1G7
<3nRE
FlushFileBuffers
"(v7F#
<y#yK
qBk]~
13!0Tq 
$7R0v
.?AVtype_info@@
D2*tj
!b0dZ$
.O3]u
m;:"(
P_7>h
3iEks
`vector destructor iterator'
-=jUtX
:WtEYk
X?x8u
sGUa5
0\y#4
a4B)>c
fD!I!
PI{bG
Mq9KH
dc S8y
cfc>b
(Kc,&E
'dooc?
21!AR
_#BhR
yroO?
(8on{
6{7v3/~
`eh vector copy constructor iterator'
I:iVT
sB`46
+A/]I
{N.M@'
WDug.
OleInitialize
HfVlX
cSq43"
@zO*w
'q%B6
hK-s~
g(4QI!
3 (~(
Fp9on;-5f
+o{`#
UF1_`
8dw\{
N$+iv4
Fp;KU
eEk_@
o_;O]
r'8eX
f' at
Illegal byte sequence
9?0_}u
;yC|E
:jX6/a
%C0Lg5
5,lyw
vw~2h
["Df>
;xyr*
5VER3
uHw}A9
?_{o$
86smX
@@C&8p
GQqu8;
dZ+6z|
#A"-Ap
g\U/VZ
bZ5d0
#x 2`
>m&=~H
&@o*V*;h
tL%+Dn
%vooG
LZ)^~u
WWWWV
5rFeW
VX5K6
$\aIA
8s:3{
8Cu(5
0`~0(@
I9__q
,5f\Z
]/]&n
?HL~r
u!;\$
]w(a 3t
~/%)K>.L
Q]d&#
@&7p_
90rawp^
Y*oC?
a:xpOz
{cD^(F
P/7[a
*2vto
( 'D[
Zg7b@
mb2b8h;G
6\4V$
Q{e7E/
R-th>l
.=i,s$
~y/,"AA
K?' '
9`Y7D
gr>e<
{9)3l
&J2OD
:l(a9
lb>+}G
Al(q$!
*Z>;`
kxL<r
%C&`Z
GoXThVD
gy>P!
P&!.]b
{\z]m>
l\RJiro
2;YNS
q'V'$
u"D!D
.K-LB
*M8'_K
ZzbS4r
9P[aY
 P%iP.h
~\0%p
^27q]
Ir!:Q
K5F'/)(>
lzDmz
]v?Px"
j?1l\D
-0&PdI
0:Rw\
TrU2U
uLc/W
^21Uuy
nR;M!?q
3V^Lm
MF5P[
=77SN
y^<m)
TP$3(
hTayS
u5iSNY<<>
v:q9t
l$8+n
r`,e.
Gcc5?
v3=od
]@T2f
LNzK|P
K3mdHx
N 7kV86
2KpI-*
8t=Q`;
dKj,M
wmN_{[
_ ':eu
A1}FO
*IswdsZZ:
-5U'K{
=>2b?
CompareStringA
xw|Jp
[tlFWV
,c>3 
X7dM_I5
CreateToolhelp32Snapshot
7<%[l
kpZYk,T
ZPpdpX
V8WUR
Oc1xx
5,T"t
H)Uvu
tR&FY%
>B{P,
b1#5V
h?Ahea^:,o
bIpyr
P_F~xq
=0w:F
yluU+
<TDt}
vB;"%&M
BIC#m@$C
9+FU+
bp]hJ
fDcn-
C<%D!<7
&_Vao
Dt ,{7"
eiRUp'Q
f!b7lT
'QCbDk
H_R[p
2YgR)
rO%wG
^@L<l%
Aa&<<>hp
XdnaFj|_
No space left on device
jNap(
v$9:lg
s%~9d'
[dHPS
e )Ps
pg$UE
tXr9:q
U1~{N
+W*XO
;D1K_6
3%f.i
hx2EC
Me3.)
q;BEa
"%WiGg
}c$5R
3V0q'
w=P@(>%z'qDk
6ee_m
vXZ !wK
hr7('
E QJK
B)H[n
Mc,]$
,=m:.y
InternalName
MW4X?
=-67R
*+A&/05
4\xAe
YA;W6
m.KE]
:E4lR
UM+1$
`VH0s
1O__x71
l4b}l
;;e,L
Mc)2)
w+qE"
ZGfDe
u|o`3
__ptr64
zhUwg
ThBbv1
riS*G
-x40[&
)<qYO
3DaM+R
bc+\~L
kET|j
B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
wcfrN
&8o5O
96J.2
N(Uh0%
(#tjc
r:m2v
Ph4"B
<A2NP^:
?\>|2lr
7e :1|Tc~
tD%I7
>Rip07
M3e[s
yNHVI
0S<X&1!
C"h:}g
 B%M$j]{oqc
x|,. 
<kp{oc
t{~Bj
k%6a+Zi
lOo)<
Nbnu -
?'WDF
Z}\HP=`g
%I+8)
BtRJZv
~m$;\
d$I9/
cd<<8
gx_K}
kD:U!
#a<|Q
^p>/G
v"|KO
XB?Dq9L3
fVTJ?N)< 
.^ qF
stpr{t
uOO+Z?
!YSFX7@
m~%Ou
N~HP 
\ O,w9
4<Nuzs
DF!{@Q
Bs$]B
0ZXpT2o
MfT_a
rd&r7
d]xNW
R+WR[
=Ri&W
2RW]{
Rm\+M
-|n}-
<aON<
&PRsoq
tvqq|E-p".)
:a>&x
;DRC@
4s[1$
WxM=i,
F_F:[q. *f
X= 9E
ualuU
zA"[0
u9sZd
=Z#?T
'FmNRa
'`zgF
2l?+O
USSNx
s[zLY3b
+94f"
q8jVc
(L +{Xg
HeapFree
~x)]V
dlh(]rU}w
p1;L+
(xov)
ac;M9
ac_f^
RWYmu&?B
ZBbX~
^n*8g
dY*Ru#9
5wo*&
G'~fu
LTxpVu
QzS"X
A/vam
X${U[
w<9G,s
L$(9ODv
D$Tt*;
bL^Y(_
U]y)%
y'(='
8^Cv|!
(*q`z
+E),Bo
Xn{u$
:eJ8I
,>c,q
V4Qi5h
@7>AK
L$4;D$Ts<)D$T
w]lQ.
~^(b~
$L=7h
=>=ea
y=1dAa
3840d
0N'^,
rII^z
rZne<
!6"|J
xy$|v
2*JgN_
G|LHA
}2V`r
L/emEH'
N$lq;W
>_1\p
j@9chs
jumE/
y|;U@"PY 5$
Ed=Qt
M]?.7
3Fh6v
