CAPE Sandbox

CAPE

Detections: Emotet

Analysis

Category	Package	Started	Completed	Duration	Log
FILE	Extraction	2019-02-11 18:26:12	2019-02-11 18:27:42	90 seconds	Show Log

2019-02-11 18:26:13,000 [root] INFO: Date set to: 02-11-19, time set to: 18:26:13, timeout set to: 60
2019-02-11 18:26:13,015 [root] DEBUG: Starting analyzer from: C:\whprbueeo
2019-02-11 18:26:13,015 [root] DEBUG: Storing results at: C:\baWRaIQSTf
2019-02-11 18:26:13,015 [root] DEBUG: Pipe server name: \\.\PIPE\sdAtjlBUF
2019-02-11 18:26:13,015 [root] INFO: Analysis package "Extraction" has been specified.
2019-02-11 18:26:13,342 [root] DEBUG: Started auxiliary module Browser
2019-02-11 18:26:13,342 [root] DEBUG: Started auxiliary module Curtain
2019-02-11 18:26:13,342 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-02-11 18:26:13,342 [root] DEBUG: Started auxiliary module DigiSig
2019-02-11 18:26:13,358 [root] DEBUG: Started auxiliary module Disguise
2019-02-11 18:26:13,358 [root] DEBUG: Started auxiliary module Human
2019-02-11 18:26:13,358 [root] DEBUG: Started auxiliary module Screenshots
2019-02-11 18:26:13,358 [root] DEBUG: Started auxiliary module Sysmon
2019-02-11 18:26:13,358 [root] DEBUG: Started auxiliary module Usage
2019-02-11 18:26:13,358 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-02-11 18:26:13,358 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2019-02-11 18:26:13,513 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe" with arguments "" with pid 2952
2019-02-11 18:26:13,513 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:26:13,513 [lib.api.process] INFO: 32-bit DLL to inject is C:\whprbueeo\dll\UjjAEMn.dll, loader C:\whprbueeo\bin\LogBewe.exe
2019-02-11 18:26:13,561 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2952
2019-02-11 18:26:15,573 [lib.api.process] INFO: Successfully resumed process with pid 2952
2019-02-11 18:26:15,573 [root] INFO: Added new process to list with pid: 2952
2019-02-11 18:26:15,573 [root] INFO: Enabled timeout enforce, running for the full timeout.
2019-02-11 18:26:15,651 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-02-11 18:26:15,651 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-02-11 18:26:15,651 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:26:15,683 [root] INFO: Monitor successfully loaded in process with pid 2952.
2019-02-11 18:26:15,713 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2d0000, RegionSize: 0x1a000.
2019-02-11 18:26:15,713 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2d0000, AllocationSize: 0x1a000, ThreadId: 0xb8c
2019-02-11 18:26:15,713 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x2d0000 and Type=0x1.
2019-02-11 18:26:15,713 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2d0000, size 2 with Callback 0x74493100, ThreadHandle = 0xb8.
2019-02-11 18:26:15,713 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2d0000
2019-02-11 18:26:15,730 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,730 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2d0000.
2019-02-11 18:26:15,730 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 18:26:15,730 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:15,730 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,730 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2d0000.
2019-02-11 18:26:15,730 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 18:26:15,730 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2d003c and Type=0x1.
2019-02-11 18:26:15,730 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,730 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x2d003c (EIP = 0x10f2927)
2019-02-11 18:26:15,730 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:15,730 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,730 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:26:15,730 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x2d003c.
2019-02-11 18:26:15,730 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2d0080 and Type=0x1.
2019-02-11 18:26:15,730 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,730 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x2d0080 (EIP = 0x10f2927)
2019-02-11 18:26:15,730 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 18:26:15,744 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,744 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2d0080.
2019-02-11 18:26:15,744 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 18:26:15,744 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:26:15,744 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,744 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2d0080.
2019-02-11 18:26:15,744 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2d00a8 and Type=0x1.
2019-02-11 18:26:15,744 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,744 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x10f2927).
2019-02-11 18:26:15,744 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:26:15,744 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,744 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2d00a8.
2019-02-11 18:26:15,744 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2d0075 and Type=0x0.
2019-02-11 18:26:15,744 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,744 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x2d0075 (EIP = 0x10f2927).
2019-02-11 18:26:15,744 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:15,744 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,744 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2d00a8.
2019-02-11 18:26:15,744 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2d2e75 and Type=0x0.
2019-02-11 18:26:15,744 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,744 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x2d2e75 (EIP = 0x10f2927).
2019-02-11 18:26:15,744 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:15,744 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,744 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2d00a8.
2019-02-11 18:26:15,744 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2d2e75 and Type=0x0.
2019-02-11 18:26:15,760 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,760 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x2d2e75 (EIP = 0x10f2927).
2019-02-11 18:26:15,760 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:15,760 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,760 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2d00a8.
2019-02-11 18:26:15,760 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2d2e75 and Type=0x0.
2019-02-11 18:26:15,760 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,760 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x2d2e75 (EIP = 0x10f2927).
2019-02-11 18:26:15,760 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:15,760 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x4e0000, RegionSize: 0x18000.
2019-02-11 18:26:15,760 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x2d0000.
2019-02-11 18:26:15,760 [root] DEBUG: DumpPEsInRange: Scanning range 0x2d0000 - 0x2ea000.
2019-02-11 18:26:15,760 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2d0000
2019-02-11 18:26:15,760 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:15,760 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2d0000
2019-02-11 18:26:15,760 [root] DEBUG: DumpProcess: Module entry point VA is 0x2d2e75
2019-02-11 18:26:15,760 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\2952_76115261911122019
2019-02-11 18:26:15,760 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:15,760 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x2d0000.
2019-02-11 18:26:15,776 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2d0001-0x2ea000.
2019-02-11 18:26:15,776 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 18:26:15,776 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2d0000 - 0x2ea000.
2019-02-11 18:26:15,776 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x2d00a8.
2019-02-11 18:26:15,776 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x2d2e75.
2019-02-11 18:26:15,776 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x4e0000, AllocationSize: 0x18000, ThreadId: 0xb8c
2019-02-11 18:26:15,776 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x4e0000 and Type=0x1.
2019-02-11 18:26:15,776 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x4e0000, size 2 with Callback 0x74493100, ThreadHandle = 0xb8.
2019-02-11 18:26:15,776 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x4e0000
2019-02-11 18:26:15,776 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2d28ee
2019-02-11 18:26:15,776 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4e0000.
2019-02-11 18:26:15,776 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4e0000: 0x0.
2019-02-11 18:26:15,776 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4e0000 and Type=0x0.
2019-02-11 18:26:15,776 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,776 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x4e0000, AllocationBaseExecBpSet = 1 (EIP = 0x2d28ee)
2019-02-11 18:26:15,776 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:15,776 [root] DEBUG: ProtectionHandler: Address: 0x3f1000, RegionSize: 0x10000
2019-02-11 18:26:15,776 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x4e0000.
2019-02-11 18:26:15,776 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x400000.
2019-02-11 18:26:15,776 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3f0000
2019-02-11 18:26:15,776 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:15,776 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x3f0000
2019-02-11 18:26:15,776 [root] DEBUG: DumpProcess: Module entry point VA is 0x3ff5e0
2019-02-11 18:26:15,792 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\2952_77615261911122019
2019-02-11 18:26:15,792 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:15,792 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3f0000.
2019-02-11 18:26:15,792 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0001-0x400000.
2019-02-11 18:26:15,792 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 18:26:15,792 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4e0000 - 0x4f8000.
2019-02-11 18:26:15,792 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x4e0000.
2019-02-11 18:26:15,792 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x4e0000.
2019-02-11 18:26:15,792 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x400000.
2019-02-11 18:26:15,792 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3f0000
2019-02-11 18:26:15,792 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:15,792 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x3f0000
2019-02-11 18:26:15,792 [root] DEBUG: DumpProcess: Module entry point VA is 0x3ff5e0
2019-02-11 18:26:15,808 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\2952_79215261911122019
2019-02-11 18:26:15,808 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:15,808 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3f0000.
2019-02-11 18:26:15,808 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0001-0x400000.
2019-02-11 18:26:15,808 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 18:26:15,808 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x0, Address=0x3f1000 and Type=0x0.
2019-02-11 18:26:15,808 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x3f1000, size 0 with Callback 0x74492e90, ThreadHandle = 0xb8.
2019-02-11 18:26:15,808 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x3f1000, AllocationBaseExecBpSet = 1
2019-02-11 18:26:15,808 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f1000
2019-02-11 18:26:15,808 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x3f1000.
2019-02-11 18:26:15,808 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x3f0000, size 0x11000).
2019-02-11 18:26:15,808 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x401000.
2019-02-11 18:26:15,808 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3f0000
2019-02-11 18:26:15,808 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:15,808 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x3f0000
2019-02-11 18:26:15,822 [root] DEBUG: DumpProcess: Module entry point VA is 0x3ff5e0
2019-02-11 18:26:15,822 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\2952_82315261911122019
2019-02-11 18:26:15,822 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:15,822 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3f0000.
2019-02-11 18:26:15,822 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0001-0x401000.
2019-02-11 18:26:15,822 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 18:26:15,822 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 18:26:15,838 [root] INFO: Announced 32-bit process name: VaiPmlRWuo2dxL.exe pid: 3040
2019-02-11 18:26:15,854 [root] INFO: Added new process to list with pid: 3040
2019-02-11 18:26:15,854 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:26:15,854 [lib.api.process] INFO: 32-bit DLL to inject is C:\whprbueeo\dll\UjjAEMn.dll, loader C:\whprbueeo\bin\LogBewe.exe
2019-02-11 18:26:15,854 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3040
2019-02-11 18:26:15,854 [root] INFO: Disabling sleep skipping.
2019-02-11 18:26:15,854 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-02-11 18:26:15,854 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2e0000
2019-02-11 18:26:15,854 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:26:15,869 [root] INFO: Disabling sleep skipping.
2019-02-11 18:26:15,869 [root] INFO: Monitor successfully loaded in process with pid 3040.
2019-02-11 18:26:15,869 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x4e0000, RegionSize: 0x1a000.
2019-02-11 18:26:15,869 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x4e0000, AllocationSize: 0x1a000, ThreadId: 0x83c
2019-02-11 18:26:15,869 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x4e0000 and Type=0x1.
2019-02-11 18:26:15,869 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x4e0000, size 2 with Callback 0x74493100, ThreadHandle = 0xb8.
2019-02-11 18:26:15,869 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x4e0000
2019-02-11 18:26:15,869 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,869 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4e0000.
2019-02-11 18:26:15,885 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 18:26:15,885 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:15,885 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,885 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4e0000.
2019-02-11 18:26:15,885 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 18:26:15,885 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4e003c and Type=0x1.
2019-02-11 18:26:15,885 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,885 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x4e003c (EIP = 0x10f2927)
2019-02-11 18:26:15,885 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:15,885 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,885 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:26:15,885 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x4e003c.
2019-02-11 18:26:15,885 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4e0080 and Type=0x1.
2019-02-11 18:26:15,885 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,885 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4e0080 (EIP = 0x10f2927)
2019-02-11 18:26:15,885 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 18:26:15,885 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,885 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4e0080.
2019-02-11 18:26:15,885 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 18:26:15,885 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:26:15,885 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,885 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4e0080.
2019-02-11 18:26:15,885 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4e00a8 and Type=0x1.
2019-02-11 18:26:15,885 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,885 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x10f2927).
2019-02-11 18:26:15,885 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:26:15,901 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,901 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4e00a8.
2019-02-11 18:26:15,901 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4e0075 and Type=0x0.
2019-02-11 18:26:15,901 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,901 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4e0075 (EIP = 0x10f2927).
2019-02-11 18:26:15,901 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:15,901 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,901 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4e00a8.
2019-02-11 18:26:15,901 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4e2e75 and Type=0x0.
2019-02-11 18:26:15,901 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,901 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x4e2e75 (EIP = 0x10f2927).
2019-02-11 18:26:15,901 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:15,901 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,901 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4e00a8.
2019-02-11 18:26:15,901 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4e2e75 and Type=0x0.
2019-02-11 18:26:15,901 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,901 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x4e2e75 (EIP = 0x10f2927).
2019-02-11 18:26:15,901 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:15,901 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:15,901 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4e00a8.
2019-02-11 18:26:15,901 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4e2e75 and Type=0x0.
2019-02-11 18:26:15,901 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,917 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x4e2e75 (EIP = 0x10f2927).
2019-02-11 18:26:15,917 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:15,917 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x520000, RegionSize: 0x18000.
2019-02-11 18:26:15,917 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x4e0000.
2019-02-11 18:26:15,917 [root] DEBUG: DumpPEsInRange: Scanning range 0x4e0000 - 0x4fa000.
2019-02-11 18:26:15,917 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4e0000
2019-02-11 18:26:15,917 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:15,917 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4e0000
2019-02-11 18:26:15,917 [root] DEBUG: DumpProcess: Module entry point VA is 0x4e2e75
2019-02-11 18:26:15,917 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\3040_91715261911122019
2019-02-11 18:26:15,917 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:15,917 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x4e0000.
2019-02-11 18:26:15,917 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4e0001-0x4fa000.
2019-02-11 18:26:15,917 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 18:26:15,917 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4e0000 - 0x4fa000.
2019-02-11 18:26:15,917 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x4e00a8.
2019-02-11 18:26:15,931 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x4e2e75.
2019-02-11 18:26:15,931 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x520000, AllocationSize: 0x18000, ThreadId: 0x83c
2019-02-11 18:26:15,931 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x520000 and Type=0x1.
2019-02-11 18:26:15,931 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x520000, size 2 with Callback 0x74493100, ThreadHandle = 0xb8.
2019-02-11 18:26:15,931 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x520000
2019-02-11 18:26:15,931 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4e28ee
2019-02-11 18:26:15,931 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x520000.
2019-02-11 18:26:15,931 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x520000: 0x0.
2019-02-11 18:26:15,931 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x520000 and Type=0x0.
2019-02-11 18:26:15,931 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:15,931 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x520000, AllocationBaseExecBpSet = 1 (EIP = 0x4e28ee)
2019-02-11 18:26:15,931 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:15,931 [root] DEBUG: ProtectionHandler: Address: 0x501000, RegionSize: 0x10000
2019-02-11 18:26:15,931 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x520000.
2019-02-11 18:26:15,931 [root] DEBUG: DumpPEsInRange: Scanning range 0x500000 - 0x510000.
2019-02-11 18:26:15,931 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x500000
2019-02-11 18:26:15,931 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:15,931 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x500000
2019-02-11 18:26:15,931 [root] DEBUG: DumpProcess: Module entry point VA is 0x50f5e0
2019-02-11 18:26:15,947 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\3040_93215261911122019
2019-02-11 18:26:15,947 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:15,947 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x500000.
2019-02-11 18:26:15,947 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x500001-0x510000.
2019-02-11 18:26:15,947 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 18:26:15,947 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x520000 - 0x538000.
2019-02-11 18:26:15,947 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x520000.
2019-02-11 18:26:15,947 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x520000.
2019-02-11 18:26:15,947 [root] DEBUG: DumpPEsInRange: Scanning range 0x500000 - 0x510000.
2019-02-11 18:26:15,947 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x500000
2019-02-11 18:26:15,947 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:15,947 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x500000
2019-02-11 18:26:15,947 [root] DEBUG: DumpProcess: Module entry point VA is 0x50f5e0
2019-02-11 18:26:15,963 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\3040_94815261911122019
2019-02-11 18:26:15,963 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:15,963 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x500000.
2019-02-11 18:26:15,963 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x500001-0x510000.
2019-02-11 18:26:15,963 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 18:26:15,963 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x0, Address=0x501000 and Type=0x0.
2019-02-11 18:26:15,963 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x501000, size 0 with Callback 0x74492e90, ThreadHandle = 0xb8.
2019-02-11 18:26:15,963 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x501000, AllocationBaseExecBpSet = 1
2019-02-11 18:26:15,963 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x501000
2019-02-11 18:26:15,963 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x501000.
2019-02-11 18:26:15,963 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x500000, size 0x11000).
2019-02-11 18:26:15,963 [root] DEBUG: DumpPEsInRange: Scanning range 0x500000 - 0x511000.
2019-02-11 18:26:15,963 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x500000
2019-02-11 18:26:15,979 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:15,979 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x500000
2019-02-11 18:26:15,979 [root] DEBUG: DumpProcess: Module entry point VA is 0x50f5e0
2019-02-11 18:26:15,979 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\3040_97915261911122019
2019-02-11 18:26:15,979 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:15,979 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x500000.
2019-02-11 18:26:15,979 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x500001-0x511000.
2019-02-11 18:26:15,979 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 18:26:15,979 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 18:26:15,979 [root] INFO: Notified of termination of process with pid 2952.
2019-02-11 18:26:22,921 [root] INFO: Announced starting service "dafpanes"
2019-02-11 18:26:22,921 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-02-11 18:26:22,921 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-02-11 18:26:22,951 [lib.api.process] INFO: 64-bit DLL to inject is C:\whprbueeo\dll\aSeKHm.dll, loader C:\whprbueeo\bin\NMZeuqqI.exe