9RdtF
3rI|,
{(&nAwe
7"UHe]
dT/G(
72O]K
-GYyu(
runtime error 
!:YL)
S _k"
R.o=jkc
CoUFI{
<%7!%kNXz
xj$5qc
%$Jx*
%7;t;
QNbSR
hE'i!
v1-_3<
MU_"d0
=6L&C
XxVpLIT3uiUU4
I'2~B
|Gwiq}
}R"kAo@z
?3HM]*ap
xRD=#
G'pD{
l*9&'
L2.H=4`
mBuNE
8c.+4A8
S4[^s
V.Ph>/
~k95,
z?Bra76B*
}Z9PP
?<aS!@
"f8G(
E|}p`v
[n:}\
8B\0NZ
{f3uA
]!L/>
fh0*~4$
w>ZD9Y*
J->U:
6:8?Z
9P+7C
-G/+8
fN{{H
dNnHS
p+}Ux
P`(cH
?2`vg
ntSYo
QA[&{
-:iSB
}YcT`
0?R/KJ
| {?Y
wA') 
m5k2{+07
Jga}[
h{U,K_
JJX~-]
gDMOO
*olvqH
>~EYR
Utz3i
>Ra*`]hq;7(
XJevn
0A}z 
c-a>{
{98f 
]^(w=D<
9WFObd>5
4k&Vj
%S+)k
{, yg 
h,tZw2
<KQQK
m#`fD
6r9#e
uX.]v
t38ck
t\w}m
#Fdg5
@,\uO
tc9hS
nh_,:
$}(6d
N0WPQ
Wl'pa2
fzN[X
@E{9h
G$$5V}
U[55U
@?ac]
z+ 3a
(I!/R
(D)rX
MF-,s
^Y[n^
*i8se
dsC>g
`&\D^
(K?)TDw
-4gY$^
(#NEX
=69hr
~XaDT
cf<B``
PgX_H
Z{+I+.a
040904B0
?>7%QC
=SQ' 
Ai8wa{
YS+$g
SSSSW
x6b+MT
1wsHp
o1$`rA
gc0\zcIa_7Y
4i^FI
vn=AJF
REZ*y\
,a0ma|
@zlKJ
oF(U\
3ddc:
4VC5O\
7w+&z
*,cA^U
[pd}3
^1!//
J9~|GZeH
KERNEL32.dll
%Brn!/
ANb[7
~yi[d
ws<4?
O?rF*
68:d_
=~s$4
5_&{g
yem!f!4
DGoZt 
):H<~
$ND^pY
5SZ$=%
)mOIzL
Resource device
c|$r;.c
4QR19
-b]R}
bGIGA
Q$qTJ
8VVVVV
QN_|Qz
Z:^yY
E5yjIZ
JlKjl
Huk(z|
@kq!m
\T*. 
Lxgl4
efwy1
X]">L
FCIb/
$a:M/
libGLESv2
"V=02
)/9v.[
#Oik>
u.}/b
&39'8
U-gCO
^n`oE
'0?wK
Q_<5g
}Kf.t
O@;H s
Kx#*0
V{:;D
~4P%T
kRU0a
>W^h(
zS78b
<)Zz.
c:u>P
~.S.F
Vu-(tg
[wgG5
,^p`ey
V.LvA
<)AIp
dy,S"
Y:Nbw
i$t3+E>
:2w9q
|%bH{HT
l:f&|`
fEwLf``
s!Zo9
'FH.N
5a1RI
`1X6Q
{)N.o
+'35g
}:_ywN
 ~9,}%
fritk
M1/<N
5QZUs
\d]|Y
q* Nk
=_HoP
M#Xph
G&euGx
9XYm~
-n[tA
=2L]\qI7
X"jac
g[e&8
Lc|C{
"f[.d
S*n3*
%&4<Oq
Xb,izK
^u4QN+sMp
}Tpe"
o$@6jr
W]d9I
J/MTtD
h\.}l
9BPS>
Atyhu3
&&Bal)g
 f(TQ
57#D[
ZL@~no
q3,/}
QWs\fb?
W:Xvc
BqhOkkC
up;P{k
dQ\*"
NTLMI
1RSoH&4)
z;$1J
%^tWv
e5A{(
+ iG_
8BdS|
{A){9
gXPuD
vf>dY
o_Z!%
57ZI^
X&hcY)v
t_=h>
mo(&V%
S`htj
gfKG;]
51qg8
u8g5}(@
9Z|l0
{Y!r)m
Q#?Tr
'X[Ey
/@n@1
d\K0Q_
 8?N\H
a*`j4
k\|~&%
(D`l*
Pd@X%
Zcpu3/
La zC
K(yh=Im p
8@:GrVv
A\'Q8
+18?:4
:F} 4)
x-J`4
7icFx
g9uCgz
L6?y4
.Ysh!
`udt returning'
ux]-&
Lfp~D
S_YS{N
B]=x8
i &'`+
_6hN7
y\CIU
-~$Mi9
 o29G\
 k%-]{
CompanyName
48jP{K9]
,lo0)1
f~Mv]
k>f;g
e uDZ
Z*%]cad5X
XS>.h
@O+W,
=SSe=
7Zv~b
lh!6<
.`2J&
D~<}v
}BPp=,V
:Wfj5
Bad address
'(:kv
.jL2[
SFFf-
['|y_
Q,H.5
(id^_
|?.] ;
jXwwD 
kC]Go
I~ajq`L
oQ3@o#
b^$n"
}Y_v^m
|(f%_
]e1dB
n&@/p
('8PW
H`i"eF
8Tow)O
Fzdys
VIJ`f
AqvXL
MO|O%
z4t/",
3_kD%s"
mKAJ:
_JZ[)
No such device
_@L}&
nAXV^
Sc2'o7
WdCOv
nl[^X
2DEUdkl
;D$8t
Thursday
c~X+M
?"($a
`YVQ@
OLD0IMH
 .^81
ur|*o
*o:CY@4
uc+`S
r.gDH
?kmA:
4(r$\
1g@2>5
U9cWE 
i9SfX.
m'l$v7Nn
:BuBA
[aLH.
JsQy?
tP('*
hA#lXOI[
n^t\[
PpA]B
HSq7A
8+@+s
DYe,a
&^qK0^d
',PN%
MBqQI6
a)]z;
K=Ws(
=90B>
B|?6,
`vector constructor iterator'
8AX@T6
`48J'
OU*o1M
cv<&"
*QD1P5
#&toc
0GaG`=
:/fDC
=V(Bn
V~(KM
-L62<,2
-fGlpM
z&$o,
HHtXHHt
A:fCQV
*wV)y
IP;~/
V4UGs
 '731
,303m
<SUVW
5zt}Db
.]d)B
A4?zL
{tZmt+
 -8@]B
!\ci"k
GetEnvironmentStringsW
ybYCv
7u\i$8
;p.l#
csV9e:'G
9jS\H
TQu6B#u-
%z@0;PX
k;_%H
6IJT^
ccGxt-
}9WF]
@yf3vx^d51
tSrS$
V0WQR
L)Ge[
5z7$1
i#-S6
Jrp}.
K?w;RU;
j:;bB
-n?0!n
73 OH[
/[g'%-i
~A&Ax
^$V>.
92^I%~
C-QH!,
7)^i<
1G77}d~
0uV%xY}
yJi*J
+#8nj
K~b1G
dQ,WueQ
Vs<8!t
0N.ums
_@)R^
VT-Pik6
E'daOD
AA3s*J!
%6fl]
UTF-8
GHtR;
k4M x%
0WR[V
p54Vg
kH(c5t
@<rD#
?opVU
QI>+4
"<Q<l
'nBxhu
h4!hSt
,`y=M
& (/]
\k+>3
U~H>s
MYr_V
#J2h,
M}3xcCE
o${Od
(U_3{
n[9*;
yFCek):7
""<4=
uM|O=
wn>Jj
}T<OI&G
Y~T0rag
+>(x&7A
bTl69
+LXnU?&
?U%A>
WQ*A#
3oO4<U
!Tq\i
RaiseException
iZhB$7.
aM}wT/mz
]j@9u_
g7S![
sWC'i@
Y#s0Z 
I`M5r
`vcall'
_lFs>
@#T#XbJ
{@}_F
#xTSg[
4A)DSo(
oEf-s
"%$t\
;G]<;
DOMAIN error
`l\2x
Qg|z{
Y:&C{
n6rvG
3t%a$0T
UiOT6&
Module32First
`YQ-L
nl-LU
[X4YcM
~~Ks6
ds[84,l
<.#0[
$~,aa7
eKY#o
@Y@PW
Kr|zg#9
t'f(@
GsxGL
4iN\n
|sZp)
<\np,
>^/.g8~
'%d)Q
shUIEQ
xe|1:
TlsGetValue
x,`DPt1
i+/0,i
Q\qF+n
4?fD?
.-MsNm
ewh/?y
Idwx=
:U>33N1s
A,k]8
cRpr6]
6'eLu+
Ci!+J
jj]R,Ai
pTC-N3
Ng,)&
yVZUv
Fte4/
0W"NK
_T.5\#
9L:2v
O>>R{
x661=
~0tGm
@ud2L
hzxf;
WAs?4
H'GMy
6CJ>S
w,:*z
u+\3G+
 ?\QOC
Mh%]R
E+sxt
if8BVT
"+o$7H6
x&N?V
Yr}"a
\z&'y
L6-n;+
m(HHh
iw8:S~0
o-qa0
09B]vl
3x I-
W2'[e
o:\vq
 3^Kn
&tui+
TlsAlloc
<,Y?r_#h
+g@@3
%J6"%
[wi^O
V3"?G
StringFileInfo
=/C4p
}Q0dQq
px?OZc
rZnD(
K2$`(
]*<k|
,rpr%
G}'<:
Y@av]
%)Xy[yz
qqxst
`7Q|8
-I"a#
>zYb+
c'E0Z
vp=v+
iSJ(x
{+,9H^)T
_FtA9NB+
'?fjeKww
C{MJC
dBP+I
sROlM
L`Ls#/!,
+G|a&Y
`RrL@
lM2zT
)^76S;
FlsSetValue
a$L\P
S?>nb
G~"`'R
1Dz"2
X][ZF
@b_yn
"S6U0.:
10%~b
aA-jGN
Wt9T$
7B(!/
[6Bvc
@_YCM
R<z~a
"POis
nZQPl
ue&Rh+
{r{tT5f
z'uy\
e7@zSz
nH;^Z
zFuSr
=A=]&
'f9Z7
yORW`&u
;LW{JQ%
7EO->T
+)S^]D
kN<\Q
;}4+'
L$ H#
5,(UcR
VdLN\J^
1<'uYE
1mpZLd
2S8oT
]0[2h_
{\8R=
#xxm;
GEd:Gu
 qYd)
 tKT`@
%7+#"
Comments
>#L!u
@#[UXk
mscoree.dll
7-Lrq
QmESE
H*cm(
;QQ&\
w)Qr3
%;|X>
P"wS[
0UIR?
k^$^j
6&l-#Bs
NTVBqhB
>zzRcR
Gg>&-aI
0+chg
__restrict
`h`hhh
]9I8R&c
MD)"tv
_[#p';
IvN JNN
gdLN/i
JLd2U
'3]~&9
nTE'^fI
{xmjuI
 Base Class Array'
=m(-]YFW$
${/cW
@W62h
~'Q3e
|f-NB
m^it*
B1uv4+:#c
g6n!Q
GXLGn
wJ]6{
LiE\HE
[3Zq{S
z+UBd0
D_'I4
dddd, MMMM dd, yyyy
hE<uG.z
AFAk(_
P5!5Mp
$`tZ6
p@"0#
k3C)Da
R=&)O
.KnIV
c"s7iT
;l$TsY)l$T
`7yBz
oL)!e
s$(Te
(-"+zS
<VI\g
>?(a0
!lS-s$j
).s'_,Y]
BZkk3
K3ms[
Dju=eG7}n
Lt$lF
L$$J#
^.SJ}:gV:I
yRj?}
m7qJC
w},rJi
Uj(mU
];"e9
 D1%7m
;R/]i
(wrC.IL'W
a^J<P
MR$'=
w)aiu
1OYe[
n5i[q
v-4 <X|
_\bvC3
q5rH7
SLDf\e*
nA2pD
/s2s-L
f9\Q+!
{kXV{9
mx#b5;)
>H>>5
IiGM>nw
WLC#C
Qkkbal
N`iNS
LhNWz
,JKC=
t:bgC-y)
QdMU~S
*,T*{
Bad<U
$<JwLJmK
!H?b~
@}+1'
5~9x'"e
{w&D#
aT<nE
2zN E
-YlQ2m
- CRT not initialized
(12p^
sU'Ny
LYL*$T
DbMT%D
 >jocg
lstrlenA
<'#+`
:OL_{
Lf<=S
nwssDr
)F(E8
n9)=-
[[y 7
$c/Xh
^EFIP
wyxV"Sxhp
EQ@_I2
ky-iC]
,.tQ^G
o;S0*A
4n2"w
A3G4@
JgWRo
G*PfW
sEOMor
hO)Ql
]e[bp
q\uu9
O~4<A
FekRR
\#TPB
1$Sxw
CN]E{
<QQ.3
W8 CE
D;q1o
EjEHD
Operation not permitted
$GgoV
HeapSize
@s@}5
IxH6x
\8F>`
f~~uH
:b\3u
^eVHi
Y|R4q
MQc7_>
tP9?I$R
DHX7#I
p3-,F
lGW<8fh>
\3Gx=
8{hPou
!j\_#
b7+f(