2019-02-11 18:26:22,967 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 18:26:22,967 [root] DEBUG: Process dumps enabled.
2019-02-11 18:26:22,983 [root] INFO: Disabling sleep skipping.
2019-02-11 18:26:22,999 [root] WARNING: Unable to place hook on LockResource
2019-02-11 18:26:22,999 [root] WARNING: Unable to hook LockResource
2019-02-11 18:26:23,015 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x0000000074110000, image base 0x00000000FFA10000, stack from 0x0000000002E46000-0x0000000002E50000
2019-02-11 18:26:23,015 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-02-11 18:26:23,029 [root] INFO: Added new process to list with pid: 460
2019-02-11 18:26:23,029 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-02-11 18:26:24,013 [root] INFO: Announced 32-bit process name: dafpanes.exe pid: 2904
2019-02-11 18:26:24,013 [root] INFO: Added new process to list with pid: 2904
2019-02-11 18:26:24,013 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:26:24,029 [lib.api.process] INFO: 32-bit DLL to inject is C:\whprbueeo\dll\UjjAEMn.dll, loader C:\whprbueeo\bin\LogBewe.exe
2019-02-11 18:26:24,029 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2904
2019-02-11 18:26:24,059 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-02-11 18:26:24,059 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x160000
2019-02-11 18:26:24,059 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:26:24,075 [root] INFO: Disabling sleep skipping.
2019-02-11 18:26:24,075 [root] INFO: Monitor successfully loaded in process with pid 2904.
2019-02-11 18:26:24,091 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x390000, RegionSize: 0x1a000.
2019-02-11 18:26:24,091 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x390000, AllocationSize: 0x1a000, ThreadId: 0xb5c
2019-02-11 18:26:24,107 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x390000 and Type=0x1.
2019-02-11 18:26:24,107 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x390000, size 2 with Callback 0x74493100, ThreadHandle = 0xb8.
2019-02-11 18:26:24,107 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x390000
2019-02-11 18:26:24,138 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:24,138 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x390000.
2019-02-11 18:26:24,138 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 18:26:24,154 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:24,154 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:24,168 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x390000.
2019-02-11 18:26:24,168 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 18:26:24,184 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x39003c and Type=0x1.
2019-02-11 18:26:24,184 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:24,200 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x39003c (EIP = 0x10f2927)
2019-02-11 18:26:24,216 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:24,232 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:24,232 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:26:24,232 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x39003c.
2019-02-11 18:26:24,246 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x390080 and Type=0x1.
2019-02-11 18:26:24,246 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:24,246 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x390080 (EIP = 0x10f2927)
2019-02-11 18:26:24,246 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 18:26:24,246 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:24,246 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x390080.
2019-02-11 18:26:24,246 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 18:26:24,263 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:26:24,263 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:24,263 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x390080.
2019-02-11 18:26:24,278 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3900a8 and Type=0x1.
2019-02-11 18:26:24,293 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:24,293 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x10f2927).
2019-02-11 18:26:24,309 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:26:24,325 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:24,325 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3900a8.
2019-02-11 18:26:24,325 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x390075 and Type=0x0.
2019-02-11 18:26:24,325 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:24,325 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x390075 (EIP = 0x10f2927).
2019-02-11 18:26:24,325 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:24,325 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:24,355 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3900a8.
2019-02-11 18:26:24,355 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x392e75 and Type=0x0.
2019-02-11 18:26:24,355 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:24,355 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x392e75 (EIP = 0x10f2927).
2019-02-11 18:26:24,355 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:24,355 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:24,371 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3900a8.
2019-02-11 18:26:24,371 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x392e75 and Type=0x0.
2019-02-11 18:26:24,371 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:24,371 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x392e75 (EIP = 0x10f2927).
2019-02-11 18:26:24,371 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:24,371 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:24,388 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3900a8.
2019-02-11 18:26:24,388 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x392e75 and Type=0x0.
2019-02-11 18:26:24,388 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:24,388 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x392e75 (EIP = 0x10f2927).
2019-02-11 18:26:24,403 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:24,403 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x920000, RegionSize: 0x18000.
2019-02-11 18:26:24,418 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x390000.
2019-02-11 18:26:24,434 [root] DEBUG: DumpPEsInRange: Scanning range 0x390000 - 0x3aa000.
2019-02-11 18:26:24,434 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x390000
2019-02-11 18:26:24,434 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:24,434 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x390000
2019-02-11 18:26:24,434 [root] DEBUG: DumpProcess: Module entry point VA is 0x392e75
2019-02-11 18:26:24,466 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\2904_43424261911122019
2019-02-11 18:26:24,466 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:24,480 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x390000.
2019-02-11 18:26:24,480 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x390001-0x3aa000.
2019-02-11 18:26:24,496 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 18:26:24,496 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x390000 - 0x3aa000.
2019-02-11 18:26:24,496 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3900a8.
2019-02-11 18:26:24,496 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x392e75.
2019-02-11 18:26:24,496 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x920000, AllocationSize: 0x18000, ThreadId: 0xb5c
2019-02-11 18:26:24,496 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x920000 and Type=0x1.
2019-02-11 18:26:24,528 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x920000, size 2 with Callback 0x74493100, ThreadHandle = 0xb8.
2019-02-11 18:26:24,528 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x920000
2019-02-11 18:26:24,559 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3928ee
2019-02-11 18:26:24,559 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x920000.
2019-02-11 18:26:24,559 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x920000: 0x0.
2019-02-11 18:26:24,559 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x920000 and Type=0x0.
2019-02-11 18:26:24,575 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:24,575 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x920000, AllocationBaseExecBpSet = 1 (EIP = 0x3928ee)
2019-02-11 18:26:24,575 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:24,589 [root] DEBUG: ProtectionHandler: Address: 0x511000, RegionSize: 0x10000
2019-02-11 18:26:24,589 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x920000.
2019-02-11 18:26:24,589 [root] DEBUG: DumpPEsInRange: Scanning range 0x510000 - 0x520000.
2019-02-11 18:26:24,589 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x510000
2019-02-11 18:26:24,589 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:24,589 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x510000
2019-02-11 18:26:24,589 [root] DEBUG: DumpProcess: Module entry point VA is 0x51f5e0
2019-02-11 18:26:24,605 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\2904_59024261911122019
2019-02-11 18:26:24,605 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:24,605 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x510000.
2019-02-11 18:26:24,605 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x510001-0x520000.
2019-02-11 18:26:24,605 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 18:26:24,605 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x920000 - 0x938000.
2019-02-11 18:26:24,605 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x920000.
2019-02-11 18:26:24,605 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x920000.
2019-02-11 18:26:24,621 [root] DEBUG: DumpPEsInRange: Scanning range 0x510000 - 0x520000.
2019-02-11 18:26:24,621 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x510000
2019-02-11 18:26:24,653 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:24,667 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x510000
2019-02-11 18:26:24,667 [root] DEBUG: DumpProcess: Module entry point VA is 0x51f5e0
2019-02-11 18:26:24,887 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\2904_66824261911122019
2019-02-11 18:26:24,887 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:24,887 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x510000.
2019-02-11 18:26:24,887 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x510001-0x520000.
2019-02-11 18:26:24,917 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 18:26:24,917 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x0, Address=0x511000 and Type=0x0.
2019-02-11 18:26:24,917 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x511000, size 0 with Callback 0x74492e90, ThreadHandle = 0xb8.
2019-02-11 18:26:24,917 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x511000, AllocationBaseExecBpSet = 1
2019-02-11 18:26:24,934 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x511000
2019-02-11 18:26:24,934 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x511000.
2019-02-11 18:26:24,948 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x510000, size 0x11000).
2019-02-11 18:26:24,948 [root] DEBUG: DumpPEsInRange: Scanning range 0x510000 - 0x521000.
2019-02-11 18:26:24,948 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x510000
2019-02-11 18:26:24,948 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:24,948 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x510000
2019-02-11 18:26:24,948 [root] DEBUG: DumpProcess: Module entry point VA is 0x51f5e0
2019-02-11 18:26:25,198 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\2904_878902011122019
2019-02-11 18:26:25,198 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:25,198 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x510000.
2019-02-11 18:26:25,198 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x510001-0x521000.
2019-02-11 18:26:25,213 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 18:26:25,213 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 18:26:25,213 [root] INFO: Announced 32-bit process name: dafpanes.exe pid: 1856