qG@r1K
QmAN%.0
vs*"z9,o
FA1w-zU
xmm!*
a&Q7"?&J
i.x_+Kz
^j3<~
OP!RH
2dM|TT
OVslf
=g?`u
vB}bH
4x0h1
)Vd)Nh
File too large
tI?3/
0A@@Ju
<a3ce
tqpvf
m?i=l
1Ak20
<W'le
\tL{e
A7Z$hT
k!01H
|"Dr~u
tT?/p
9n4u'
C:2|I
M"f?X
qs%~q
N h0%
m267,
|hc~bq
)R7S\
yv"Tv
B[hCQhF
_U6qb
2=wl3
<sWfB
0fAOS
V(x&]
MmOm,
i!yD_
4zXWd
}Z#h= 
Wazr'x
&1s*P8Yg
~]~eSx
9]$SS
bX 0&
}6iK;
92Uz;
m2aI$O_70
LzO2h
z%\W3i
!This program cannot be run in DOS mode.
Nr56.a$
UnhandledExceptionFilter
% 4/b
t^dvt
q l~:
0%=%\
)_NP/
vLPfu<=
m?w'=
%B ch
%3vl&vj
;0EOZ
6i/=)Z{
Q$6?-
uwN;j
W:~@D
!Qo"JZZ
g[}ED
DaTor
YU6K+
,qh /
CKAjIc
byhyg
Program: 
x$%1G
  nT+
cGo[SfH
IM(fLKc=B
9t++q
#;-%S
-Po/k
1u!_1
|H2X6
X.Q"?
lY*Rh
/9*,?Hp)
[C1;<@
e1\m{2
LZFn/
0-8zg
*GYR-
 I[J|V
xVP\+
+EUGR
bHw"4
+DzeBqZS
Es;d`U
{R@^c^
I2Cj{
/D_Z!
6k1U!q
Zu)o1
@PAQBR
[Lk]r1/
pa&vQ
'cQl8
ro>m~N
zxid=95
^S{{a
u~j[9u~
6=To1
x~%aq
$}cF7i
!nd~c
R#666
\I97H
IFe:C>~"
b$E?d#oI
?9UF8
Fm!#,
7^< M
;OgJ&
@PWSS
$$zG4
=@L~5
mT"0d8Y
wHuG+
UWVT&
@2dt}
G%re{
u5HV#X
FYJbEd3|
s$48o
x$rb-|
u=H'~
YHn-EY
LC'rm
{<pbG
@J+O+
b(^!J
3$u:cx
 Type Descriptor'
LockResource
dt%7x
_Mzk)I
.H^vn
Resource deadlock avoided
om"tu/
s~wa}g
.a4YI
a^0=>
SSSSS
2nPv3
EUkOM
G XKo
#-g^|7
n&.FN
G[&3>
my_:S
D6Lsg
9FlB\
R6018
&C>,B+
&:=?V
VfaoIX
z_&c,
{51/<
iw\,]f
qxdJQ&#@O
F;L5tc
dJ~4A
.K~MR
ijz-(
}v_n[C
|JSM-
s"49E
.2IK9
93Dj*s
LRW;u
4>-Mt
Z0%_y
C 3A(O
,R(qgX
{*&QQ
L1gB0$
A-yjl
operator
hJ=` 
?kNc][3
L>,;DX
;i9p''Y
p`y:wq7
h~&tus
u:S/pl
]_IkWG
nz}@[B 
3kYF6
vGj/D
eQUden
iN+(/|
``~ }F
>,T&a
YVZN59vi1PThtLW1VGaeMSrOmoPw.exe
x/ gt
|Q< \
2x$$/$
 <1v[
Xv#7`
3F;ji
akLy.
b*1ck
10rRw
$X<0m
&lgY[
jA&J.
ZkY]>
A{R*$
D'/T9
1uC.u
Mk,yd]
Nd] I
,Z2a(
\<0hVb
=&k6]
>#+I5
;tR<:
-i+<~
}F1K&
cwEX:
ot\e`
"UK|>
&-2E2s
~(9~$u
:M[X?S
qs^PR
om]kr
1k~JC
LPhSr
Rtep`
`qHtk
QqsN^{
bzfzh
dJMie
f6e/E`3 f
JoW> 
bV\,)
R3ob5
 Q!PuRm
dDq>l
z AOx
+R^Q4C
t@k/S
5=mee:
r% ns@A
}pG8S
|r6{k
bts!<
s\kT7
H)U[9$
&}4[(
b tv7
j^d9c
owq|~=
cg9AD;
4%T!kq
8$hYVN
`1Hho
9CCbX
Q*6OP
6wBn`
+|RqTl
Y =Wm
j5"+[SW
"M^9@
_|Z  /(
kxekeYH"
dYm@=
Filename too long
z5,D_
L+?;.
;TiXw*
Mp;9}E%YZ
z~@*%
#;ORv
$-@Qd
NB1W)
St-z1G
<6Yd#
x}at`K
|dTZ81
MdJa|
g#MT3
VlX%^B
March
+AV)C
$}b'AT
&b>y3{
Auo`So.|
H=]tw
wlM.INbW
w5#Y@
Y4j.Rd
+@.#D
3~n_R}
6bo3s
 miX}
"OqLr
g3((yn
m,A6m
FTc&pA
*xjI!f
[qSrsh
!7E)v
a,WGlx
>n\C$
E!l-)W#<KNm.
,3OD;
y=KIQ
R6019
4,@cC
>bbT]
JF.R>
P4pZ[
,eimu
w,aT:
F\<wu
ylv94\
nef&R
!Cd?nf
`oS_S
k#47*
aYI1x
'RW0>Hq
95(6B
fflfXu\
bpe0[#?
wX7WX@
?nB~(
X+@v{
?#avA\
Kl:}Qg?
3vwQx5
-n(f|
@2S8S-O
4DQPwW
red6e
o8jkZ
EMLjJ@
f5vDx
BLlw\/
Bi(VY
g0RJ0
5j/64
,%lf.rX~
VYpK\2if x
M;,2k
VjVB/d
60%kD
pBR}h
""%DO
;w?f9
|m!YQC
-o+.G-9(
k;mi$
*y.W<
R6034
6Gf)3
/Pk3Ro
6R26!s
DJpA6
(WAQb+
v=?O%
fTOE0Yr5BX6hY
zs^I7
( 8PX
1 c,e
hh"O,z
~_H M^m
u,]EDr
lUvQA
."+.*
:aEX*
*0\uw
Sw<{M
*fc4V
 $P{ 
hCtV8
Zc+J5C 
Z9cqD
\mj=OEYk
q/DSn
~jC7>Mb
pyeW;
xW&-m
- not enough space for locale information
IWRvP
UdTg6d