2019-02-11 18:26:25,213 [root] INFO: Added new process to list with pid: 1856
2019-02-11 18:26:25,213 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:26:25,230 [lib.api.process] INFO: 32-bit DLL to inject is C:\whprbueeo\dll\UjjAEMn.dll, loader C:\whprbueeo\bin\LogBewe.exe
2019-02-11 18:26:25,260 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1856
2019-02-11 18:26:25,276 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-02-11 18:26:25,308 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1e0000
2019-02-11 18:26:25,308 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:26:25,308 [root] INFO: Disabling sleep skipping.
2019-02-11 18:26:25,308 [root] INFO: Monitor successfully loaded in process with pid 1856.
2019-02-11 18:26:25,323 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2e0000, RegionSize: 0x1a000.
2019-02-11 18:26:25,323 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2e0000, AllocationSize: 0x1a000, ThreadId: 0xb24
2019-02-11 18:26:25,323 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x2e0000 and Type=0x1.
2019-02-11 18:26:25,338 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2e0000, size 2 with Callback 0x74493100, ThreadHandle = 0xb8.
2019-02-11 18:26:25,338 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2e0000
2019-02-11 18:26:25,338 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:25,338 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2e0000.
2019-02-11 18:26:25,338 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 18:26:25,338 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:25,338 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:25,338 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2e0000.
2019-02-11 18:26:25,355 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 18:26:25,355 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2e003c and Type=0x1.
2019-02-11 18:26:25,355 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:25,355 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x2e003c (EIP = 0x10f2927)
2019-02-11 18:26:25,369 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:25,369 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:25,369 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:26:25,369 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x2e003c.
2019-02-11 18:26:25,369 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2e0080 and Type=0x1.
2019-02-11 18:26:25,369 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:25,385 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x2e0080 (EIP = 0x10f2927)
2019-02-11 18:26:25,385 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 18:26:25,385 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:25,385 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2e0080.
2019-02-11 18:26:25,385 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 18:26:25,385 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:26:25,385 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:25,385 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2e0080.
2019-02-11 18:26:25,401 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2e00a8 and Type=0x1.
2019-02-11 18:26:25,401 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:25,401 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x10f2927).
2019-02-11 18:26:25,401 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:26:25,401 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:25,417 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2e00a8.
2019-02-11 18:26:25,417 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2e0075 and Type=0x0.
2019-02-11 18:26:25,417 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:25,417 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x2e0075 (EIP = 0x10f2927).
2019-02-11 18:26:25,417 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:25,417 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:25,417 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2e00a8.
2019-02-11 18:26:25,433 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2e2e75 and Type=0x0.
2019-02-11 18:26:25,433 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:25,433 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x2e2e75 (EIP = 0x10f2927).
2019-02-11 18:26:25,433 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:25,433 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:25,433 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2e00a8.
2019-02-11 18:26:25,433 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2e2e75 and Type=0x0.
2019-02-11 18:26:25,447 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:25,447 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x2e2e75 (EIP = 0x10f2927).
2019-02-11 18:26:25,447 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:25,447 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x10f2927
2019-02-11 18:26:25,447 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2e00a8.
2019-02-11 18:26:25,463 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2e2e75 and Type=0x0.
2019-02-11 18:26:25,463 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:25,463 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x2e2e75 (EIP = 0x10f2927).
2019-02-11 18:26:25,463 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:26:25,463 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x960000, RegionSize: 0x18000.
2019-02-11 18:26:25,463 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x2e0000.
2019-02-11 18:26:25,480 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e0000 - 0x2fa000.
2019-02-11 18:26:25,480 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2e0000
2019-02-11 18:26:25,480 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:25,480 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2e0000
2019-02-11 18:26:25,494 [root] DEBUG: DumpProcess: Module entry point VA is 0x2e2e75
2019-02-11 18:26:25,510 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\1856_49525261911122019
2019-02-11 18:26:25,510 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:25,526 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x2e0000.
2019-02-11 18:26:25,542 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e0001-0x2fa000.
2019-02-11 18:26:25,542 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 18:26:25,542 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e0000 - 0x2fa000.
2019-02-11 18:26:25,558 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x2e00a8.
2019-02-11 18:26:25,558 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x2e2e75.
2019-02-11 18:26:25,558 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x960000, AllocationSize: 0x18000, ThreadId: 0xb24
2019-02-11 18:26:25,572 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x960000 and Type=0x1.
2019-02-11 18:26:25,588 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x960000, size 2 with Callback 0x74493100, ThreadHandle = 0xb8.
2019-02-11 18:26:25,604 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x960000
2019-02-11 18:26:25,604 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2e28ee
2019-02-11 18:26:25,604 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x960000.
2019-02-11 18:26:25,619 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x960000: 0x0.
2019-02-11 18:26:25,635 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x960000 and Type=0x0.
2019-02-11 18:26:25,635 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:26:25,635 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x960000, AllocationBaseExecBpSet = 1 (EIP = 0x2e28ee)
2019-02-11 18:26:25,635 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:26:25,635 [root] DEBUG: ProtectionHandler: Address: 0x301000, RegionSize: 0x10000
2019-02-11 18:26:25,635 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x960000.
2019-02-11 18:26:25,635 [root] DEBUG: DumpPEsInRange: Scanning range 0x300000 - 0x310000.
2019-02-11 18:26:25,635 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x300000
2019-02-11 18:26:25,635 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:25,651 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x300000
2019-02-11 18:26:25,651 [root] DEBUG: DumpProcess: Module entry point VA is 0x30f5e0
2019-02-11 18:26:25,651 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\1856_65125261911122019
2019-02-11 18:26:25,651 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:25,667 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x300000.
2019-02-11 18:26:25,667 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x300001-0x310000.
2019-02-11 18:26:25,681 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 18:26:25,681 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x960000 - 0x978000.
2019-02-11 18:26:25,713 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x960000.
2019-02-11 18:26:25,713 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x960000.
2019-02-11 18:26:25,713 [root] DEBUG: DumpPEsInRange: Scanning range 0x300000 - 0x310000.
2019-02-11 18:26:25,713 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x300000
2019-02-11 18:26:25,713 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:25,713 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x300000
2019-02-11 18:26:25,713 [root] DEBUG: DumpProcess: Module entry point VA is 0x30f5e0
2019-02-11 18:26:25,729 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\1856_71425261911122019
2019-02-11 18:26:25,729 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:25,729 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x300000.
2019-02-11 18:26:25,729 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x300001-0x310000.
2019-02-11 18:26:25,729 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 18:26:25,729 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x0, Address=0x301000 and Type=0x0.
2019-02-11 18:26:25,744 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x301000, size 0 with Callback 0x74492e90, ThreadHandle = 0xb8.
2019-02-11 18:26:25,744 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x301000, AllocationBaseExecBpSet = 1
2019-02-11 18:26:25,759 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x301000
2019-02-11 18:26:25,776 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x301000.
2019-02-11 18:26:25,776 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x300000, size 0x11000).
2019-02-11 18:26:25,776 [root] DEBUG: DumpPEsInRange: Scanning range 0x300000 - 0x311000.
2019-02-11 18:26:25,792 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x300000
2019-02-11 18:26:25,792 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:26:25,792 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x300000
2019-02-11 18:26:25,792 [root] DEBUG: DumpProcess: Module entry point VA is 0x30f5e0
2019-02-11 18:26:25,822 [root] INFO: Added new CAPE file to list with path: C:\whprbueeo\CAPE\1856_7701102011122019
2019-02-11 18:26:25,838 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:26:25,854 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x300000.
2019-02-11 18:26:25,854 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x300001-0x311000.
2019-02-11 18:26:25,854 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 18:26:25,869 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 18:26:25,869 [root] INFO: Notified of termination of process with pid 2904.
2019-02-11 18:26:25,869 [root] WARNING: Unable to open termination event for pid 2904.
2019-02-11 18:26:25,869 [root] INFO: Notified of termination of process with pid 3040.
2019-02-11 18:27:15,461 [root] INFO: Analysis timeout hit (60 seconds), terminating analysis.
2019-02-11 18:27:15,477 [root] INFO: Created shutdown mutex.
2019-02-11 18:27:16,506 [root] INFO: Setting terminate event for process 1856.
2019-02-11 18:27:17,022 [root] INFO: Shutting down package.
2019-02-11 18:27:17,022 [root] INFO: Stopping auxiliary modules.
2019-02-11 18:27:17,022 [root] INFO: Finishing auxiliary modules.
2019-02-11 18:27:17,022 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-02-11 18:27:17,022 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name	Label	Manager	Started On	Shutdown On
target-01	target-01	ESX	2019-02-11 18:26:12	2019-02-11 18:27:38