PE Information

Image Base

0x00400000

Entry Point

0x0000cd2f

Min OS

5.0

Compile Time

2012-07-13 22:47:16

Import Hash

bf5a4aa99e5b160f8521cadd6bfe73b8

PDB Path

FileVersion	5.15.2.0
OriginalFilename	libGLESv2.dll
ProductName	libGLESv2
ProductVersion	5.15.2.0
Translation	0x0409 0x04b0
ProductName	fTOE0Yr5BX6hY
CompanyName	tFwcMu1X1QYzZl
InternalName	YVZN59vi1PThtLW1VGaeMSrOmoPw.exe
LegalCopyright	hG9c8fBiwewkipy21WMyZCdnPcF2K
Comments	XxVpLIT3uiUU4
OriginalFilename	Jxgz8W7MD5ofrLyMoJW.exe
ProductVersion	744.246.436.344
FileVersion	497.22.962.278
Translation	0x0409 0x0514

Name	RAW Addr	Virt Addr	Virt Size	Raw Size	Characteristics	Entropy
.text	0x00000400	0x00001000	0x00019718	0x00019800	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.75
.rdata	0x00019c00	0x0001b000	0x00006db4	0x00006e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.44
.data	0x00020a00	0x00022000	0x000030c0	0x00001600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.26
.rsrc	0x00022000	0x00026000	0x001d972c	0x001d9800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	8.00

Name	Offset	Size	Language	Entropy	Type
RT_RCDATA	0x0002613c	0x001d90db	LANG_NEUTRAL	8.00	None
RT_RCDATA	0x001ff218	0x00000020	LANG_NEUTRAL	4.88	None
RT_GROUP_ICON	0x001ff238	0x00000006	LANG_NEUTRAL	0.65	None
RT_VERSION	0x001ff240	0x000001c0	LANG_NEUTRAL	3.27	None
RT_VERSION	0x001ff400	0x0000032c	LANG_ENGLISH	3.73	None

Address	Name
0x41b000	RaiseException
0x41b004	GetLastError
0x41b008	MultiByteToWideChar
0x41b00c	lstrlenA
0x41b010	InterlockedDecrement
0x41b014	GetProcAddress
0x41b018	LoadLibraryA
0x41b01c	FreeResource
0x41b020	SizeofResource
0x41b024	LockResource
0x41b028	LoadResource
0x41b02c	FindResourceA
0x41b030	GetModuleHandleA
0x41b034	Module32Next
0x41b038	CloseHandle
0x41b03c	Module32First
0x41b040	CreateToolhelp32Snapshot
0x41b044	GetCurrentProcessId
0x41b048	SetEndOfFile
0x41b04c	GetStringTypeW
0x41b050	GetStringTypeA
0x41b054	LCMapStringW
0x41b058	LCMapStringA
0x41b05c	GetLocaleInfoA
0x41b060	HeapFree
0x41b064	GetProcessHeap
0x41b068	HeapAlloc
0x41b06c	GetCommandLineA
0x41b070	HeapCreate
0x41b074	VirtualFree
0x41b078	DeleteCriticalSection
0x41b07c	LeaveCriticalSection
0x41b080	EnterCriticalSection
0x41b084	VirtualAlloc
0x41b088	HeapReAlloc
0x41b08c	HeapSize
0x41b090	TerminateProcess
0x41b094	GetCurrentProcess
0x41b098	UnhandledExceptionFilter
0x41b09c	SetUnhandledExceptionFilter
0x41b0a0	IsDebuggerPresent
0x41b0a4	GetModuleHandleW
0x41b0a8	Sleep
0x41b0ac	ExitProcess
0x41b0b0	WriteFile
0x41b0b4	GetStdHandle
0x41b0b8	GetModuleFileNameA
0x41b0bc	WideCharToMultiByte
0x41b0c0	GetConsoleCP
0x41b0c4	GetConsoleMode
0x41b0c8	ReadFile
0x41b0cc	TlsGetValue
0x41b0d0	TlsAlloc
0x41b0d4	TlsSetValue
0x41b0d8	TlsFree
0x41b0dc	InterlockedIncrement
0x41b0e0	SetLastError
0x41b0e4	GetCurrentThreadId
0x41b0e8	FlushFileBuffers
0x41b0ec	SetFilePointer
0x41b0f0	SetHandleCount
0x41b0f4	GetFileType
0x41b0f8	GetStartupInfoA
0x41b0fc	RtlUnwind
0x41b100	FreeEnvironmentStringsA
0x41b104	GetEnvironmentStrings
0x41b108	FreeEnvironmentStringsW
0x41b10c	GetEnvironmentStringsW
0x41b110	QueryPerformanceCounter
0x41b114	GetTickCount
0x41b118	GetSystemTimeAsFileTime
0x41b11c	InitializeCriticalSectionAndSpinCount
0x41b120	GetCPInfo
0x41b124	GetACP
0x41b128	GetOEMCP
0x41b12c	IsValidCodePage
0x41b130	CompareStringA
0x41b134	CompareStringW
0x41b138	SetEnvironmentVariableA
0x41b13c	WriteConsoleA
0x41b140	GetConsoleOutputCP
0x41b144	WriteConsoleW
0x41b148	SetStdHandle
0x41b14c	CreateFileA

Address	Name
0x41b17c	OleInitialize

Address	Name
0x41b154	SafeArrayCreate
0x41b158	SafeArrayAccessData
0x41b15c	SafeArrayUnaccessData
0x41b160	SafeArrayDestroy
0x41b164	SafeArrayCreateVector
0x41b168	VariantClear
0x41b16c	VariantInit
0x41b170	SysFreeString
0x41b174	SysAllocString

Processing 92.46s

62.549s CAPE
13.274s BehaviorAnalysis
9.96s NetworkAnalysis
6.619s Suricata
0.052s AnalysisInfo
0.002s Debug

Signatures 7.91s

2.685s antiav_detectreg
0.942s infostealer_ftp
0.875s territorial_disputes_sigs
0.563s antianalysis_detectreg
0.529s infostealer_im
0.265s antivm_vbox_keys
0.161s infostealer_mail
0.158s antivm_vmware_keys
0.155s masquerade_process_name
0.152s antivm_parallels_keys
0.117s antivm_xen_keys
0.11s antivm_generic_diskreg
0.104s antiav_detectfile
0.078s antivm_vpc_keys
0.069s uses_windows_utilities
0.066s suspicious_command_tools
0.051s antianalysis_detectfile
0.051s antivm_hyperv_keys
0.051s geodo_banking_trojan
0.05s antivm_bochs_keys
0.05s infostealer_bitcoin
0.043s ransomware_files
0.042s antivm_vbox_files
0.039s bypass_firewall
0.031s qulab_files
0.029s antivm_generic_bios
0.026s ransomware_extensions_known
0.022s poullight_files
0.021s limerat_regkeys
0.021s recon_fingerprint
0.018s ketrican_regkeys
0.018s darkcomet_regkeys
0.017s antidebug_devices
0.015s remcos_regkeys
0.013s antivm_vmware_files
0.011s warzonerat_regkeys
0.01s network_dns_url_shortener
0.01s medusalocker_regkeys
0.009s antivm_vbox_devices
0.008s packer_armadillo_regkey
0.008s reads_password_database
0.007s suspicious_tld
0.007s rat_pcclient
0.006s accesses_netlogon_regkey
0.006s antiemu_windefend
0.006s odbcconf_bypass
0.006s checks_uac_status
0.006s registry_credential_store_access
0.006s discover_registry_mount_points
0.006s accesses_office_username
0.005s accesses_sysvol
0.005s nemty_regkeys
0.005s obliquerat_files
0.005s sniffer_winpcap
0.004s network_dyndns
0.004s antisandbox_threattrack_files
0.004s file_credential_store_access
0.004s registry_lsa_secrets_access
0.004s cryptbot_files
0.004s network_tor_service
0.004s dcrat_files
0.004s warzonerat_files
0.004s remcos_files
0.004s targeted_flame
0.003s network_cnc_http
0.003s antisandbox_cuckoo_files
0.003s antisandbox_fortinet_files
0.003s antisandbox_joe_anubis_files
0.003s antisandbox_sunbelt_files
0.003s antivm_vpc_files
0.003s banker_cridex
0.003s browser_security
0.003s disables_browser_warn
0.003s driver_filtermanager
0.002s network_torgateway
0.002s accesses_public_folder
0.002s disables_backups
0.002s echelon_files
0.002s revil_mutexes
0.002s modirat_behavior
0.002s spreading_autoruninf
0.002s ursnif_behavior
0.001s network_http
0.001s network_open_proxy
0.001s procmem_yara
0.001s accesses_mailslot
0.001s writes_sysvol
0.001s antiemu_wine_reg
0.001s antivm_recentdocs
0.001s gulpix_behavior
0.001s banker_zeus_mutex
0.001s bitcoin_opencl
0.001s enumerates_physical_drives
0.001s browser_addon
0.001s uac_bypass_cmstpcom
0.001s clears_logs
0.001s powershell_renamed_commandline
0.001s file_credential_store_write
0.001s cryptomining_stratum_command
0.001s disables_power_options
0.001s disables_run_command
0.001s disables_smartscreen
0.001s disables_startmenu_search
0.001s disables_system_restore
0.001s disables_windows_defender
0.001s disables_windows_defender_logging
0.001s removes_windows_defender_contextmenu
0.001s apocalypse_stealer_file_behavior
0.001s arkei_files
0.001s azorult_mutexes
0.001s modify_oem_information
0.001s modify_security_center_warnings
0.001s network_dns_opennic
0.001s network_dns_paste_site
0.001s network_dns_temp_file_storage
0.001s network_dns_doh_tls
0.001s office_security
0.001s persistence_ads
0.001s persistence_rdp_registry
0.001s persistence_shim_database
0.001s ransomware_extensions_generic
0.001s ransomware_radamant
0.001s satan_mutexes
0.001s crat_mutexes
0.001s lodarat_file_behavior
0.001s rat_spynet
0.001s xpertrat_mutexes
0.001s removes_startmenu_defaults
0.001s spicyhotpot_behavior
0.001s stealth_hiddenreg
0.001s stealth_hide_notifications
0.001s stealth_webhistory
0.001s tampers_etw
0.001s lokibot_mutexes
0.001s web_shell_files

Reporting 0.38s

0.377s JsonDump

Signatures

Checks available memory

Queries computer hostname

Queries the username

Queries the keyboard layout

Queries the computer locale (possible geofencing)

The PE file contains a PDB path

pdbpath:

A file was accessed within the Public folder.

file: C:\Users\Public\Downloads\*

file: C:\Users\Public\*

file: C:\Users\Public\Downloads\441ebb83624b0b

file: C:\Users\Public\Downloads\RCX5C58.tmp

file: C:\Users\Public\SystemResources\msedgewebview2.exe.mun

file: C:\Users\Public\Downloads\msedgewebview2.exe

file: C:\Users\Public\Downloads

file: C:\Users\Public\Downloads\RCX5B1F.tmp

SetUnhandledExceptionFilter detected (possible anti-debug)

Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution

command: "C:\Windows\System32\cmd.exe" /C "C:\Users\cape\AppData\Local\Temp\IMjSYhT8km.bat"

Possible date expiration check, exits too soon after checking local time

process: powershell.exe, PID 3596

Checks system language via registry key (possible geofencing)

regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU

regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU

Anomalous file deletion behavior detected (10+)

file: C:\Users\cape\AppData\Local\Temp\RCX3072.tmp

file: C:\Users\cape\AppData\Local\Temp\RCX3239.tmp

file: C:\Users\cape\AppData\Local\Temp\wQLGPu91Uq

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_ab2mmmlk.eny.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_jwhrza5k.xge.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_guit3no5.0dq.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_24ffz0eo.bdn.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_wrefbbmw.er0.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_bsrf2pai.kew.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_kaprrb5w.qee.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_3xh1bvfz.3dp.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_05pcje4g.qfk.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_pqhbc0k2.am3.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_r0hrvezo.u2n.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_0wnuplft.kc1.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_n3ecg4wk.v01.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_aoj0euxm.0vz.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_5qom1nq3.s2n.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_drr1vdji.x04.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_x2qdsu4c.iic.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_y1n3c0hs.uzj.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_t0crgahm.l5e.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_juqnoqoc.g4z.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_34fs34hk.hxy.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_dnlnomdl.a4v.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_42akvxyy.had.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_nqbxirxz.2pn.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_nkbilvuh.55p.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_dabnzqnf.lni.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_ibzonsf5.pty.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_q4y0qetn.4x2.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_fwegxp4c.3lk.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_xycr1kwh.bia.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_l1n3ntvt.qgd.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_0y0izcr1.cgq.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_3omthraf.xje.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_egfuysds.53k.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_hs0k3aav.yqj.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_ecqm2vl4.b2p.psm1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_0ry005l1.f54.ps1

file: C:\Users\cape\AppData\Local\Temp\__PSScriptPolicyTest_asxvh2ut.bcn.psm1

At least one IP Address, Domain, or File Name was found in a crypto call

ioc: powershell.exe

Creates a process in a suspended state, likely for injection

Resumed a thread in another process

thread_resumed: Process svchost.exe with process ID 752 resumed a thread in another process with the process ID 3644

Enumerates the modules from a process (may be used to locate base addresses in process injection)

module: pid 7508 module ntdll.dll

module: pid 7508 module KERNEL32.DLL

module: pid 7508 module KERNELBASE.dll

module: pid 7508 module apphelp.dll

module: pid 7508 module CRYPT32.dll

module: pid 7508 module ucrtbase.dll

module: pid 7508 module WS2_32.dll

module: pid 7508 module RPCRT4.dll

module: pid 7508 module USER32.dll

module: pid 7508 module win32u.dll

module: pid 7508 module GDI32.dll

module: pid 7508 module gdi32full.dll

module: pid 7508 module msvcp_win.dll

module: pid 7508 module ADVAPI32.dll

module: pid 7508 module msvcrt.dll

module: pid 7508 module sechost.dll

module: pid 7508 module ole32.dll

module: pid 7508 module combase.dll

module: pid 7508 module OLEAUT32.dll

module: pid 7508 module SHLWAPI.dll

module: pid 7508 module bcrypt.dll

module: pid 7508 module IMM32.DLL

module: pid 7508 module CRYPTBASE.DLL

module: pid 7508 module SspiCli.dll

module: pid 7508 module kernel.appcore.dll

module: pid 7508 module bcryptPrimitives.dll

module: pid 7508 module uxtheme.dll

module: pid 8632 module ntdll.dll

module: pid 8632 module KERNEL32.DLL

module: pid 8632 module KERNELBASE.dll

module: pid 8632 module apphelp.dll

module: pid 8632 module CRYPT32.dll

module: pid 8632 module ucrtbase.dll

module: pid 8632 module WS2_32.dll

module: pid 8632 module RPCRT4.dll

module: pid 8632 module USER32.dll

module: pid 8632 module win32u.dll

module: pid 8632 module GDI32.dll

module: pid 8632 module gdi32full.dll

module: pid 8632 module msvcp_win.dll

module: pid 8632 module ADVAPI32.dll

module: pid 8632 module msvcrt.dll

module: pid 8632 module sechost.dll

module: pid 8632 module ole32.dll

module: pid 8632 module combase.dll

module: pid 8632 module OLEAUT32.dll

module: pid 8632 module SHLWAPI.dll

module: pid 8632 module bcrypt.dll

module: pid 8632 module IMM32.DLL

module: pid 8632 module CRYPTBASE.DLL

module: pid 8632 module SspiCli.dll

module: pid 8632 module kernel.appcore.dll

module: pid 8632 module bcryptPrimitives.dll

module: pid 8632 module uxtheme.dll

Reads data out of its own binary image

self_read: process: 2026-04-28_1db227e867a99.exe, pid: 7508, offset: 0x00000000, length: 0x00000040

self_read: process: 2026-04-28_1db227e867a99.exe, pid: 7508, offset: 0x3030785c3030785c, length: 0x000001d8

self_read: process: 2026-04-28_1db227e867a99.exe, pid: 7508, offset: 0x3030785c3065785c, length: 0x000000f8

self_read: process: 2026-04-28_1db227e867a99.exe, pid: 7508, offset: 0x30785c0a3030785c, length: 0x00001600

self_read: process: 2026-04-28_1db227e867a99.exe, pid: 7508, offset: 0x30785c3230785c78, length: 0x00000188

self_read: process: 2026-04-28_1db227e867a99.exe, pid: 7508, offset: 0x3130785c3864785c, length: 0x000000a0

self_read: process: 2026-04-28_1db227e867a99.exe, pid: 7508, offset: 0x3430785c3030785c, length: 0x00019800

self_read: process: 2026-04-28_1db227e867a99.exe, pid: 7508, offset: 0x6339785c3030785c, length: 0x00006e00

self_read: process: 2026-04-28_1db227e867a99.exe, pid: 7508, offset: 0x6439785c3063785c, length: 0x0000001c