File Details

File Name	b18c064545fb00660dceebf2d7266702cb583dd658d4bdfea3545e1cdfd5732f
File Size	278528 bytes
File Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	91c332f5a5c7c4ec44e181b80ae3bc36
SHA1	6627756f9a17a0ac4ea31efa4c155645c2e425ac
SHA256	b18c064545fb00660dceebf2d7266702cb583dd658d4bdfea3545e1cdfd5732f
SHA512	058665199c3695978abc4f846ae17bf20962d96a04eb0c970e8c3d1ce8a7b2da056e0b20f866a944b40650d863e984016ccabd3a8779b547b7850d6e876cf8b0
CRC32	54C5B8B9
Ssdeep	3072:p+PtttttZlqp2nI8FkmbzEs8ttttttttttttttttttttmgRyZ6waEdW2NiCIYRAy:Q+ikyZeEA2NisAr0kdL5
TrID	38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 26.3% (.EXE) Win32 Executable (generic) (4508/7/1) 11.8% (.EXE) OS/2 Executable (generic) (2029/13) 11.6% (.EXE) Generic Win/DOS Executable (2002/3) 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV	None matched
Yara	None matched
CAPE Yara	None matched
	Download Download ZIP Resubmit sample

Signatures

Behavioural detection: Executable code extraction

Yara rule detections observed from a process memory dump/dropped files/CAPE

Hit: PID 2952 trigged the Yara rule 'Emotet'

Mimics the system's user agent string for its own requests

Dynamic (imported) function loading detected

DynamicLoader: kernel32.dll/GetProcessHeap

DynamicLoader: kernel32.dll/HeapAlloc

DynamicLoader: kernel32.dll/lstrcmpA

DynamicLoader: kernel32.dll/HeapFree

DynamicLoader: kernel32.dll/lstrcmpW

DynamicLoader: kernel32.dll/GetCurrentProcessId

DynamicLoader: kernel32.dll/GetTickCount

DynamicLoader: kernel32.dll/FreeConsole

DynamicLoader: kernel32.dll/GetCurrentProcess

DynamicLoader: kernel32.dll/lstrlenW

DynamicLoader: USER32.dll/GetMessageA

DynamicLoader: USER32.dll/DispatchMessageA

DynamicLoader: USER32.dll/LoadIconA

DynamicLoader: USER32.dll/LoadCursorA

DynamicLoader: USER32.dll/GetSystemMetrics

DynamicLoader: USER32.dll/LoadImageA

DynamicLoader: USER32.dll/RegisterClassExA

DynamicLoader: USER32.dll/CreateWindowExA

DynamicLoader: USER32.dll/ShowWindow

DynamicLoader: USER32.dll/UpdateWindow

DynamicLoader: USER32.dll/DefWindowProcA

DynamicLoader: USER32.dll/wsprintfA

DynamicLoader: USER32.dll/TranslateMessage

DynamicLoader: GDI32.dll/GetStockObject

DynamicLoader: kernel32.dll/SortGetHandle

DynamicLoader: kernel32.dll/SortCloseHandle

DynamicLoader: kernel32.dll/GetBinaryTypeW

DynamicLoader: kernel32.dll/VirtualAlloc

DynamicLoader: kernel32.dll/GetProcAddress

DynamicLoader: kernel32.dll/LoadLibraryA

DynamicLoader: kernel32.dll/GetProcessHeap

DynamicLoader: kernel32.dll/HeapAlloc

DynamicLoader: kernel32.dll/lstrcmpA

DynamicLoader: kernel32.dll/HeapFree

DynamicLoader: kernel32.dll/lstrcmpW

DynamicLoader: kernel32.dll/GetCurrentProcessId

DynamicLoader: kernel32.dll/GetTickCount

DynamicLoader: kernel32.dll/FreeConsole

DynamicLoader: kernel32.dll/GetCurrentProcess

DynamicLoader: kernel32.dll/lstrlenW

DynamicLoader: USER32.dll/GetMessageA

DynamicLoader: USER32.dll/DispatchMessageA

DynamicLoader: USER32.dll/LoadIconA

DynamicLoader: USER32.dll/LoadCursorA

DynamicLoader: USER32.dll/GetSystemMetrics

DynamicLoader: USER32.dll/LoadImageA

DynamicLoader: USER32.dll/RegisterClassExA

DynamicLoader: USER32.dll/CreateWindowExA

DynamicLoader: USER32.dll/ShowWindow

DynamicLoader: USER32.dll/UpdateWindow

DynamicLoader: USER32.dll/DefWindowProcA

DynamicLoader: USER32.dll/wsprintfA

DynamicLoader: USER32.dll/TranslateMessage

DynamicLoader: GDI32.dll/GetStockObject

DynamicLoader: kernel32.dll/SortGetHandle

DynamicLoader: kernel32.dll/SortCloseHandle

DynamicLoader: OLEAUT32.dll/

DynamicLoader: ole32.dll/CoInitializeEx

DynamicLoader: CRYPTBASE.dll/SystemFunction036

DynamicLoader: comctl32.dll/

DynamicLoader: ole32.dll/CreateBindCtx

DynamicLoader: ole32.dll/CoTaskMemAlloc

DynamicLoader: ole32.dll/CoGetApartmentType

DynamicLoader: ole32.dll/CoRegisterInitializeSpy

DynamicLoader: ole32.dll/CoTaskMemFree

DynamicLoader: comctl32.dll/

DynamicLoader: OLEAUT32.dll/

DynamicLoader: ole32.dll/CoTaskMemAlloc

DynamicLoader: ole32.dll/CoGetMalloc

DynamicLoader: comctl32.dll/

DynamicLoader: OLEAUT32.dll/

DynamicLoader: ole32.dll/CoCreateInstance

DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW

DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW

DynamicLoader: comctl32.dll/

DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor

DynamicLoader: ADVAPI32.dll/SetEntriesInAclW

DynamicLoader: ntmarta.dll/GetMartaExtensionInterface

DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl

DynamicLoader: ADVAPI32.dll/IsTextUnicode

DynamicLoader: comctl32.dll/

DynamicLoader: shell32.dll/

DynamicLoader: ADVAPI32.dll/OpenThreadToken

DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID

DynamicLoader: ADVAPI32.dll/RegOpenKeyExW

DynamicLoader: ADVAPI32.dll/RegQueryValueExW

DynamicLoader: ADVAPI32.dll/RegCloseKey

DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject

DynamicLoader: propsys.dll/

DynamicLoader: OLEAUT32.dll/

DynamicLoader: propsys.dll/PropVariantToStringAlloc

DynamicLoader: ole32.dll/PropVariantClear

DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore

DynamicLoader: propsys.dll/PropVariantToBuffer

DynamicLoader: propsys.dll/PropVariantToUInt64

DynamicLoader: propsys.dll/PropVariantToBoolean

DynamicLoader: propsys.dll/InitPropVariantFromBuffer

DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW

DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW

DynamicLoader: ole32.dll/CoUninitialize

DynamicLoader: comctl32.dll/

DynamicLoader: ole32.dll/CoRevokeInitializeSpy

DynamicLoader: OLEAUT32.dll/

DynamicLoader: comctl32.dll/

DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids

DynamicLoader: CRYPTSP.dll/CryptReleaseContext

DynamicLoader: kernel32.dll/GetBinaryTypeW

DynamicLoader: kernel32.dll/VirtualAlloc

DynamicLoader: kernel32.dll/GetProcAddress

DynamicLoader: kernel32.dll/LoadLibraryA

DynamicLoader: kernel32.dll/GetProcessHeap

DynamicLoader: kernel32.dll/HeapAlloc

DynamicLoader: kernel32.dll/lstrcmpA

DynamicLoader: kernel32.dll/HeapFree

DynamicLoader: kernel32.dll/lstrcmpW

DynamicLoader: kernel32.dll/GetCurrentProcessId

DynamicLoader: kernel32.dll/GetTickCount

DynamicLoader: kernel32.dll/FreeConsole

DynamicLoader: kernel32.dll/GetCurrentProcess

DynamicLoader: kernel32.dll/lstrlenW

DynamicLoader: USER32.dll/GetMessageA

DynamicLoader: USER32.dll/DispatchMessageA

DynamicLoader: USER32.dll/LoadIconA

DynamicLoader: USER32.dll/LoadCursorA

DynamicLoader: USER32.dll/GetSystemMetrics

DynamicLoader: USER32.dll/LoadImageA

DynamicLoader: USER32.dll/RegisterClassExA

DynamicLoader: USER32.dll/CreateWindowExA

DynamicLoader: USER32.dll/ShowWindow

DynamicLoader: USER32.dll/UpdateWindow

DynamicLoader: USER32.dll/DefWindowProcA

DynamicLoader: USER32.dll/wsprintfA

DynamicLoader: USER32.dll/TranslateMessage

DynamicLoader: GDI32.dll/GetStockObject

DynamicLoader: kernel32.dll/SortGetHandle

DynamicLoader: kernel32.dll/SortCloseHandle

DynamicLoader: kernel32.dll/GetBinaryTypeW

DynamicLoader: kernel32.dll/VirtualAlloc

DynamicLoader: kernel32.dll/GetProcAddress

DynamicLoader: kernel32.dll/LoadLibraryA

DynamicLoader: kernel32.dll/GetProcessHeap

DynamicLoader: kernel32.dll/HeapAlloc

DynamicLoader: kernel32.dll/lstrcmpA

DynamicLoader: kernel32.dll/HeapFree

DynamicLoader: kernel32.dll/lstrcmpW

DynamicLoader: kernel32.dll/GetCurrentProcessId

DynamicLoader: kernel32.dll/GetTickCount

DynamicLoader: kernel32.dll/FreeConsole

DynamicLoader: kernel32.dll/GetCurrentProcess

DynamicLoader: kernel32.dll/lstrlenW

DynamicLoader: USER32.dll/GetMessageA

DynamicLoader: USER32.dll/DispatchMessageA

DynamicLoader: USER32.dll/LoadIconA

DynamicLoader: USER32.dll/LoadCursorA

DynamicLoader: USER32.dll/GetSystemMetrics

DynamicLoader: USER32.dll/LoadImageA

DynamicLoader: USER32.dll/RegisterClassExA

DynamicLoader: USER32.dll/CreateWindowExA

DynamicLoader: USER32.dll/ShowWindow

DynamicLoader: USER32.dll/UpdateWindow

DynamicLoader: USER32.dll/DefWindowProcA

DynamicLoader: USER32.dll/wsprintfA

DynamicLoader: USER32.dll/TranslateMessage

DynamicLoader: GDI32.dll/GetStockObject

DynamicLoader: kernel32.dll/SortGetHandle

DynamicLoader: kernel32.dll/SortCloseHandle

DynamicLoader: CRYPTSP.dll/CryptAcquireContextW

DynamicLoader: CRYPTSP.dll/CryptImportKey

DynamicLoader: CRYPTSP.dll/CryptGenKey

DynamicLoader: CRYPTSP.dll/CryptCreateHash

DynamicLoader: CRYPTSP.dll/CryptDuplicateHash

DynamicLoader: CRYPTSP.dll/CryptEncrypt

DynamicLoader: CRYPTSP.dll/CryptExportKey

DynamicLoader: CRYPTSP.dll/CryptGetHashParam

DynamicLoader: CRYPTSP.dll/CryptDestroyHash

DynamicLoader: RASAPI32.dll/RasConnectionNotificationW

DynamicLoader: sechost.dll/NotifyServiceStatusChangeA

DynamicLoader: CRYPTBASE.dll/SystemFunction036

DynamicLoader: ole32.dll/CoInitializeEx

DynamicLoader: ADVAPI32.dll/RegDeleteTreeA

DynamicLoader: ADVAPI32.dll/RegDeleteTreeW

DynamicLoader: ole32.dll/CoCreateInstance

DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses

DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams

DynamicLoader: ole32.dll/CoUninitialize

DynamicLoader: OLEAUT32.dll/

Expresses interest in specific running processes

process: dafpanes.exe

process: VaiPmlRWuo2dxL.exe

The binary likely contains encrypted or compressed data.

section: name: .rdata, entropy: 7.77, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0001b000, virtual_size: 0x0001ae22

Deletes its original binary from disk

Attempts to remove evidence of file being downloaded from the Internet

file: C:\Windows\SysWOW64\dafpanes.exe:Zone.Identifier

Installs itself for autorun at Windows startup

service name: dafpanes

service path: "C:\Windows\SysWOW64\dafpanes.exe"

CAPE detected the Emotet malware family

Creates a copy of itself

copy: C:\Windows\SysWOW64\dafpanes.exe

Drops a binary and executes it

binary: C:\Windows\SysWOW64\dafpanes.exe

Screenshots

Hosts

Direct	IP	Country Name
Y	76.94.226.173 [VT]	United States
Y	189.163.137.10 [VT]	Mexico

DNS

No domains contacted.

Summary

C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
C:\Windows\SysWOW64\compareiface.exe
C:\Windows\
C:\Windows\SysWOW64\
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\dafpanes.exe
C:\Users
\??\MountPointManager
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows
C:\Windows\SysWOW64
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Local\
C:\Windows\SysWOW64\dafpanes.exe:Zone.Identifier
C:\Windows\Temp
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk

C:\Windows\System32\tzres.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Windows
C:\Users\user\AppData\Local\Temp
C:\Windows\SysWOW64\dafpanes.exe

C:\Windows\SysWOW64\dafpanes.exe

C:\Windows\SysWOW64\compareiface.exe
C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe
C:\Windows\SysWOW64\dafpanes.exe:Zone.Identifier

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\VaiPmlRWuo2dxL.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_CLASSES_ROOT\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice
HKEY_CLASSES_ROOT\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_CLASSES_ROOT\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\VaiPmlRWuo2dxL.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\VaiPmlRWuo2dxL.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\Environment
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\Environment
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

kernel32.dll.GetBinaryTypeW
kernel32.dll.VirtualAlloc
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcessHeap
kernel32.dll.HeapAlloc
kernel32.dll.lstrcmpA
kernel32.dll.HeapFree
kernel32.dll.lstrcmpW
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetTickCount
kernel32.dll.FreeConsole
kernel32.dll.GetCurrentProcess
kernel32.dll.lstrlenW
user32.dll.GetMessageA
user32.dll.DispatchMessageA
user32.dll.LoadIconA
user32.dll.LoadCursorA
user32.dll.GetSystemMetrics
user32.dll.LoadImageA
user32.dll.RegisterClassExA
user32.dll.CreateWindowExA
user32.dll.ShowWindow
user32.dll.UpdateWindow
user32.dll.DefWindowProcA
user32.dll.wsprintfA
user32.dll.TranslateMessage
gdi32.dll.GetStockObject
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams

"C:\Windows\SysWOW64\dafpanes.exe"

PEM9B0
PEMB88
Global\IA4889F95
Global\MA4889F95
PEM1CC
PEMB58
IESQMMUTEX_0_208

dafpanes

PE Information

Image Base	0x00400000
Entry Point	0x004024f9
Reported Checksum	0x00000000
Actual Checksum	0x0004f5d6
Minimum OS Version	6.0
PDB Path	YmAGxf1R..pdb
Compile Time	2019-02-11 18:21:28
Import Hash	ec86a106f044de478d157890f20225dd

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Characteristics	Entropy
.text	0x00001000	0x00003048	0x00004000	IMAGE_SCN_TYPE_NO_PAD\|IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_LNK_INFO\|IMAGE_SCN_LNK_REMOVE\|IMAGE_SCN_GPREL\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.60
.rdata	0x00005000	0x0001ae22	0x0001b000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.77
.data	0x00020000	0x00002208	0x00001000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_LNK_COMDAT\|IMAGE_SCN_NO_DEFER_SPEC_EXC\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.55
.s2u	0x00023000	0x00021190	0x00022000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.31
.reloc	0x00045000	0x0000020c	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	1.24

Imports

Library SHLWAPI.dll:

• 0x405048 GetMenuPosFromID

Library KERNEL32.dll:

• 0x405010 ZombifyActCtx

• 0x405014 UnlockFileEx

• 0x405018 WaitForSingleObject

• 0x40501c Thread32First

• 0x405020 TlsGetValue

• 0x405024 GetLargePageMinimum

• 0x405028 GetTimeZoneInformation

• 0x40502c GetCommandLineW

• 0x405030 GetCurrentProcessId

• 0x405034 GetVersion

• 0x405038 CloseHandle

• 0x40503c UnregisterApplicationRestart

• 0x405040 HeapCompact

Library WINSPOOL.DRV:

• 0x405078 DeletePrinterConnectionW

Library ADVAPI32.dll:

• 0x405000 IsTokenRestricted

Library GDI32.dll:

• 0x405008 GetTextExtentExPointW

Library USER32.dll:

• 0x405050 SetMenuContextHelpId

• 0x405054 GetTopWindow

• 0x405058 GetFocus

• 0x40505c GetClassNameW

• 0x405060 GetClipboardViewer

• 0x405064 EnableScrollBar

• 0x405068 GetKeyboardType

Library VERSION.dll:

• 0x405070 GetFileVersionInfoSizeA

.text
`.rdata
@.data
@.reloc
f9D$vu
Ts GD:
vx+<!
"325X/
AugustGsimilarsforthe0zOmnibox
andaheadVoofPhavemikewas
masterWebKit,ohackerssetmessageon
andf4
xu300andO4fixed8
GChrome7or1269R9memoryis
Major.minortrackingwebmost
0orNovemberthezQ79
Chromesupport9QtheVgThemesB
releasethroughsodinterfacerather6useprocedure
afterTweetDeckwOgassembledOj
9LBD0devftheNj
in4XaAMozillaspeed.326Y
xdiedX
v2nreplacementbasedXinH5PointJavaScriptECMAScript
ntdll.dll
YmAGxf1R..pdb
GetMenuPosFromID
SHLWAPI.dll
UnregisterApplicationRestart
TlsGetValue
ZombifyActCtx
UnlockFileEx
WaitForSingleObject
Thread32First
HeapCompact
GetLargePageMinimum
GetTimeZoneInformation
GetCommandLineW
GetCurrentProcessId
GetVersion
CloseHandle
KERNEL32.dll
DeletePrinterConnectionW
WINSPOOL.DRV
IsTokenRestricted
ADVAPI32.dll
GetTextExtentExPointW
GDI32.dll
GetFocus
GetClassNameW
GetClipboardViewer
SetMenuContextHelpId
EnableScrollBar
GetKeyboardType
GetTopWindow
USER32.dll
GetFileVersionInfoSizeA
VERSION.dll
0 0&0,02080>0D0
article:bwK26260enginelanguages,eachX
ration de |1 en cours.
<inconnu>
ponse '%1!ls!'
 plusieurs fois
: '%1!ls!'
mes de compilation, y compris/le contenu de tous les fichiers de code source.
rence de l'assembly '%1!ls!'<Ajout du fichier de ressources '%1!ls!' en tant que '%2!ls!'
rence au module '%1!ls!'
E UNIQUEMENT -
<string>
                        
 un assembly.
rite de System.Windows.Forms.Form.
e. resinfo:<fichier>[,<nom>[,public|private]]
cifie un fichier de ressources Win32 (.res).
Activer les optimisations.
claration explicite des variables obligatoire.(Appliquer une syntaxe de langue stricte.
que ou un module (hex).
 de nom fort.
veloppement .NET Framework SDK (mscorlib.dll).
riter de 'System.|1' n'est pas valide.
thodes.
nements de la classe de base.3Try doit utiliser au moins un 'Catch' ou 'Finally'.
tres ParamArray et Optional.
s avec 'New'.
re occurrence de 'Case'.(Une expression de constante est requise.WUne conversion de '|1' en '|2' ne peut pas avoir lieu dans une expression de constante.
tre la cible d'une assignation.
rieur d'une instruction 'Select Case'.
s ne sont pas valides en tant qu'indices de tableau.
thode actuelle.A'Select Case' doit se terminer par un 'End Select' correspondant.
rieur d'une instruction 'Select'.
;Tout branchement en dehors d'un 'Finally' n'est pas valide.
rande a le type '|1'.
.9'|1' est un type Enum et n'est pas une expression valide.9'|1' est un type et n'est donc pas une expression valide.@'|1' est un type classe et n'est donc pas une expression valide.C'|1' est un type structure et n'est donc pas une expression valide.C'|1' est un type interface et n'est donc pas une expression valide.
 comme nom d'espace de noms racine.
: |0:Impossible d'incorporer le fichier de ressources '|1' : |0
menter '|2' pour l'interface '|3'.
cificateurs 'ReadOnly'/'WriteOnly' correspondants.
tre que dans une instruction 'With'.
er une instance de Module '|1'.
s dans '|5') sont en conflit dans l'espace de noms '|4'.
 d'un 'Enum' correspondant.8'Enum' doit se terminer par un 'End Enum' correspondant.
claration attendue.
cificateurs et les attributs ne sont pas valides sur cette instruction.
tre suivi de 'Text' ou 'Binary'.
rent une clause 'As'.
Virgule ou ')' attendu.
'Sub' ou 'Function' attendu.
thode.
tre qu'une seule fois par fichier.
claration de variable membre.
rateur relationnel attendu.
claration event.&'|1' n'est pas valide dans un Declare.
'=' attendu.
 d'un 'Interface' correspondant.B'Interface' doit se terminer par un 'End Interface' correspondant.
riter que d'autres classes.
 en tant que '|2' dans ce |3.
finitions comportant des signatures identiques.
claration event d'interface.
s 'Delegate'.
 un |1 dans une base |3.
'.' attendu.
me nom que la fonction qui la contient.
claration 'Sub', car un 'Sub' ne retourne pas de valeur.
rencient.
tre convertie en '|2'.
me instruction 'Select'.
rence.
tre de type '|1'.
rencient.
riter que d'une autre interface.
clarations dans une interface.
 '|1'.
faut.
 en tant que type.
e dans l'interface '|2'.
 d'un 'Try' correspondant.
claration delegate.
clarer un 'Sub New', car sa classe de base '|2' n'a pas de 'Sub New' accessible qu'il est possible d'appeler sans argument.
<'|1' n'est pas accessible dans ce contexte, car il est '|2'.?'|1.|2' n'est pas accessible dans ce contexte, car il est '|3'.
rieur d'une instruction 'Try'.
 'MustOverride'.
menter '|2', car il n'existe pas de |3 correspondant sur l'interface '|4'.
 '|2'.
rents.A'ReDim' ne peut pas changer le nombre de dimensions d'un tableau.
%'Sub Main' est introuvable dans '|1'.
, pas de type classe, structure ou tableau.
 d'un 'Property' correspondant.
sentable dans le type '|1'.
claration Const ne peut pas avoir un initialiseur de tableau.
fini pour les types '|2' et '|3'.
tre '|1' de '|2'.!'|1' n'est pas un membre de '|2'.
 '|1'.
thode et ne peut pas avoir de liste d'arguments.
 '|2', car il s'agit d'une instruction 'Declare'.
tre de type tableau.
 '|1'.JUne instruction 'Class' doit se terminer par un 'End Class' correspondant.
fini pour le type '|2'.
 avec '|1'.*Cette expression ne produit pas de valeur.
Exposant non valide.
nements.
s 'Shared'.3La clause Handles requiert une variable WithEvents.
s de |3 de base.
EOption Strict On interdit les conversions implicites de '|1' en '|2'.
 '|1' est 'WriteOnly'.
 '|1' est 'ReadOnly'.
finition.
thode 'Date.FromOADate'.
valuation de cette expression.
 ou utiliser sa valeur.
thodes d'interface.
clarations dans les modules '|2' et '|3'.1'|1' est ambigu dans les objets application '|2'.
e 'MustInherit'.
/Option Strict On rejette toute liaison tardive.
 partir de '|2'.
tre ParamArray.
nement.
finitions de types.
e comme la fin de l'interface.
s '|1'.
gative.
tres optionnels.
 votre projet.NUne instruction 'Return' dans un Function ou un Get doit retourner une valeur.'Le fichier requis '|1' est introuvable.
: '|2'
cificateur de type unique.
s avec des limites explicites.
 d'un '#Region' correspondant.LL'instruction '#Region' doit se terminer par un '#End Region' correspondant.
re de type.
 en tant qu'expression.
: |1 - |2
tre Commande.
bogage.
nements.
tre Commande.
 a la valeur 'Nothing'.
es dans le runtime.8Impossible d'obtenir des informations de type pour '|1'.
 '|1'.
rieures.
faut.
s d'E/S sur fichier sont disponibles dans l'espace de noms 'Microsoft.VisualBasic'.
 la place.
s graphiques en tant que 'System.Drawing.Graphics.DrawLine'.
e '|1' dans la DLL '|2' : |0
.NET.
e par cette classe.
 de nouveau.
es 'Default'.XLes initialiseurs sur les membres de structures ne sont valides que pour les constantes.
e dans un assembly.
e '|1'.
 en tant que module.
rence.
cifier des modificateurs de tableau sur la variable et son type.
ralement d'un fichier 'Microsoft.VisualBasic.dll' incompatible.
 '|2' dans |3 '|4'.
 en tant qu'attribut, car ce n'est pas une classe.
rencer '|1', car il ne s'agit pas d'un assembly.
me projet.
e.%'|1' n'est pas valide dans un module.&'|1' n'est valide que dans une classe.
'Assembly' ou 'Module' attendu.
.:Virgule, ')' ou continuation d'expression valide attendue.
re instruction d'une ligne.
 'MyBase.New' ou 'MyClass.New', car la classe de base '|1' de '|2' a plusieurs 'Sub New' accessibles qu'il est possible d'appeler sans argument.
 'Friend' et n'est pas accessible en dehors du projet qui le contient.
me classe.
e 'MustInherit'.
: '|2'
 'Shadows'.RD'autres langages peuvent permettre la substitution de membres Friend Overridable.
tre identiques.
faut.
faut.
nement.
VS_VERSION_INFO
StringFileInfo
040C04B0
CompanyName
Microsoft Corpora
FileDescription
ApiSet Stub DLL
FileVersion
6.2.9200
InternalName
apisetstu
LegalCopyright
 Microsoft Corporation. All rights reserved.
OriginalFilename
apisetstu
ProductName
io .NET
ProductVersion
6.2.9200
VarFileInfo
Translation

This file is not on VirusTotal.