A process created a hidden window

process: 2026-04-28_1db227e867a99.exe -> C:\Users\cape\AppData\Local\Temp\IMjSYhT8km.bat

process: svchost.exe -> \\?\C:\Windows\system32\wbem\WMIADAP.EXE

Performs some HTTP requests

url: http://i.pki.goog/gsr1.crt

url: http://i.pki.goog/r4.crt

url: http://i.pki.goog/we2.crt

url: http://i.pki.goog/gsr4.crt

The binary likely contains encrypted or compressed data

section: {'name': '.rsrc', 'raw_address': '0x00022000', 'virtual_address': '0x00026000', 'virtual_size': '0x001d972c', 'size_of_data': '0x001d9800', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '8.00'}

Queries registry mount points to identify historical or connected removable/network drives

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{c48439d1-0000-0000-0000-100000000000}\Data

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{c48439d1-0000-0000-0000-100000000000}\Generation

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{c48439d1-0000-0000-0000-100000000000}\

Creates RWX memory

A scripting utility was executed

command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\cape\AppData\Local\Temp\2026-04-28_1db227e867a99.exe'

command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\sqbmEUPTwi\CAPE\msedgewebview2.exe'

command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'

command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Temp\OneDriveStandaloneUpdater.exe'

command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\5o722xtn\prescripts\SgrmBroker.exe'

command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\\x412\x441\x435 \x43f\x43e\x43b\x44c\x437\x43e\x432\x430\x442\x435\x43b\x438\Memory Compression.exe'

command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\5o722xtn\dll\csrss.exe'

command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\\x412\x441\x435 \x43f\x43e\x43b\x44c\x437\x43e\x432\x430\x442\x435\x43b\x438\qemu-ga\conhost.exe'

command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\qemu-ga.exe'

command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\msedgewebview2.exe'

Uses Windows utilities for basic functionality

command: "C:\Windows\System32\cmd.exe" /C "C:\Users\cape\AppData\Local\Temp\IMjSYhT8km.bat"

Attempted to write directly to a physical drive

Touches a file containing cookies, possibly for information gathering

Process: powershell.exe (5200)
file		C:\Users\cape\AppData\Local\Microsoft\Windows\INetCookies
Process: powershell.exe (3488)
file		C:\Users\cape\AppData\Local\Microsoft\Windows\INetCookies
Process: powershell.exe (3596)
file		C:\Users\cape\AppData\Local\Microsoft\Windows\INetCookies
Process: powershell.exe (3404)
file		C:\Users\cape\AppData\Local\Microsoft\Windows\INetCookies
Process: powershell.exe (7728)
file		C:\Users\cape\AppData\Local\Microsoft\Windows\INetCookies
Process: powershell.exe (7496)
file		C:\Users\cape\AppData\Local\Microsoft\Windows\INetCookies
Process: powershell.exe (5144)
file		C:\Users\cape\AppData\Local\Microsoft\Windows\INetCookies
Process: powershell.exe (7548)
file		C:\Users\cape\AppData\Local\Microsoft\Windows\INetCookies
Process: powershell.exe (6384)
file		C:\Users\cape\AppData\Local\Microsoft\Windows\INetCookies

Installs itself for autorun at Windows startup

regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost

data: "C:\Users\\x412\x441\x435 \x43f\x43e\x43b\x44c\x437\x43e\x432\x430\x442\x435\x43b\x438\qemu-ga\conhost.exe"

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveStandaloneUpdater

data: "C:\Program Files (x86)\Microsoft\Temp\OneDriveStandaloneUpdater.exe"

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Memory Compression

data: "C:\Users\\x412\x441\x435 \x43f\x43e\x43b\x44c\x437\x43e\x432\x430\x442\x435\x43b\x438\Memory Compression.exe"

regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon

data: "C:\Recovery\WindowsRE\winlogon.exe"

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csrss

data: "C:\5o722xtn\dll\csrss.exe"

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemu-ga

data: "C:\Program Files\Windows Security\BrowserCore\en-US\qemu-ga.exe"

regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Memory Compression

data: "C:\Users\\x412\x441\x435 \x43f\x43e\x43b\x44c\x437\x43e\x432\x430\x442\x435\x43b\x438\Memory Compression.exe"

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msedgewebview2

data: "C:\Users\Public\Downloads\msedgewebview2.exe"

regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qemu-ga

data: "C:\Program Files\Windows Security\BrowserCore\en-US\qemu-ga.exe"

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SgrmBroker

data: "C:\5o722xtn\prescripts\SgrmBroker.exe"

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost

data: "C:\Users\\x412\x441\x435 \x43f\x43e\x43b\x44c\x437\x43e\x432\x430\x442\x435\x43b\x438\qemu-ga\conhost.exe"

regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveStandaloneUpdater

data: "C:\Program Files (x86)\Microsoft\Temp\OneDriveStandaloneUpdater.exe"

regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SgrmBroker

data: "C:\5o722xtn\prescripts\SgrmBroker.exe"

regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedgewebview2

data: "C:\Users\Public\Downloads\msedgewebview2.exe"

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon

data: "C:\Recovery\WindowsRE\winlogon.exe"

regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss

data: "C:\5o722xtn\dll\csrss.exe"

Exhibits possible ransomware or wiper file modification behavior: overwrites_existing_files

file: C:\Windows\System32\drivers\etc\hosts

file: C:\Users\cape\AppData\Local\Temp\RCX3072.tmp

file: C:\Users\cape\AppData\Local\Temp\RCX3239.tmp

file: C:\sqbmEUPTwi\CAPE\RCX35B4.tmp

file: C:\sqbmEUPTwi\CAPE\RCX36A0.tmp

file: C:\Recovery\WindowsRE\RCX3A89.tmp

file: C:\Recovery\WindowsRE\RCX3BC2.tmp

file: C:\Program Files (x86)\Microsoft\Temp\RCX3F5D.tmp

file: C:\Program Files (x86)\Microsoft\Temp\RCX4029.tmp

file: C:\5o722xtn\prescripts\RCX4318.tmp

file: C:\5o722xtn\prescripts\RCX4452.tmp

file: C:\ProgramData\RCX47AE.tmp

file: C:\ProgramData\RCX487A.tmp

file: C:\5o722xtn\dll\RCX4B4A.tmp

file: C:\5o722xtn\dll\RCX4E39.tmp

file: C:\ProgramData\qemu-ga\RCX5231.tmp

file: C:\ProgramData\qemu-ga\RCX533C.tmp

file: C:\Program Files\Windows Security\BrowserCore\en-US\RCX56C7.tmp

file: C:\Program Files\Windows Security\BrowserCore\en-US\RCX57C2.tmp