Process Tree

VaiPmlRWuo2dxL.exe 2952

VaiPmlRWuo2dxL.exe 3040

services.exe 460 C:\Windows\system32\services.exe

dafpanes.exe 2904

dafpanes.exe 1856

VaiPmlRWuo2dxL.exe, PID: 2952, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe
Command Line: "C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe"

default registry filesystem network process threading services device synchronization crypto browser all

VaiPmlRWuo2dxL.exe, PID: 3040, Parent PID: 2952
Full Path: C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe
Command Line: "C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe"

default registry filesystem network process threading services device synchronization crypto browser all

services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe

default registry filesystem network process threading services device synchronization crypto browser all

dafpanes.exe, PID: 2904, Parent PID: 460
Full Path: C:\Windows\SysWOW64\dafpanes.exe
Command Line: "C:\Windows\SysWOW64\dafpanes.exe"

default registry filesystem network process threading services device synchronization crypto browser all

dafpanes.exe, PID: 1856, Parent PID: 2904
Full Path: C:\Windows\SysWOW64\dafpanes.exe
Command Line: "C:\Windows\SysWOW64\dafpanes.exe"

default registry filesystem network process threading services device synchronization crypto browser all

Download PCAP

Hosts

Direct	IP	Country Name
Y	76.94.226.173 [VT]	United States
Y	189.163.137.10 [VT]	Mexico

TCP

Source	Source Port	Destination	Destination Port
192.168.35.21	49189	189.163.137.10	20
192.168.35.21	49188	76.94.226.173	20

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name	dafpanes.exe
Associated Filenames	C:\Windows\SysWOW64\dafpanes.exe
File Size	278528 bytes
File Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	91c332f5a5c7c4ec44e181b80ae3bc36
SHA1	6627756f9a17a0ac4ea31efa4c155645c2e425ac
SHA256	b18c064545fb00660dceebf2d7266702cb583dd658d4bdfea3545e1cdfd5732f
CRC32	54C5B8B9
Ssdeep	3072:p+PtttttZlqp2nI8FkmbzEs8ttttttttttttttttttttmgRyZ6waEdW2NiCIYRAy:Q+ikyZeEA2NisAr0kdL5
ClamAV	None
Yara	None matched
CAPE Yara	None matched
VirusTotal	Search for Analysis
	Download Download ZIP Submit file

Type	Emotet Config
RSA public key	-----BEGIN PUBLIC KEY----- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB -----END PUBLIC KEY-----
address	76.94.226.173:20 189.163.137.10:20 70.55.70.230:7080 174.79.240.46:8080 50.93.34.66:443 64.87.26.16:80 133.242.164.31:7080 115.71.233.127:443 153.121.36.202:7080 50.31.0.160:8080 187.151.226.219:465 24.227.158.234:21 190.40.100.7:8080 5.230.147.179:8080 50.80.9.93:143 94.76.200.114:8080 169.0.85.74:465 83.222.124.62:8080 174.96.7.155:80 174.80.166.76:21 24.173.121.154:993 97.100.88.65:80 100.35.190.8:443 178.62.37.188:443 87.106.210.123:80 189.225.165.11:995 184.186.222.145:8443 45.123.3.54:443 208.107.52.29:80 71.7.15.240:22 211.115.111.19:443 66.57.212.114:50000 45.63.17.206:8080 108.190.34.69:20 186.3.223.3:995 173.255.196.209:8080 73.119.47.209:22 61.69.20.54:22 67.205.149.117:443 217.13.106.160:7080 68.192.249.20:143 62.75.187.192:8080 107.13.149.212:8443 24.228.124.151:7080 69.198.17.7:8080 169.57.61.42:80 190.114.242.130:20 62.75.191.231:8080 96.234.162.118:22 75.101.48.184:995 198.74.58.47:443 71.167.42.74:53 208.78.100.202:8080
	Download

Type	Extracted PE Image: 32-bit executable
Size	20992 bytes
Virtual Address	0x2d0000
Process	VaiPmlRWuo2dxL.exe
PID	2952
Path	C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe
MD5	13498d590986080faf7669bef9e6d176
SHA1	e86f87751098b578768d5f7330664eb2a8fb7e07
SHA256	cd10fa9887bb2348035b99c594fe606e87f43fa83cba50c7b3c7a50e637621fb
CRC32	FE1A2D26
Ssdeep	384:7V4HiynLNmcSoqauxTx6SjS+T8kZse4GhpUW9vhCSs79XidHM:7VsiynwcSnxTxjPT8SpU9Ss7dids
Yara	None matched
CAPE Yara	None matched
	Download Download ZIP

Type	Emotet Payload: 32-bit executable
Size	78336 bytes
Virtual Address	0x3f0000
Process	VaiPmlRWuo2dxL.exe
PID	2952
Path	C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe
MD5	6a4147bb1d0fe8b0c931e9c3f2330000
SHA1	6797be469809c422e38ad459173937f29352eecd
SHA256	be2ed63b2c583799e382bba6559ed99f5a601c61e8b95095d41a44068843190f
CRC32	39408F74
Ssdeep	1536:UMiOLwU2ZEsvb5DRhtfBGQMWff4zzWQD3OW8ZlC65dULLHrbzm5WqDlxqbfGWG:FHsxeI9DtfcMc93slT5CLLHnzwWWlxwu
Yara	None matched
CAPE Yara	Emotet Emotet Payload
	Download Download ZIP

Type	Emotet Payload: 32-bit executable
Size	82432 bytes
Virtual Address	0x3f0000
Process	VaiPmlRWuo2dxL.exe
PID	2952
Path	C:\Users\user\AppData\Local\Temp\VaiPmlRWuo2dxL.exe
MD5	e333157838fc105c79b94cb443db0bb4
SHA1	63d73a34f2322abb2b3438f429e98ac1935a078c
SHA256	c2fa7fcc2440a2df81e7653fd70e70cb2c1b9c9a7a5a9124fe46570023d1ef56
CRC32	1E219973
Ssdeep	1536:SiOLwU2ZEsvb5DRhtfBGQMWff4zzWQD3OW8ZlC65dULLHrbzm5WqDlxqbfGWGf:SHsxeI9DtfcMc93slT5CLLHnzwWWlxw0
Yara	None matched
CAPE Yara	Emotet Emotet Payload
	Download Download ZIP

Sorry! No process dumps.

Comments

No comments posted

Processing ( 3.341 seconds )

1.679 CAPE
0.752 BehaviorAnalysis
0.224 Static
0.212 TargetInfo
0.204 Dropped
0.154 TrID
0.062 Strings
0.034 Deduplicate
0.009 AnalysisInfo
0.008 NetworkAnalysis
0.002 config_decoder
0.001 Debug

Signatures ( 0.358 seconds )

0.049 stealth_timeout
0.036 api_spamming
0.035 decoy_document
0.024 injection_createremotethread
0.023 InjectionCreateRemoteThread
0.022 Doppelganging
0.02 antiav_detectreg
0.019 injection_runpe
0.018 InjectionProcessHollowing
0.016 InjectionInterProcess
0.011 PlugX
0.008 infostealer_ftp
0.005 infostealer_im
0.004 antivm_generic_disk
0.004 persistence_autorun
0.004 antianalysis_detectreg
0.004 antiav_detectfile
0.004 ransomware_files
0.003 mimics_filetime
0.003 infostealer_mail
0.003 ransomware_extensions
0.002 bootkit
0.002 stealth_file
0.002 antivm_generic_scsi
0.002 reads_self
0.002 virus
0.002 antivm_vbox_keys
0.002 browser_security
0.002 infostealer_bitcoin
0.001 lsass_credential_dumping
0.001 tinba_behavior
0.001 malicious_dynamic_function_loading
0.001 rat_nanocore
0.001 recon_programs
0.001 antivm_generic_services
0.001 antiemu_wine_func
0.001 process_interest
0.001 betabot_behavior
0.001 antivm_vbox_libs
0.001 kibex_behavior
0.001 infostealer_browser_password
0.001 dynamic_function_loading
0.001 vawtrak_behavior
0.001 cerber_behavior
0.001 kovter_behavior
0.001 hancitor_behavior
0.001 antianalysis_detectfile
0.001 antivm_parallels_keys
0.001 antivm_vbox_files
0.001 antivm_vmware_keys
0.001 antivm_xen_keys
0.001 geodo_banking_trojan
0.001 bot_drive
0.001 modify_proxy
0.001 disables_browser_warn
0.001 recon_fingerprint

Reporting ( 0.021 seconds )

0.021 CompressResults

Task ID	36414
Mongo ID	5c61c8bef284884f68b2c6e7
Cuckoo release	1.3-CAPE
	Delete