CAPE

Detections: Emotet


Analysis

Category  Package     Started              Completed            Duration
FILE      Extraction  2019-05-16 01:29:12  2019-05-16 01:33:38  266 seconds
2019-05-16 02:29:13,000 [root] INFO: Date set to: 05-16-19, time set to: 01:29:13, timeout set to: 200
2019-05-16 02:29:13,015 [root] DEBUG: Starting analyzer from: C:\jiihpofr
2019-05-16 02:29:13,015 [root] DEBUG: Storing results at: C:\SvWEwYIYSZ
2019-05-16 02:29:13,015 [root] DEBUG: Pipe server name: \\.\PIPE\qZIlUbM
2019-05-16 02:29:13,015 [root] INFO: Analysis package "Extraction" has been specified.
2019-05-16 02:29:13,451 [root] DEBUG: Started auxiliary module Browser
2019-05-16 02:29:13,451 [root] DEBUG: Started auxiliary module Curtain
2019-05-16 02:29:13,451 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-05-16 02:29:38,707 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2019-05-16 02:29:38,707 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-05-16 02:29:38,707 [root] DEBUG: Started auxiliary module DigiSig
2019-05-16 02:29:38,723 [root] DEBUG: Started auxiliary module Disguise
2019-05-16 02:29:38,723 [root] DEBUG: Started auxiliary module Human
2019-05-16 02:29:38,723 [root] DEBUG: Started auxiliary module Screenshots
2019-05-16 02:29:38,723 [root] DEBUG: Started auxiliary module Sysmon
2019-05-16 02:29:38,723 [root] DEBUG: Started auxiliary module Usage
2019-05-16 02:29:38,723 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-05-16 02:29:38,723 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2019-05-16 02:29:38,755 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\TvI0e.exe" with arguments "" with pid 2740
2019-05-16 02:29:38,755 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 02:29:38,755 [lib.api.process] INFO: 32-bit DLL to inject is C:\jiihpofr\dll\DkPrIp.dll, loader C:\jiihpofr\bin\jfCzYkf.exe
2019-05-16 02:29:38,755 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\qZIlUbM.
2019-05-16 02:29:38,755 [root] DEBUG: Loader: Injecting process 2740 (thread 2744) with C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:38,755 [root] DEBUG: Process image base: 0x00400000
2019-05-16 02:29:38,755 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:38,755 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0041D000 - 0x77110000
2019-05-16 02:29:38,755 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x00420000.
2019-05-16 02:29:38,755 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 02:29:38,755 [root] DEBUG: Successfully injected DLL C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:38,755 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2740
2019-05-16 02:29:40,767 [lib.api.process] INFO: Successfully resumed process with pid 2740
2019-05-16 02:29:40,767 [root] INFO: Added new process to list with pid: 2740
2019-05-16 02:29:40,799 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 02:29:40,799 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x230000
2019-05-16 02:29:40,799 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 02:29:40,813 [root] INFO: Monitor successfully loaded in process with pid 2740.
2019-05-16 02:29:40,938 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x5c0000, RegionSize: 0x11000.
2019-05-16 02:29:40,938 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x5c0000, AllocationSize: 0x11000, ThreadId: 0xab8
2019-05-16 02:29:40,938 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x5c0000 and Type=0x1.
2019-05-16 02:29:40,938 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x5c0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:40,938 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x5c0000
2019-05-16 02:29:40,954 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5c0000.
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5c0000: 0xf4.
2019-05-16 02:29:40,954 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5c0000 and Type=0x0.
2019-05-16 02:29:40,954 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x5c0000, AllocationBaseExecBpSet = 1 (EIP = 0x4012d6)
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:40,954 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5c0000.
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5c0000: 0xf4.
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:40,954 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401337
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5c0000.
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5c0000: 0xf4.
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:40,954 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401085
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5c0000.
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5c0000: 0x6d.
2019-05-16 02:29:40,954 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:41,594 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x5e0000, RegionSize: 0x10000.
2019-05-16 02:29:41,594 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x5c0000.
2019-05-16 02:29:41,594 [root] DEBUG: DumpPEsInRange: Scanning range 0x5c0000 - 0x5d1000.
2019-05-16 02:29:41,594 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5c0000-0x5d1000.
2019-05-16 02:29:41,594 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x5c0000.
2019-05-16 02:29:41,594 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\jiihpofr\CAPE\2740_5944149316452019
2019-05-16 02:29:41,609 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\2740_5944149316452019
2019-05-16 02:29:41,609 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5c0000 - 0x5d1000.
2019-05-16 02:29:41,609 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5c0000.
2019-05-16 02:29:41,609 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x5c0000.
2019-05-16 02:29:41,609 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x5e0000, AllocationSize: 0x10000, ThreadId: 0xab8
2019-05-16 02:29:41,609 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x5e0000 and Type=0x1.
2019-05-16 02:29:41,625 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x5e0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:41,625 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x5e0000
2019-05-16 02:29:41,625 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5e0000.
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5e0000: 0xa4.
2019-05-16 02:29:41,625 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5e0000 and Type=0x0.
2019-05-16 02:29:41,625 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x5e0000, AllocationBaseExecBpSet = 1 (EIP = 0x5cfbfc)
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:41,625 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5e0000.
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5e0000: 0xa4.
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:41,625 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5d02d1
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5e0000.
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5e0000: 0xa4.
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:41,625 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5d02ea
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5e0000.
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:41,625 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5e003c and Type=0x1.
2019-05-16 02:29:41,625 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x5e003c (EIP = 0x5d02ea)
2019-05-16 02:29:41,625 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:41,625 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5d02d1
2019-05-16 02:29:41,625 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:41,625 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x5e003c.
2019-05-16 02:29:41,625 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 02:29:41,625 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5d02ea
2019-05-16 02:29:41,625 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:41,641 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x5e003c.
2019-05-16 02:29:41,641 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5e00b8 and Type=0x1.
2019-05-16 02:29:41,641 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,641 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x5e00b8 (EIP = 0x5d02ea)
2019-05-16 02:29:41,641 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:41,641 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5d02d1
2019-05-16 02:29:41,641 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5e00b8.
2019-05-16 02:29:41,641 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 02:29:41,641 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:41,641 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5d02ea
2019-05-16 02:29:41,641 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5e00b8.
2019-05-16 02:29:41,641 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x5ecc89 and Type=0x0.
2019-05-16 02:29:41,641 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,641 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x5ecc89 (EIP = 0x5d02ea).
2019-05-16 02:29:41,641 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:41,641 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x1d50000, RegionSize: 0x14000.
2019-05-16 02:29:41,641 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x5e0000.
2019-05-16 02:29:41,641 [root] DEBUG: DumpPEsInRange: Scanning range 0x5e0000 - 0x5f0000.
2019-05-16 02:29:41,641 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x5e0000
2019-05-16 02:29:41,641 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 02:29:41,641 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x5e0000
2019-05-16 02:29:41,641 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\2740_6414149316452019
2019-05-16 02:29:41,641 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 02:29:41,641 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x5e0000.
2019-05-16 02:29:41,657 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5e0001-0x5f0000.
2019-05-16 02:29:41,657 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 02:29:41,657 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5e0000 - 0x5f0000.
2019-05-16 02:29:41,657 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5ecc89.
2019-05-16 02:29:41,657 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x5e0000.
2019-05-16 02:29:41,657 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1d50000, AllocationSize: 0x14000, ThreadId: 0xab8
2019-05-16 02:29:41,657 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x1d50000 and Type=0x1.
2019-05-16 02:29:41,657 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1d50000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:41,657 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1d50000
2019-05-16 02:29:41,657 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,657 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1d50000.
2019-05-16 02:29:41,657 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 02:29:41,657 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:41,657 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,657 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1d50000.
2019-05-16 02:29:41,657 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:41,657 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1d5003c and Type=0x1.
2019-05-16 02:29:41,657 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,657 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x1d5003c (EIP = 0x5cfbfc)
2019-05-16 02:29:41,657 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:41,657 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,657 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:41,657 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x1d5003c.
2019-05-16 02:29:41,657 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1d500b8 and Type=0x1.
2019-05-16 02:29:41,657 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,657 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x1d500b8 (EIP = 0x5cfbfc)
2019-05-16 02:29:41,657 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:41,657 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,657 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1d500b8.
2019-05-16 02:29:41,657 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 02:29:41,657 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:41,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,671 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1d500b8.
2019-05-16 02:29:41,671 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1d500e0 and Type=0x1.
2019-05-16 02:29:41,671 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,671 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x5cfbfc).
2019-05-16 02:29:41,671 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:41,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1d500e0.
2019-05-16 02:29:41,671 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1d500a0 and Type=0x0.
2019-05-16 02:29:41,671 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x1d500a0 (EIP = 0x5cfbfc).
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:41,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1d500e0.
2019-05-16 02:29:41,671 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1d5c9a0 and Type=0x0.
2019-05-16 02:29:41,671 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1d5c9a0 (EIP = 0x5cfbfc).
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:41,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1d500e0.
2019-05-16 02:29:41,671 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1d5c9a0 and Type=0x0.
2019-05-16 02:29:41,671 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1d5c9a0 (EIP = 0x5cfbfc).
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:41,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1d500e0.
2019-05-16 02:29:41,671 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1d5c9a0 and Type=0x0.
2019-05-16 02:29:41,671 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,671 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1d5c9a0 (EIP = 0x5cfbfc).
2019-05-16 02:29:41,687 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:41,687 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 02:29:41,687 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x1d50000.
2019-05-16 02:29:41,687 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,687 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 02:29:41,687 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 02:29:41,687 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\jiihpofr\CAPE\2740_6884149316452019
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,687 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 02:29:41,687 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x1d50000 is empty or inaccessible.
2019-05-16 02:29:41,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1d50000 - 0x1d64000.
2019-05-16 02:29:41,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1d500e0.
2019-05-16 02:29:41,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x1d5c9a0.
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,687 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 02:29:41,687 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 02:29:41,687 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0xab8
2019-05-16 02:29:41,687 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 02:29:41,687 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:41,687 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 02:29:41,687 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 02:29:41,687 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 02:29:41,687 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 02:29:41,687 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,703 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 02:29:41,703 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 02:29:41,703 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 02:29:41,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:41,703 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 02:29:41,703 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 02:29:41,703 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 02:29:41,703 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 02:29:41,703 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 02:29:41,703 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0xab8
2019-05-16 02:29:41,703 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 02:29:41,703 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 02:29:41,703 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 02:29:41,703 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,703 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 02:29:41,703 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 02:29:41,703 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:41,703 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,703 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 02:29:41,703 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:41,703 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 02:29:41,703 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,703 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x5cfbfc)
2019-05-16 02:29:41,719 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:41,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,719 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:41,719 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 02:29:41,719 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 02:29:41,719 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,719 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x5cfbfc)
2019-05-16 02:29:41,719 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:41,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,719 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 02:29:41,719 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 02:29:41,719 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:41,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,719 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 02:29:41,719 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 02:29:41,719 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,719 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x5cfbfc).
2019-05-16 02:29:41,719 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:41,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,719 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:41,719 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 02:29:41,719 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,719 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x5cfbfc).
2019-05-16 02:29:41,719 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:41,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,719 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:41,719 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:41,719 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,734 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x5cfbfc).
2019-05-16 02:29:41,734 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:41,734 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,734 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:41,734 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:41,734 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,734 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x5cfbfc).
2019-05-16 02:29:41,734 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:41,734 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5cfbfc
2019-05-16 02:29:41,734 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:41,734 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:41,734 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:41,734 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x5cfbfc).
2019-05-16 02:29:41,734 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:41,734 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 02:29:41,734 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 02:29:41,734 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 02:29:41,734 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 02:29:41,734 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 02:29:41,734 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 02:29:41,734 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 02:29:41,750 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\2740_7504149316452019
2019-05-16 02:29:41,750 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 02:29:41,750 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 02:29:41,750 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 02:29:41,750 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 02:29:41,782 [root] INFO: Announced 32-bit process name: TvI0e.exe pid: 2916
2019-05-16 02:29:41,782 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 02:29:41,782 [lib.api.process] INFO: 32-bit DLL to inject is C:\jiihpofr\dll\DkPrIp.dll, loader C:\jiihpofr\bin\jfCzYkf.exe
2019-05-16 02:29:41,782 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\qZIlUbM.
2019-05-16 02:29:41,782 [root] DEBUG: Loader: Injecting process 2916 (thread 2920) with C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:41,782 [root] DEBUG: Process image base: 0x00400000
2019-05-16 02:29:41,782 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:41,782 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0041D000 - 0x77110000
2019-05-16 02:29:41,782 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x00420000.
2019-05-16 02:29:41,782 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 02:29:41,782 [root] DEBUG: Successfully injected DLL C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:41,782 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2916
2019-05-16 02:29:41,782 [root] INFO: Disabling sleep skipping.
2019-05-16 02:29:41,782 [root] INFO: Notified of termination of process with pid 2740.
2019-05-16 02:29:41,796 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 02:29:41,828 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2b0000
2019-05-16 02:29:41,828 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 02:29:41,844 [root] INFO: Disabling sleep skipping.
2019-05-16 02:29:41,844 [root] INFO: Added new process to list with pid: 2916
2019-05-16 02:29:41,844 [root] INFO: Monitor successfully loaded in process with pid 2916.
2019-05-16 02:29:41,953 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x340000, RegionSize: 0x11000.
2019-05-16 02:29:41,953 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x340000, AllocationSize: 0x11000, ThreadId: 0xb68
2019-05-16 02:29:41,969 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x340000 and Type=0x1.
2019-05-16 02:29:41,983 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x340000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:41,983 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x340000
2019-05-16 02:29:42,000 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 02:29:42,000 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x340000.
2019-05-16 02:29:42,000 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x340000: 0xf4.
2019-05-16 02:29:42,016 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x340000 and Type=0x0.
2019-05-16 02:29:42,030 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:42,046 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x340000, AllocationBaseExecBpSet = 1 (EIP = 0x4012d6)
2019-05-16 02:29:42,046 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:42,046 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 02:29:42,046 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x340000.
2019-05-16 02:29:42,062 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x340000: 0xf4.
2019-05-16 02:29:42,062 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:42,078 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401337
2019-05-16 02:29:42,094 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x340000.
2019-05-16 02:29:42,094 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x340000: 0xf4.
2019-05-16 02:29:42,094 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:42,125 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401085
2019-05-16 02:29:42,125 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x340000.
2019-05-16 02:29:42,140 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x340000: 0x6d.
2019-05-16 02:29:42,155 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:42,796 [root] INFO: Process with pid 2740 has terminated
2019-05-16 02:29:42,811 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x360000, RegionSize: 0x10000.
2019-05-16 02:29:42,811 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x340000.
2019-05-16 02:29:42,811 [root] DEBUG: DumpPEsInRange: Scanning range 0x340000 - 0x351000.
2019-05-16 02:29:42,826 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x340000-0x351000.
2019-05-16 02:29:42,826 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x340000.
2019-05-16 02:29:42,842 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\jiihpofr\CAPE\2916_8274249316452019
2019-05-16 02:29:42,858 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\2916_8274249316452019
2019-05-16 02:29:42,858 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x340000 - 0x351000.
2019-05-16 02:29:42,858 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x340000.
2019-05-16 02:29:42,858 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x340000.
2019-05-16 02:29:42,858 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x360000, AllocationSize: 0x10000, ThreadId: 0xb68
2019-05-16 02:29:42,858 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x360000 and Type=0x1.
2019-05-16 02:29:42,858 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x360000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:42,858 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x360000
2019-05-16 02:29:42,888 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:42,888 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x360000.
2019-05-16 02:29:42,904 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x360000: 0xa4.
2019-05-16 02:29:42,904 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x360000 and Type=0x0.
2019-05-16 02:29:42,904 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:42,920 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x360000, AllocationBaseExecBpSet = 1 (EIP = 0x34fbfc)
2019-05-16 02:29:42,951 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:42,951 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:42,967 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x360000.
2019-05-16 02:29:42,967 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x360000: 0xa4.
2019-05-16 02:29:42,983 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:42,997 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3502d1
2019-05-16 02:29:43,013 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x360000.
2019-05-16 02:29:43,013 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x360000: 0xa4.
2019-05-16 02:29:43,013 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:43,029 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3502ea
2019-05-16 02:29:43,029 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x360000.
2019-05-16 02:29:43,029 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:43,029 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x36003c and Type=0x1.
2019-05-16 02:29:43,029 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,045 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x36003c (EIP = 0x3502ea)
2019-05-16 02:29:43,045 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:43,075 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3502d1
2019-05-16 02:29:43,075 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:43,075 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x36003c.
2019-05-16 02:29:43,075 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 02:29:43,092 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3502ea
2019-05-16 02:29:43,122 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:43,122 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x36003c.
2019-05-16 02:29:43,122 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3600b8 and Type=0x1.
2019-05-16 02:29:43,122 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,122 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3600b8 (EIP = 0x3502ea)
2019-05-16 02:29:43,122 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:43,122 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3502d1
2019-05-16 02:29:43,138 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3600b8.
2019-05-16 02:29:43,138 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 02:29:43,138 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:43,138 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3502ea
2019-05-16 02:29:43,138 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3600b8.
2019-05-16 02:29:43,154 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x36cc89 and Type=0x0.
2019-05-16 02:29:43,154 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,154 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x36cc89 (EIP = 0x3502ea).
2019-05-16 02:29:43,154 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:43,154 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x430000, RegionSize: 0x14000.
2019-05-16 02:29:43,170 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x360000.
2019-05-16 02:29:43,170 [root] DEBUG: DumpPEsInRange: Scanning range 0x360000 - 0x370000.
2019-05-16 02:29:43,170 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x360000
2019-05-16 02:29:43,170 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 02:29:43,170 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x360000
2019-05-16 02:29:43,170 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\2916_1704349316452019
2019-05-16 02:29:43,170 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 02:29:43,170 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x360000.
2019-05-16 02:29:43,170 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x360001-0x370000.
2019-05-16 02:29:43,170 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 02:29:43,170 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x360000 - 0x370000.
2019-05-16 02:29:43,186 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x36cc89.
2019-05-16 02:29:43,200 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x360000.
2019-05-16 02:29:43,200 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x430000, AllocationSize: 0x14000, ThreadId: 0xb68
2019-05-16 02:29:43,217 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x430000 and Type=0x1.
2019-05-16 02:29:43,247 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x430000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:43,263 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x430000
2019-05-16 02:29:43,263 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,263 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x430000.
2019-05-16 02:29:43,263 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 02:29:43,263 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:43,263 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,263 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x430000.
2019-05-16 02:29:43,263 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:43,263 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x43003c and Type=0x1.
2019-05-16 02:29:43,263 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,263 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x43003c (EIP = 0x34fbfc)
2019-05-16 02:29:43,263 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:43,279 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,279 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:43,279 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x43003c.
2019-05-16 02:29:43,279 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4300b8 and Type=0x1.
2019-05-16 02:29:43,279 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,279 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4300b8 (EIP = 0x34fbfc)
2019-05-16 02:29:43,295 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:43,295 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,309 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4300b8.
2019-05-16 02:29:43,309 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 02:29:43,325 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:43,357 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,357 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4300b8.
2019-05-16 02:29:43,357 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4300e0 and Type=0x1.
2019-05-16 02:29:43,357 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,357 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x34fbfc).
2019-05-16 02:29:43,372 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:43,372 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,372 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4300e0.
2019-05-16 02:29:43,372 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4300a0 and Type=0x0.
2019-05-16 02:29:43,372 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,372 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4300a0 (EIP = 0x34fbfc).
2019-05-16 02:29:43,388 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:43,388 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,388 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4300e0.
2019-05-16 02:29:43,388 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x43c9a0 and Type=0x0.
2019-05-16 02:29:43,388 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,388 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x43c9a0 (EIP = 0x34fbfc).
2019-05-16 02:29:43,388 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:43,388 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,388 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4300e0.
2019-05-16 02:29:43,388 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x43c9a0 and Type=0x0.
2019-05-16 02:29:43,388 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,388 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x43c9a0 (EIP = 0x34fbfc).
2019-05-16 02:29:43,404 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:43,404 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,404 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4300e0.
2019-05-16 02:29:43,420 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x43c9a0 and Type=0x0.
2019-05-16 02:29:43,434 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,434 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x43c9a0 (EIP = 0x34fbfc).
2019-05-16 02:29:43,450 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:43,450 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 02:29:43,466 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x430000.
2019-05-16 02:29:43,466 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 02:29:43,482 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,482 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,482 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,482 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 02:29:43,497 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 02:29:43,497 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\jiihpofr\CAPE\2916_4984349316452019
2019-05-16 02:29:43,513 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,513 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,529 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,529 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 02:29:43,529 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x430000 is empty or inaccessible.
2019-05-16 02:29:43,529 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x430000 - 0x444000.
2019-05-16 02:29:43,543 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x4300e0.
2019-05-16 02:29:43,543 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x43c9a0.
2019-05-16 02:29:43,543 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,543 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,575 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,575 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 02:29:43,575 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 02:29:43,575 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0xb68
2019-05-16 02:29:43,591 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 02:29:43,591 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:43,591 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 02:29:43,591 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 02:29:43,607 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 02:29:43,607 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 02:29:43,607 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 02:29:43,607 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,607 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,607 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,621 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,638 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 02:29:43,638 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 02:29:43,638 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 02:29:43,654 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,654 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,668 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,668 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:43,684 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 02:29:43,684 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 02:29:43,700 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 02:29:43,700 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 02:29:43,716 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 02:29:43,716 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0xb68
2019-05-16 02:29:43,732 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 02:29:43,732 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 02:29:43,732 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 02:29:43,732 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,732 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 02:29:43,732 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 02:29:43,732 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:43,732 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,732 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 02:29:43,732 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:43,746 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 02:29:43,746 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,746 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x34fbfc)
2019-05-16 02:29:43,746 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:43,746 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,746 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:43,746 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 02:29:43,746 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 02:29:43,763 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,763 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x34fbfc)
2019-05-16 02:29:43,763 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:43,763 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,778 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 02:29:43,809 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 02:29:43,825 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:43,825 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,841 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 02:29:43,855 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 02:29:43,855 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,855 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x34fbfc).
2019-05-16 02:29:43,855 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:43,855 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,855 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:43,855 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 02:29:43,871 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,871 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x34fbfc).
2019-05-16 02:29:43,871 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:43,871 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,871 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:43,871 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:43,888 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,903 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x34fbfc).
2019-05-16 02:29:43,903 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:43,903 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,903 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:43,918 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:43,918 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,934 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x34fbfc).
2019-05-16 02:29:43,934 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:43,934 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x34fbfc
2019-05-16 02:29:43,950 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:43,966 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:43,966 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:43,966 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x34fbfc).
2019-05-16 02:29:43,980 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:43,980 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 02:29:44,012 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 02:29:44,012 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 02:29:44,012 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 02:29:44,012 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 02:29:44,012 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 02:29:44,012 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 02:29:44,043 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\2916_124449316452019
2019-05-16 02:29:44,043 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 02:29:44,043 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 02:29:44,043 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 02:29:44,059 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 02:29:50,361 [root] INFO: Announced starting service "gluerel"
2019-05-16 02:29:50,361 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-05-16 02:29:50,407 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-16 02:29:50,407 [lib.api.process] INFO: 64-bit DLL to inject is C:\jiihpofr\dll\KSUWexU.dll, loader C:\jiihpofr\bin\eBQeNpwO.exe
2019-05-16 02:29:50,440 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\qZIlUbM.
2019-05-16 02:29:50,440 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\jiihpofr\dll\KSUWexU.dll.
2019-05-16 02:29:50,440 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2256, handle 0x84
2019-05-16 02:29:50,440 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-05-16 02:29:50,440 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-16 02:29:50,454 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-16 02:29:50,454 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 02:29:50,502 [root] INFO: Disabling sleep skipping.
2019-05-16 02:29:50,549 [root] WARNING: Unable to place hook on LockResource
2019-05-16 02:29:50,549 [root] WARNING: Unable to hook LockResource
2019-05-16 02:29:50,579 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x00000000741C0000, image base 0x00000000FFA10000, stack from 0x0000000003046000-0x0000000003050000
2019-05-16 02:29:50,595 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-05-16 02:29:50,595 [root] INFO: Added new process to list with pid: 460
2019-05-16 02:29:50,595 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-05-16 02:29:50,595 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-16 02:29:50,595 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-16 02:29:50,611 [root] DEBUG: Successfully injected DLL C:\jiihpofr\dll\KSUWexU.dll.
2019-05-16 02:29:51,671 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 1856
2019-05-16 02:29:51,671 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 02:29:51,687 [lib.api.process] INFO: 32-bit DLL to inject is C:\jiihpofr\dll\DkPrIp.dll, loader C:\jiihpofr\bin\jfCzYkf.exe
2019-05-16 02:29:51,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\qZIlUbM.
2019-05-16 02:29:51,719 [root] DEBUG: Loader: Injecting process 1856 (thread 1796) with C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:51,719 [root] DEBUG: Process image base: 0x00400000
2019-05-16 02:29:51,733 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:51,750 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0041D000 - 0x77110000
2019-05-16 02:29:51,766 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x00420000.
2019-05-16 02:29:51,766 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 02:29:51,796 [root] DEBUG: Successfully injected DLL C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:51,796 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1856
2019-05-16 02:29:51,812 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 02:29:51,828 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x240000
2019-05-16 02:29:51,844 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 02:29:51,858 [root] INFO: Disabling sleep skipping.
2019-05-16 02:29:51,858 [root] INFO: Added new process to list with pid: 1856
2019-05-16 02:29:51,858 [root] INFO: Monitor successfully loaded in process with pid 1856.
2019-05-16 02:29:52,000 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x830000, RegionSize: 0x11000.
2019-05-16 02:29:52,000 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x830000, AllocationSize: 0x11000, ThreadId: 0x704
2019-05-16 02:29:52,000 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x830000 and Type=0x1.
2019-05-16 02:29:52,015 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x830000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:52,030 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x830000
2019-05-16 02:29:52,062 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 02:29:52,078 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x830000.
2019-05-16 02:29:52,078 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x830000: 0xf4.
2019-05-16 02:29:52,108 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x830000 and Type=0x0.
2019-05-16 02:29:52,108 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:52,108 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x830000, AllocationBaseExecBpSet = 1 (EIP = 0x4012d6)
2019-05-16 02:29:52,124 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:52,140 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 02:29:52,140 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x830000.
2019-05-16 02:29:52,155 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x830000: 0xf4.
2019-05-16 02:29:52,155 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:52,171 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401337
2019-05-16 02:29:52,171 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x830000.
2019-05-16 02:29:52,171 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x830000: 0xf4.
2019-05-16 02:29:52,171 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:52,187 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401085
2019-05-16 02:29:52,187 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x830000.
2019-05-16 02:29:52,201 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x830000: 0x6d.
2019-05-16 02:29:52,217 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:52,872 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x4f0000, RegionSize: 0x10000.
2019-05-16 02:29:52,872 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x830000.
2019-05-16 02:29:52,904 [root] DEBUG: DumpPEsInRange: Scanning range 0x830000 - 0x841000.
2019-05-16 02:29:52,920 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x830000-0x841000.
2019-05-16 02:29:52,936 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x830000.
2019-05-16 02:29:52,936 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\jiihpofr\CAPE\1856_9365249316452019
2019-05-16 02:29:52,950 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\1856_9365249316452019
2019-05-16 02:29:52,950 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x830000 - 0x841000.
2019-05-16 02:29:52,967 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x830000.
2019-05-16 02:29:52,997 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x830000.
2019-05-16 02:29:53,013 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x4f0000, AllocationSize: 0x10000, ThreadId: 0x704
2019-05-16 02:29:53,013 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x4f0000 and Type=0x1.
2019-05-16 02:29:53,013 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x4f0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:53,013 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x4f0000
2019-05-16 02:29:53,013 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,013 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4f0000.
2019-05-16 02:29:53,029 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4f0000: 0xa4.
2019-05-16 02:29:53,045 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4f0000 and Type=0x0.
2019-05-16 02:29:53,059 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,059 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x4f0000, AllocationBaseExecBpSet = 1 (EIP = 0x83fbfc)
2019-05-16 02:29:53,059 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:53,092 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,122 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4f0000.
2019-05-16 02:29:53,122 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4f0000: 0xa4.
2019-05-16 02:29:53,122 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:53,122 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8402d1
2019-05-16 02:29:53,122 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4f0000.
2019-05-16 02:29:53,122 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4f0000: 0xa4.
2019-05-16 02:29:53,154 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:53,154 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8402ea
2019-05-16 02:29:53,154 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4f0000.
2019-05-16 02:29:53,154 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:53,154 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4f003c and Type=0x1.
2019-05-16 02:29:53,154 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,170 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x4f003c (EIP = 0x8402ea)
2019-05-16 02:29:53,170 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:53,170 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8402d1
2019-05-16 02:29:53,170 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:53,184 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x4f003c.
2019-05-16 02:29:53,184 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 02:29:53,200 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8402ea
2019-05-16 02:29:53,200 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:53,200 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x4f003c.
2019-05-16 02:29:53,200 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4f00b8 and Type=0x1.
2019-05-16 02:29:53,216 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,216 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4f00b8 (EIP = 0x8402ea)
2019-05-16 02:29:53,216 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:53,216 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8402d1
2019-05-16 02:29:53,216 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4f00b8.
2019-05-16 02:29:53,216 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 02:29:53,216 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:53,216 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8402ea
2019-05-16 02:29:53,232 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4f00b8.
2019-05-16 02:29:53,232 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x4fcc89 and Type=0x0.
2019-05-16 02:29:53,232 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,232 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x4fcc89 (EIP = 0x8402ea).
2019-05-16 02:29:53,232 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:53,247 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2120000, RegionSize: 0x14000.
2019-05-16 02:29:53,247 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x4f0000.
2019-05-16 02:29:53,247 [root] DEBUG: DumpPEsInRange: Scanning range 0x4f0000 - 0x500000.
2019-05-16 02:29:53,247 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4f0000
2019-05-16 02:29:53,247 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 02:29:53,279 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x4f0000
2019-05-16 02:29:53,279 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\1856_2795349316452019
2019-05-16 02:29:53,309 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 02:29:53,309 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x4f0000.
2019-05-16 02:29:53,325 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4f0001-0x500000.
2019-05-16 02:29:53,325 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 02:29:53,357 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4f0000 - 0x500000.
2019-05-16 02:29:53,357 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x4fcc89.
2019-05-16 02:29:53,357 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x4f0000.
2019-05-16 02:29:53,357 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2120000, AllocationSize: 0x14000, ThreadId: 0x704
2019-05-16 02:29:53,371 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x2120000 and Type=0x1.
2019-05-16 02:29:53,371 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2120000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:53,371 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2120000
2019-05-16 02:29:53,371 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,388 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2120000.
2019-05-16 02:29:53,404 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 02:29:53,434 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:53,450 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,450 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2120000.
2019-05-16 02:29:53,450 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:53,450 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x212003c and Type=0x1.
2019-05-16 02:29:53,466 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,482 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x212003c (EIP = 0x83fbfc)
2019-05-16 02:29:53,496 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:53,513 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,513 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:53,543 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x212003c.
2019-05-16 02:29:53,543 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x21200b8 and Type=0x1.
2019-05-16 02:29:53,559 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,591 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x21200b8 (EIP = 0x83fbfc)
2019-05-16 02:29:53,621 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:53,621 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,638 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x21200b8.
2019-05-16 02:29:53,638 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 02:29:53,653 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:53,653 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,668 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x21200b8.
2019-05-16 02:29:53,668 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x21200e0 and Type=0x1.
2019-05-16 02:29:53,668 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,684 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x83fbfc).
2019-05-16 02:29:53,700 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:53,700 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,716 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21200e0.
2019-05-16 02:29:53,716 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x21200a0 and Type=0x0.
2019-05-16 02:29:53,746 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,762 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x21200a0 (EIP = 0x83fbfc).
2019-05-16 02:29:53,762 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:53,778 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,778 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21200e0.
2019-05-16 02:29:53,778 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x212c9a0 and Type=0x0.
2019-05-16 02:29:53,778 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,778 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x212c9a0 (EIP = 0x83fbfc).
2019-05-16 02:29:53,778 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:53,793 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,809 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21200e0.
2019-05-16 02:29:53,809 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x212c9a0 and Type=0x0.
2019-05-16 02:29:53,809 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,825 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x212c9a0 (EIP = 0x83fbfc).
2019-05-16 02:29:53,825 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:53,825 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:53,825 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21200e0.
2019-05-16 02:29:53,825 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x212c9a0 and Type=0x0.
2019-05-16 02:29:53,825 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:53,825 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x212c9a0 (EIP = 0x83fbfc).
2019-05-16 02:29:53,825 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:53,825 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 02:29:53,825 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x2120000.
2019-05-16 02:29:53,825 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 02:29:53,839 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:53,871 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:53,917 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:53,934 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 02:29:53,964 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 02:29:53,964 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\jiihpofr\CAPE\1856_9655349316452019
2019-05-16 02:29:53,964 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:53,964 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:53,980 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:53,996 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 02:29:54,012 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x2120000 is empty or inaccessible.
2019-05-16 02:29:54,012 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2120000 - 0x2134000.
2019-05-16 02:29:54,028 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x21200e0.
2019-05-16 02:29:54,028 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x212c9a0.
2019-05-16 02:29:54,042 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,059 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,105 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,105 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 02:29:54,105 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 02:29:54,105 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0x704
2019-05-16 02:29:54,121 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 02:29:54,121 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:54,121 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 02:29:54,121 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 02:29:54,121 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 02:29:54,121 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 02:29:54,121 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 02:29:54,137 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,151 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,151 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,184 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,184 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 02:29:54,184 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 02:29:54,184 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 02:29:54,198 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,214 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,214 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,230 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:54,230 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 02:29:54,230 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 02:29:54,246 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 02:29:54,262 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 02:29:54,276 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 02:29:54,276 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0x704
2019-05-16 02:29:54,276 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 02:29:54,276 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 02:29:54,308 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 02:29:54,323 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:54,323 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 02:29:54,323 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 02:29:54,355 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:54,371 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:54,401 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 02:29:54,417 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:54,417 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 02:29:54,417 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:54,433 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x83fbfc)
2019-05-16 02:29:54,433 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:54,463 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:54,496 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:54,496 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 02:29:54,496 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 02:29:54,496 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:54,496 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x83fbfc)
2019-05-16 02:29:54,510 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:54,542 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:54,558 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 02:29:54,558 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 02:29:54,573 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:54,588 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:54,619 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 02:29:54,619 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 02:29:54,651 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:54,651 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x83fbfc).
2019-05-16 02:29:54,667 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:54,683 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:54,697 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:54,713 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 02:29:54,713 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:54,713 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x83fbfc).
2019-05-16 02:29:54,744 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:54,744 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:54,744 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:54,744 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:54,760 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:54,760 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x83fbfc).
2019-05-16 02:29:54,776 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:54,792 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:54,808 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:54,808 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:54,838 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:54,838 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x83fbfc).
2019-05-16 02:29:54,838 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:54,838 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x83fbfc
2019-05-16 02:29:54,869 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:54,885 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:54,901 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:54,901 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x83fbfc).
2019-05-16 02:29:54,931 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:54,979 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 02:29:54,994 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 02:29:55,009 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 02:29:55,009 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 02:29:55,009 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 02:29:55,009 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 02:29:55,056 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 02:29:55,104 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\1856_575549316452019
2019-05-16 02:29:55,119 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 02:29:55,119 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 02:29:55,119 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 02:29:55,119 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 02:29:55,151 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 2100
2019-05-16 02:29:55,151 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 02:29:55,151 [lib.api.process] INFO: 32-bit DLL to inject is C:\jiihpofr\dll\DkPrIp.dll, loader C:\jiihpofr\bin\jfCzYkf.exe
2019-05-16 02:29:55,181 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\qZIlUbM.
2019-05-16 02:29:55,181 [root] DEBUG: Loader: Injecting process 2100 (thread 1276) with C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:55,181 [root] DEBUG: Process image base: 0x00400000
2019-05-16 02:29:55,181 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:55,181 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0041D000 - 0x77110000
2019-05-16 02:29:55,181 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x00420000.
2019-05-16 02:29:55,197 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 02:29:55,213 [root] DEBUG: Successfully injected DLL C:\jiihpofr\dll\DkPrIp.dll.
2019-05-16 02:29:55,213 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2100
2019-05-16 02:29:55,213 [root] INFO: Notified of termination of process with pid 1856.
2019-05-16 02:29:55,213 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 02:29:55,213 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1c0000
2019-05-16 02:29:55,213 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 02:29:55,213 [root] INFO: Disabling sleep skipping.
2019-05-16 02:29:55,213 [root] INFO: Added new process to list with pid: 2100
2019-05-16 02:29:55,229 [root] WARNING: Unable to open termination event for pid 1856.
2019-05-16 02:29:55,229 [root] INFO: Monitor successfully loaded in process with pid 2100.
2019-05-16 02:29:55,306 [root] INFO: Notified of termination of process with pid 2916.
2019-05-16 02:29:55,338 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x1e0000, RegionSize: 0x11000.
2019-05-16 02:29:55,338 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1e0000, AllocationSize: 0x11000, ThreadId: 0x4fc
2019-05-16 02:29:55,338 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x1e0000 and Type=0x1.
2019-05-16 02:29:55,354 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1e0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:55,354 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1e0000
2019-05-16 02:29:55,354 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 02:29:55,354 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1e0000.
2019-05-16 02:29:55,354 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1e0000: 0xf4.
2019-05-16 02:29:55,354 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1e0000 and Type=0x0.
2019-05-16 02:29:55,354 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:55,354 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x1e0000, AllocationBaseExecBpSet = 1 (EIP = 0x4012d6)
2019-05-16 02:29:55,354 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:55,368 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 02:29:55,368 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1e0000.
2019-05-16 02:29:55,368 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1e0000: 0xf4.
2019-05-16 02:29:55,368 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:55,368 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401337
2019-05-16 02:29:55,368 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1e0000.
2019-05-16 02:29:55,368 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1e0000: 0xf4.
2019-05-16 02:29:55,368 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:55,368 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401085
2019-05-16 02:29:55,368 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1e0000.
2019-05-16 02:29:55,368 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1e0000: 0x6d.
2019-05-16 02:29:55,384 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:56,009 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2c0000, RegionSize: 0x10000.
2019-05-16 02:29:56,009 [root] INFO: Process with pid 2916 has terminated
2019-05-16 02:29:56,009 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1e0000.
2019-05-16 02:29:56,009 [root] INFO: Process with pid 1856 has terminated
2019-05-16 02:29:56,009 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e0000 - 0x1f1000.
2019-05-16 02:29:56,023 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e0000-0x1f1000.
2019-05-16 02:29:56,023 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1e0000.
2019-05-16 02:29:56,023 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\jiihpofr\CAPE\2100_245649316452019
2019-05-16 02:29:56,023 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\2100_245649316452019
2019-05-16 02:29:56,023 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1e0000 - 0x1f1000.
2019-05-16 02:29:56,039 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1e0000.
2019-05-16 02:29:56,039 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x1e0000.
2019-05-16 02:29:56,039 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2c0000, AllocationSize: 0x10000, ThreadId: 0x4fc
2019-05-16 02:29:56,039 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x2c0000 and Type=0x1.
2019-05-16 02:29:56,039 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2c0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:56,039 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2c0000
2019-05-16 02:29:56,039 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,039 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2c0000.
2019-05-16 02:29:56,039 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2c0000: 0xa4.
2019-05-16 02:29:56,039 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2c0000 and Type=0x0.
2019-05-16 02:29:56,055 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,055 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x2c0000, AllocationBaseExecBpSet = 1 (EIP = 0x1efbfc)
2019-05-16 02:29:56,055 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:56,055 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,055 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2c0000.
2019-05-16 02:29:56,055 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2c0000: 0xa4.
2019-05-16 02:29:56,055 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:56,055 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1f02d1
2019-05-16 02:29:56,055 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2c0000.
2019-05-16 02:29:56,071 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2c0000: 0xa4.
2019-05-16 02:29:56,071 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 02:29:56,071 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1f02ea
2019-05-16 02:29:56,071 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2c0000.
2019-05-16 02:29:56,071 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:56,071 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2c003c and Type=0x1.
2019-05-16 02:29:56,071 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,071 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x2c003c (EIP = 0x1f02ea)
2019-05-16 02:29:56,071 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:56,071 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1f02d1
2019-05-16 02:29:56,086 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:56,086 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x2c003c.
2019-05-16 02:29:56,086 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 02:29:56,086 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1f02ea
2019-05-16 02:29:56,086 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:56,086 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x2c003c.
2019-05-16 02:29:56,086 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2c00b8 and Type=0x1.
2019-05-16 02:29:56,086 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,086 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x2c00b8 (EIP = 0x1f02ea)
2019-05-16 02:29:56,101 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:56,101 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1f02d1
2019-05-16 02:29:56,101 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2c00b8.
2019-05-16 02:29:56,101 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 02:29:56,101 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:56,101 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1f02ea
2019-05-16 02:29:56,101 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2c00b8.
2019-05-16 02:29:56,101 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x2ccc89 and Type=0x0.
2019-05-16 02:29:56,118 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,118 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x2ccc89 (EIP = 0x1f02ea).
2019-05-16 02:29:56,118 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:56,118 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3d0000, RegionSize: 0x14000.
2019-05-16 02:29:56,118 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x2c0000.
2019-05-16 02:29:56,118 [root] DEBUG: DumpPEsInRange: Scanning range 0x2c0000 - 0x2d0000.
2019-05-16 02:29:56,118 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2c0000
2019-05-16 02:29:56,118 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 02:29:56,134 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x2c0000
2019-05-16 02:29:56,134 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\2100_1345649316452019
2019-05-16 02:29:56,134 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 02:29:56,134 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x2c0000.
2019-05-16 02:29:56,134 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2c0001-0x2d0000.
2019-05-16 02:29:56,148 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 02:29:56,148 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2c0000 - 0x2d0000.
2019-05-16 02:29:56,148 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x2ccc89.
2019-05-16 02:29:56,148 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x2c0000.
2019-05-16 02:29:56,148 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3d0000, AllocationSize: 0x14000, ThreadId: 0x4fc
2019-05-16 02:29:56,148 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x3d0000 and Type=0x1.
2019-05-16 02:29:56,148 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3d0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:56,148 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3d0000
2019-05-16 02:29:56,148 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,148 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3d0000.
2019-05-16 02:29:56,164 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 02:29:56,164 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:56,164 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,164 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3d0000.
2019-05-16 02:29:56,164 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:56,164 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3d003c and Type=0x1.
2019-05-16 02:29:56,164 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,164 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x3d003c (EIP = 0x1efbfc)
2019-05-16 02:29:56,164 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:56,164 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,180 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:56,180 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3d003c.
2019-05-16 02:29:56,180 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3d00b8 and Type=0x1.
2019-05-16 02:29:56,180 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,180 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3d00b8 (EIP = 0x1efbfc)
2019-05-16 02:29:56,180 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:56,180 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,180 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3d00b8.
2019-05-16 02:29:56,180 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 02:29:56,180 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:56,196 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,196 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3d00b8.
2019-05-16 02:29:56,196 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3d00e0 and Type=0x1.
2019-05-16 02:29:56,196 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,196 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x1efbfc).
2019-05-16 02:29:56,196 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:56,196 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,196 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3d00e0.
2019-05-16 02:29:56,196 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3d00a0 and Type=0x0.
2019-05-16 02:29:56,196 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,211 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x3d00a0 (EIP = 0x1efbfc).
2019-05-16 02:29:56,211 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:56,211 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,211 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3d00e0.
2019-05-16 02:29:56,211 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3dc9a0 and Type=0x0.
2019-05-16 02:29:56,211 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,211 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x3dc9a0 (EIP = 0x1efbfc).
2019-05-16 02:29:56,211 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:56,211 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,226 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3d00e0.
2019-05-16 02:29:56,226 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3dc9a0 and Type=0x0.
2019-05-16 02:29:56,226 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,226 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x3dc9a0 (EIP = 0x1efbfc).
2019-05-16 02:29:56,226 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:56,226 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,226 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3d00e0.
2019-05-16 02:29:56,226 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3dc9a0 and Type=0x0.
2019-05-16 02:29:56,226 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,226 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x3dc9a0 (EIP = 0x1efbfc).
2019-05-16 02:29:56,243 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:56,243 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 02:29:56,243 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x3d0000.
2019-05-16 02:29:56,243 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 02:29:56,243 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,243 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,243 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,243 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 02:29:56,243 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 02:29:56,257 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\jiihpofr\CAPE\2100_2435649316452019
2019-05-16 02:29:56,257 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,257 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,257 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,257 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 02:29:56,273 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x3d0000 is empty or inaccessible.
2019-05-16 02:29:56,273 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3d0000 - 0x3e4000.
2019-05-16 02:29:56,273 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3d00e0.
2019-05-16 02:29:56,273 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3dc9a0.
2019-05-16 02:29:56,273 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,273 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,273 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,273 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 02:29:56,273 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 02:29:56,273 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0x4fc
2019-05-16 02:29:56,289 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 02:29:56,289 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 02:29:56,289 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 02:29:56,289 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 02:29:56,289 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 02:29:56,289 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 02:29:56,289 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 02:29:56,289 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,289 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,305 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,305 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,305 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 02:29:56,305 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 02:29:56,305 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 02:29:56,305 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,305 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,305 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,305 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 02:29:56,305 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 02:29:56,321 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 02:29:56,321 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 02:29:56,321 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 02:29:56,321 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 02:29:56,321 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0x4fc
2019-05-16 02:29:56,321 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 02:29:56,321 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 02:29:56,321 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 02:29:56,321 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,321 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 02:29:56,335 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 02:29:56,351 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:56,351 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,351 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 02:29:56,351 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 02:29:56,351 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 02:29:56,351 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,351 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x1efbfc)
2019-05-16 02:29:56,351 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 02:29:56,351 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,368 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 02:29:56,368 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 02:29:56,368 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 02:29:56,368 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,368 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x1efbfc)
2019-05-16 02:29:56,368 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 02:29:56,368 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,368 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 02:29:56,368 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 02:29:56,368 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:56,382 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,382 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 02:29:56,382 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 02:29:56,382 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,382 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x1efbfc).
2019-05-16 02:29:56,382 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 02:29:56,382 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,382 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:56,382 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 02:29:56,382 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,398 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x1efbfc).
2019-05-16 02:29:56,398 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:56,398 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,398 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:56,398 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:56,398 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,398 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x1efbfc).
2019-05-16 02:29:56,398 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:56,398 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,398 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:56,414 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:56,414 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,414 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x1efbfc).
2019-05-16 02:29:56,414 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:56,414 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1efbfc
2019-05-16 02:29:56,414 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 02:29:56,414 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 02:29:56,414 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 02:29:56,414 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x1efbfc).
2019-05-16 02:29:56,414 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 02:29:56,430 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 02:29:56,430 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 02:29:56,430 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 02:29:56,430 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 02:29:56,430 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 02:29:56,430 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 02:29:56,430 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 02:29:56,446 [root] INFO: Added new CAPE file to list with path: C:\jiihpofr\CAPE\2100_4305649316452019
2019-05-16 02:29:56,446 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 02:29:56,446 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 02:29:56,446 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 02:29:56,446 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 02:33:09,012 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-05-16 02:33:09,012 [root] INFO: Created shutdown mutex.
2019-05-16 02:33:10,058 [root] INFO: Setting terminate event for process 2100.
2019-05-16 02:33:10,058 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2100
2019-05-16 02:33:10,058 [root] INFO: Terminating process 2100 before shutdown.
2019-05-16 02:33:10,058 [root] INFO: Waiting for process 2100 to exit.
2019-05-16 02:33:11,072 [root] INFO: Waiting for process 2100 to exit.
2019-05-16 02:33:12,101 [root] INFO: Waiting for process 2100 to exit.
2019-05-16 02:33:13,131 [root] INFO: Waiting for process 2100 to exit.
2019-05-16 02:33:14,144 [lib.api.process] INFO: Successfully terminated process with pid 2100.
2019-05-16 02:33:14,160 [root] INFO: Waiting for process 2100 to exit.
2019-05-16 02:33:15,174 [root] INFO: Shutting down package.
2019-05-16 02:33:15,190 [root] INFO: Stopping auxiliary modules.
2019-05-16 02:33:15,190 [root] INFO: Finishing auxiliary modules.
2019-05-16 02:33:15,190 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-05-16 02:33:15,190 [root] WARNING: File at path "C:\SvWEwYIYSZ\debugger" does not exist, skip.
2019-05-16 02:33:15,190 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-05-16 01:29:12 2019-05-16 01:33:34

File Details

File Name af88f31b7896ee7ee757ffa2126ff0b12d5b1c04de72ea1eaf19076d06173170
File Size 119872 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 87f5b7e7ce8f6ce58f1440ed3a653b76
SHA1 a7a138cc1644accc619c229f6b1671bdd79fb6cf
SHA256 af88f31b7896ee7ee757ffa2126ff0b12d5b1c04de72ea1eaf19076d06173170
SHA512 e6764ee1d15578ca7864927522193b5fac4a268fb5d3ee0cf914e771dfda8e23a9e821af28bf509088da9cdc5cba49e359cc933d56746b00035bfd694ca2da8e
CRC32 5E845A45
Ssdeep 3072:+AgKdPNlX/1SvgDJ6gwBq1DH1xEh6/X4yTg:+AgmNo6JvwA1DHDEhmH
TrID
  • 63.3% (.EXE) Win32 Executable MS Visual C++ 4.x (134693/65)
  • 14.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 12.9% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 3.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 2.1% (.EXE) Win32 Executable (generic) (4508/7/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Communicates with IPs located across a large number of unique countries
country: United States
country: Poland
country: Taiwan
country: Argentina
country: Mexico
country: United Kingdom
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2740 triggered the Yara rule 'embedded_win_api'
Hit: PID 2740 triggered the Yara rule 'shellcode'
Hit: PID 2740 triggered the Yara rule 'Emotet'
Possible date expiration check, exits too soon after checking local time
process: gluerel.exe, PID 1856
Mimics the system's user agent string for its own requests
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/OpenServiceA
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
Performs HTTP requests potentially not found in PCAP.
url: 64.87.26.16:443/bml/psec/report/
url: 31.179.135.186:80/balloon/free/
url: 154.120.228.126:143/codec/chunk/report/
url: 109.104.79.48:8080/usbccid/sym/report/
url: 218.161.88.253:8080/img/teapot/report/merge/
url: 181.15.177.100:443/img/
url: 200.32.61.210:8080/mult/iab/report/
url: 189.143.52.49:443/teapot/
Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
Multiple direct IP connections
direct_ip_connections: Made direct connections to 8 unique IP addresses
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 7.46, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00013e00, virtual_size: 0x00013cf8
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: gluerel
service path: "C:\Windows\SysWOW64\gluerel.exe"
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\gluerel.exe
Drops a binary and executes it
binary: C:\Windows\SysWOW64\gluerel.exe

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 64.87.26.16 [VT] United States
Y 31.179.135.186 [VT] Poland
Y 218.161.88.253 [VT] Taiwan
Y 200.32.61.210 [VT] Argentina
Y 189.143.52.49 [VT] Mexico
Y 181.15.177.100 [VT] Argentina
Y 109.104.79.48 [VT] United Kingdom

DNS

Name Response Post-Analysis Lookup
www.download.windowsupdate.com [VT]
crt.usertrust.com [VT]

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
C:\Users\user\AppData\Local\Temp\TvI0e.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Windows\
C:\Windows\SysWOW64\
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\gluerel.exe
C:\Users
\??\MountPointManager
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows
C:\Windows\SysWOW64
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Local\
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
C:\Windows\Temp
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\TvI0e.exe
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Windows
C:\Users\user\AppData\Local\Temp
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Users\user\AppData\Local\Temp\TvI0e.exe
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
DisableUserModeCallbackFilter
HKEY_CLASSES_ROOT\interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\TvI0e.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_CLASSES_ROOT\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice
HKEY_CLASSES_ROOT\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_CLASSES_ROOT\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\TvI0e.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\TvI0e.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\Environment
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\Environment
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
kernel32.dll.VirtualAllocEx
kernel32.dll.LoadLibraryExA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualAlloc
kernel32.dll.SetFilePointer
kernel32.dll.lstrlenA
kernel32.dll.lstrcatA
kernel32.dll.VirtualProtect
kernel32.dll.UnmapViewOfFile
kernel32.dll.GetModuleHandleA
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.VirtualFree
kernel32.dll.GetTempPathA
kernel32.dll.CreateFileA
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.OpenServiceA
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
C:\Users\user\AppData\Local\Temp\TvI0e.exe --7b06ce32
"C:\Windows\SysWOW64\gluerel.exe"
C:\Windows\SysWOW64\gluerel.exe --caeb0eba
Global\IA4889F95
Global\MA4889F95
IESQMMUTEX_0_208
gluerel
gluerel
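
The command lines, mutexes and service name listed above describe the install chain: the dropper in %TEMP% relaunches itself with a lone `--<8 hex>` argument, the copy installed as the `gluerel` service under SysWOW64 is started by services.exe and relaunches the same way, and the process holds a pair of `Global\I...` / `Global\M...` mutexes that share one token. The following is an added example, not CAPE code, that parses the process-tree layout used later in this report and applies those three observations as triage heuristics. The sample input is copied from this report's process tree, command-line and mutex lines; the heuristics themselves (hex-token relaunch, 32-bit service child of services.exe, paired I/M mutexes) are this example's own and would need an allowlist before use on a fleet.

```python
"""Triage of a CAPE process tree, command-line list and mutex list for the
Emotet-style install chain seen in this report. Added example, not CAPE code.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    path: str = ""
    cmdline: str = ""


# One process header line in the report's tree: "name, PID: n, Parent PID: m"
_HDR = re.compile(r"^(?P<name>.+?), PID: (?P<pid>\d+), Parent PID: (?P<ppid>\d+)$")

# A lone "--" followed by exactly eight lower-case hex digits, as in "--7b06ce32".
HEX_TOKEN = re.compile(r"(?:^|\s)--([0-9a-f]{8})(?:\s|$)")


def parse_tree(text):
    """Parse the 'name, PID: n, Parent PID: m' / 'Full Path:' / 'Command Line:' layout."""
    procs = []
    for line in text.splitlines():
        line = line.strip()
        m = _HDR.match(line)
        if m:
            procs.append(Proc(m["name"], int(m["pid"]), int(m["ppid"])))
        elif line.startswith("Full Path:") and procs:
            procs[-1].path = line.split(":", 1)[1].strip()
        elif line.startswith("Command Line:") and procs:
            procs[-1].cmdline = line.split(":", 1)[1].strip()
    return procs


def relaunch_tokens(cmdlines):
    """Hex tokens from command lines of the form '<image> --xxxxxxxx'."""
    tokens = []
    for c in cmdlines:
        m = HEX_TOKEN.search(c)
        if m:
            tokens.append(m.group(1))
    return tokens


def findings(procs):
    """(pid, reason, evidence) tuples for processes matching the heuristics."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # 1. Relaunch with a lone --<8 hex> argument (dropper and service both do it here).
        if HEX_TOKEN.search(p.cmdline):
            out.append((p.pid, "hex-token relaunch", p.cmdline))
        # 2. A 32-bit image (SysWOW64) started by services.exe: unusual for
        #    built-in services on x64 Windows, so worth an allowlist check.
        if parent and parent.name.lower() == "services.exe" and "\\syswow64\\" in p.path.lower():
            out.append((p.pid, "32-bit service child of services.exe", p.path))
    return out


def paired_mutex_tokens(mutexes):
    """Tokens T for which both Global\\I<T> and Global\\M<T> are present."""
    seen = {}
    for m in mutexes:
        mm = re.fullmatch(r"Global\\([IM])([0-9A-F]{8})", m)
        if mm:
            seen.setdefault(mm.group(2), set()).add(mm.group(1))
    return sorted(t for t, prefixes in seen.items() if prefixes == {"I", "M"})


# Sample input copied from this report (the four fully listed tree entries).
TREE = r"""TvI0e.exe, PID: 2740, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\TvI0e.exe
Command Line: "C:\Users\user\AppData\Local\Temp\TvI0e.exe"
TvI0e.exe, PID: 2916, Parent PID: 2740
Full Path: C:\Users\user\AppData\Local\Temp\TvI0e.exe
Command Line: --7b06ce32
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
gluerel.exe, PID: 1856, Parent PID: 460
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: "C:\Windows\SysWOW64\gluerel.exe"
"""

# Command lines and mutexes copied from the report's behaviour summary above.
CMDLINES = [
    r"C:\Users\user\AppData\Local\Temp\TvI0e.exe --7b06ce32",
    r'"C:\Windows\SysWOW64\gluerel.exe"',
    r"C:\Windows\SysWOW64\gluerel.exe --caeb0eba",
]
MUTEXES = ["Global\\IA4889F95", "Global\\MA4889F95", "IESQMMUTEX_0_208"]

if __name__ == "__main__":
    for f in findings(parse_tree(TREE)):
        print(*f)
    print("relaunch tokens:", relaunch_tokens(CMDLINES))
    print("paired mutex tokens:", paired_mutex_tokens(MUTEXES))
```

Run as-is it reports PID 2916 (the `--7b06ce32` relaunch) and PID 1856 (gluerel.exe started by services.exe from SysWOW64), lists both relaunch tokens from the command-line summary, and recovers `A4889F95` as the token shared by the I/M mutex pair. The 32-bit-service heuristic will also fire on legitimate third-party 32-bit services, which is why it is a review item rather than a verdict.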

PE Information

Image Base 0x00400000
Entry Point 0x004026c0
Reported Checksum 0x000271e2
Actual Checksum 0x000271e2
Minimum OS Version 4.0
Compile Time 2018-05-16 01:16:21
Import Hash 1cf3647e988c2ddf489c4ba1a3b54a99

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Characteristics                                                        Entropy
.text   0x00001000       0x0000187e    0x00001a00        IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ            5.62
.rdata  0x00003000       0x00004ecc    0x00005000        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                      5.02
.data   0x00008000       0x00013cf8    0x00013e00        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE  7.46
.rsrc   0x0001c000       0x00000f40    0x00001000        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                      4.71

Overlay

Offset 0x0001bc00
Size 0x00001840
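
The Sections and Overlay figures above are what a triage script keys on: a writable section at 7.46 bits/byte of entropy and 0x1840 bytes appended past the last section. The following is an added example, not CAPE's own code, that computes Shannon entropy, applies a 7.0 bits/byte cut-off (a common but arbitrary packing threshold) to the rows copied from the table above, and checks the overlay arithmetic. The on-disk section offsets (PointerToRawData) are not in the report, so the overlay check assumes a contiguous layout starting after 0x400 bytes of headers; that assumption is marked in the code.

```python
"""Section-table triage for a PE using the numbers from the report above.
Added example (not CAPE code). Section rows are copied from the report.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics, Entropy)
# copied from the Sections table of this report.
SECTIONS = [
    (".text", 0x1000, 0x187e, 0x1a00,
     "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", 5.62),
    (".rdata", 0x3000, 0x4ecc, 0x5000,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", 5.02),
    (".data", 0x8000, 0x13cf8, 0x13e00,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", 7.46),
    (".rsrc", 0x1c000, 0xf40, 0x1000,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", 4.71),
]

ENTROPY_THRESHOLD = 7.0  # heuristic cut-off for packed or encrypted sections


def suspicious_sections(rows=SECTIONS, threshold=ENTROPY_THRESHOLD):
    """(name, entropy, 'writable'|'read-only') for sections at or above the threshold.

    A high-entropy section that is also writable is the usual home of an
    encrypted payload that a stub decrypts in place at runtime.
    """
    flagged = []
    for name, _va, _vsize, _raw, chars, entropy in rows:
        if entropy >= threshold:
            why = "writable" if "IMAGE_SCN_MEM_WRITE" in chars else "read-only"
            flagged.append((name, entropy, why))
    return flagged


def overlay(file_size, headers_size, rows=SECTIONS):
    """(offset, size) of data appended after the last section, or None.

    The loader never maps bytes past the last section's raw data, so droppers
    commonly park an encrypted payload or configuration there.
    """
    # ASSUMPTION: sections are contiguous on disk, directly after the headers.
    # On a real file use each section's PointerToRawData + SizeOfRawData instead.
    end = headers_size
    for _name, _va, _vsize, raw, _chars, _ent in rows:
        end += raw
    if file_size <= end:
        return None
    return end, file_size - end


if __name__ == "__main__":
    print("entropy(uniform) =", shannon_entropy(bytes(range(256))))
    print("suspicious:", suspicious_sections())
    # Reported overlay offset 0x1bc00 plus overlay size 0x1840 gives the file size.
    print("overlay:", overlay(0x1bc00 + 0x1840, 0x400))
```

With the assumed 0x400-byte header, the four raw sizes sum to exactly the reported overlay offset 0x1bc00, which is consistent with a contiguous layout and no slack between sections. The 0x1840-byte overlay is the first place to look for an embedded payload once the high-entropy, writable .data section is identified as a decryption stub's input.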

Imports

Library KERNEL32.dll:
0x419224 LoadLibraryA
0x419228 GetProcAddress
0x41922c GetModuleHandleA
0x419230 CloseHandle
0x419234 CreateSemaphoreA
0x419238 ExitProcess
0x41923c FindClose
0x419240 FindFirstFileA
0x419244 FindNextFileA
0x41924c GetCurrentProcessId
0x419250 GetCurrentThreadId
0x419254 GetFileAttributesA
0x419258 GetFullPathNameA
0x41925c GetLastError
0x419260 GetModuleFileNameA
0x419268 GetVersionExW
0x419274 ReleaseSemaphore
0x419278 SetLastError
0x419280 Sleep
0x419284 TlsAlloc
0x419288 TlsFree
0x41928c TlsGetValue
0x419290 TlsSetValue
0x419294 WaitForSingleObject
0x419298 GetLocaleInfoW
0x41929c GetConsoleAliasW
0x4192a4 lstrcpynA
0x4192a8 GetStdHandle
0x4192ac CopyFileExA
0x4192b4 DuplicateHandle
0x4192b8 GetCurrentProcess
0x4192bc CreateThread
0x4192c0 SetThreadPriority
0x4192c4 TerminateThread
0x4192c8 ResumeThread
0x4192cc GetSystemInfo
0x4192d4 CreateFileW
0x4192d8 FlushFileBuffers
0x4192dc GetFileType
0x4192e0 GetLogicalDrives
0x4192e4 ReadFile
0x4192e8 SetEndOfFile
0x4192ec SetFilePointerEx
0x4192f0 WriteFile
0x4192f4 SetErrorMode
0x4192f8 CreateFileMappingW
0x4192fc MapViewOfFile
0x419300 UnmapViewOfFile
0x419304 MoveFileExW
0x41930c CreateDirectoryW
0x419310 FindFirstFileW
0x41931c GetFullPathNameW
0x419320 GetLongPathNameW
0x419324 RemoveDirectoryW
0x419328 GetTempPathW
0x41932c DeviceIoControl
0x419330 MoveFileW
0x419340 GetCurrencyFormatW
0x419344 GetTickCount
0x419348 FindFirstFileExW
0x41934c GetTimeFormatW
0x419350 GetStartupInfoW
0x419354 GetModuleFileNameW
0x419358 MultiByteToWideChar
0x41935c WideCharToMultiByte
0x419360 FreeLibrary
0x419368 GetGeoInfoW
0x41936c GetUserGeoID
0x419370 GetModuleHandleExW
0x419378 lstrcmpW
0x41937c ReleaseMutex
0x419380 CreateMutexW
0x419384 VirtualAlloc
0x419388 VirtualFree
0x4193a0 TerminateProcess
0x4193a8 IsDebuggerPresent
0x4193b0 InitializeSListHead
0x4193b4 RtlUnwind
0x4193b8 EncodePointer
0x4193bc RaiseException
0x4193c4 LoadLibraryExW
0x4193c8 GetCommandLineA
0x4193cc ExitThread
0x4193d4 SetStdHandle
0x4193d8 GetConsoleMode
0x4193dc ReadConsoleW
0x4193e0 GetConsoleCP
0x4193e4 GetACP
0x4193e8 HeapFree
0x4193ec HeapAlloc
0x4193f0 LCMapStringW
0x4193f4 EnumSystemLocalesW
0x4193f8 DecodePointer
0x4193fc HeapReAlloc
0x419400 GetCPInfo
0x419408 WriteConsoleW
0x41940c GetStringTypeW
0x419410 IsValidCodePage
0x419414 GetOEMCP
0x419420 GetProcessHeap
0x419424 FindFirstFileExA
0x419428 HeapSize
0x41942c GetDateFormatW
0x419430 GetThreadPriority
0x419434 GetCurrentThread
0x419438 ResetEvent
0x41943c LoadLibraryW
0x419440 GetSystemDirectoryW
0x419444 CreateEventW
0x41944c SetEvent
0x419450 GetConsoleWindow
0x419454 OutputDebugStringW
0x41945c GetLocalTime
0x419460 GetSystemTime
0x419464 GetUserDefaultLCID
0x419468 CompareStringW
0x41946c GlobalSize
0x419470 GlobalUnlock
0x419474 GlobalLock
0x419478 GlobalAlloc
0x41947c OpenProcess
0x419488 CreateProcessW
0x419490 IsValidLocale
0x419498 FormatMessageW
0x41949c GetModuleHandleW
0x4194a0 FindNextFileW
0x4194ac LocalFree
0x4194b0 GetCommandLineW
0x4194b4 CopyFileW
0x4194b8 SetFileAttributesW
0x4194bc GetFileAttributesW
0x4194c0 GetDriveTypeW
0x4194c8 DeleteFileW
0x4194cc WinExec
0x4194d0 CreateFileMappingA
0x4194d4 GetFileSize
0x4194d8 GetShortPathNameA
0x4194dc MoveFileExA
0x4194e0 GetTempPathA
0x4194e4 GlobalFree
0x4194ec SetFileAttributesA
0x4194f0 SetFileTime
0x4194fc GetStartupInfoA
0x419500 CreateDirectoryA
0x419504 GetVersionExA
0x419508 CreateFileA
0x41950c CompareStringA
0x419510 lstrcmpiA
0x419514 CreateMutexA
0x419518 lstrcatA
0x41951c FormatMessageA
0x419524 CreateEventA
0x41952c GetSystemDirectoryA
0x419530 CopyFileA
0x419534 DeleteFileA
0x419538 RemoveDirectoryA
0x41953c CreateProcessA
0x419540 SetFilePointer
0x419544 GetShortPathNameW
0x419550 lstrlenW
Library USER32.dll:
0x419558 GetDesktopWindow
0x41955c GetClipboardOwner
0x419560 GetThreadDesktop
0x419564 GetCaretBlinkTime
0x419568 DestroyWindow
0x41956c GetKeyState
0x419570 IsIconic
0x419574 GetTopWindow
0x419578 GetSysColor
0x41957c GetListBoxInfo
0x419580 IsWindowVisible
0x419584 ExcludeUpdateRgn
0x419588 DdeUninitialize
0x41958c IsWindowEnabled
0x419590 SetDlgItemTextW
0x419594 IMPQueryIMEA
0x41959c LoadCursorW
0x4195a4 SetCursor
0x4195ac ToUnicodeEx
0x4195b0 MapVirtualKeyW
0x4195b8 PtInRect
0x4195bc CloseWindowStation
0x4195c0 HideCaret
0x4195c4 GetClipboardData
0x4195cc CheckDlgButton
0x4195d0 CheckRadioButton
0x4195d4 GetDlgItemTextW
0x4195dc MenuItemFromPoint
0x4195e4 MessageBeep
0x4195e8 EnumDesktopsA
0x4195ec InvalidateRect
0x4195f0 GetUpdateRect
0x4195f8 WindowFromDC
0x4195fc CreateMenu
0x419604 AppendMenuW
0x419608 MessageBoxW
0x41960c InsertMenuA
0x419610 UpdateLayeredWindow
0x419614 SendInput
0x419618 FindWindowExW
0x41961c CloseDesktop
0x419620 SetClipboardData
0x419624 ToUnicode
0x419628 GetMenu
0x41962c TrackPopupMenuEx
0x419630 SetMenuItemInfoW
0x419634 NotifyWinEvent
0x419638 SetCursorPos
0x41963c GetCursor
0x419640 CreateCursor
0x419644 CreateIconIndirect
0x419648 GetCursorInfo
0x41964c RegisterClassW
0x419654 TrackMouseEvent
0x419658 GetMessageExtraInfo
0x41965c GetWindowTextW
0x419660 EnumWindows
0x419664 RealGetWindowClassW
0x419668 TranslateMessage
0x41966c DispatchMessageW
0x419670 GetQueueStatus
0x419678 SetTimer
0x41967c KillTimer
0x419680 SetWindowsHookExW
0x419684 UnhookWindowsHookEx
0x419688 CallNextHookEx
0x41968c CharNextExA
0x419690 ToAscii
0x419694 GetKeyboardState
0x419698 IsZoomed
0x41969c PeekMessageW
0x4196a0 SetCaretPos
0x4196a4 GetDC
0x4196a8 ReleaseDC
0x4196ac DestroyIcon
0x4196b0 DrawIconEx
0x4196b4 GetIconInfo
0x4196b8 DestroyCaret
0x4196bc CreateCaret
0x4196c4 GetKeyboardLayout
0x4196c8 GetAsyncKeyState
0x4196d0 SetClipboardViewer
0x4196d4 LoadIconW
0x4196d8 RegisterClassExW
0x4196dc GetClassInfoW
0x4196e0 UnregisterClassW
0x4196e8 GetAncestor
0x4196ec DestroyCursor
0x4196f4 SetParent
0x4196f8 GetParent
0x4196fc SetWindowLongW
0x419700 GetWindowLongW
0x419704 ScreenToClient
0x419708 ClientToScreen
0x41970c AdjustWindowRectEx
0x419710 GetWindowRect
0x419714 SetWindowTextW
0x419718 EnumDisplayMonitors
0x41971c GetMonitorInfoW
0x419720 LoadImageW
0x419724 GetSysColorBrush
0x419728 SetWindowRgn
0x41972c EndPaint
0x419730 BeginPaint
0x419734 SetForegroundWindow
0x419738 GetForegroundWindow
0x41973c EnableMenuItem
0x419740 GetSystemMenu
0x419744 GetSystemMetrics
0x419748 ReleaseCapture
0x41974c SetCapture
0x419750 GetCapture
0x419754 SetFocus
0x419758 SetWindowPlacement
0x41975c GetWindowPlacement
0x419760 SetWindowPos
0x419764 MoveWindow
0x419768 FlashWindowEx
0x41976c IsChild
0x419770 CreateWindowExW
0x419774 DefWindowProcW
0x419778 AttachThreadInput
0x41977c PostMessageW
0x419780 SendMessageW
0x419788 GetDoubleClickTime
0x41978c GetCursorPos
0x419790 GetClientRect
0x419794 GetFocus
0x419798 ShowWindow
Library GDI32.dll:
0x4197a0 GetTextAlign
0x4197a4 GetDCPenColor
0x4197a8 CloseMetaFile
0x4197ac CreateMetaFileA
0x4197b0 FillPath
0x4197b4 GetFontLanguageInfo
0x4197b8 GetSystemPaletteUse
0x4197bc GetLayout
0x4197c0 GetDeviceCaps
0x4197c4 GetCharABCWidthsI
0x4197d0 SelectClipRgn
0x4197d4 GetRegionData
0x4197d8 CreateBitmap
0x4197dc ExtTextOutW
0x4197e0 SetWorldTransform
0x4197e4 CreateCompatibleDC
0x4197e8 DeleteDC
0x4197ec DeleteObject
0x4197f0 GetDIBits
0x4197f4 SelectObject
0x4197f8 CreateDIBSection
0x4197fc SetTextAlign
0x419800 SetTextColor
0x419804 SetGraphicsMode
0x419808 GetGlyphOutlineW
0x419810 GetCharABCWidthsW
0x419814 GetBitmapBits
0x419818 BitBlt
0x41981c CombineRgn
0x419820 CreateRectRgn
0x419824 OffsetRgn
0x419828 SetBkMode
0x419830 CreateDCW
0x419834 EnumFontFamiliesExW
0x419838 CreateFontIndirectW
0x41983c GetFontData
0x419840 GetStockObject
0x419844 AddFontResourceExW
0x419854 GetTextMetricsW
0x419858 GetObjectW
0x41985c GetTextFaceW
0x419860 ChoosePixelFormat
0x419864 DescribePixelFormat
0x419868 GetPixelFormat
0x41986c SetPixelFormat
0x419870 SwapBuffers
0x419874 GdiFlush
Library ADVAPI32.dll:
0x41987c RegOpenKeyA
0x419880 RegQueryValueExA
0x419884 RegCloseKey
0x419888 RegQueryValueExW
0x41988c OpenProcessToken
0x419890 CopySid
0x419894 FreeSid
0x419898 GetLengthSid
0x41989c GetTokenInformation
0x4198a0 RegCreateKeyExW
0x4198a4 RegDeleteKeyW
0x4198a8 RegDeleteValueW
0x4198ac RegEnumKeyExW
0x4198b0 RegEnumValueW
0x4198b4 RegFlushKey
0x4198b8 RegQueryInfoKeyW
0x4198bc RegSetValueExW
0x4198c0 SystemFunction036
0x4198c4 RegOpenKeyExW
Library SHELL32.dll:
0x4198d4 SHChangeNotify
0x4198d8 SHGetFolderPathW
0x4198dc CommandLineToArgvW
0x4198e0 SHGetStockIconInfo
0x4198e8 SHBrowseForFolderW
0x4198f0 SHGetMalloc
0x4198f4 ShellExecuteW
0x4198f8 SHGetFileInfoW
Library ole32.dll:
0x419900 StringFromGUID2
0x419904 CoTaskMemAlloc
0x419908 CoGetMalloc
0x41990c CoUninitialize
0x419910 CoTaskMemFree
0x419914 DoDragDrop
0x41991c OleFlushClipboard
0x419920 OleGetClipboard
0x419924 OleSetClipboard
0x419928 CoCreateGuid
0x41992c OleUninitialize
0x419930 OleInitialize
0x419934 RevokeDragDrop
0x419938 CoCreateInstance
0x41993c ReleaseStgMedium
0x419940 RegisterDragDrop
0x419948 CoInitialize
Library SHLWAPI.dll:
0x419950 StrChrA
Library MSVCRT.dll:
0x419958 _except_handler3
0x41995c __set_app_type
0x419960 __p__fmode
0x419964 __p__commode
0x419968 _adjust_fdiv
0x41996c __setusermatherr
0x419970 _initterm
0x419974 __getmainargs
0x419978 _acmdln
0x41997c exit
0x419980 _XcptFilter
0x419984 _exit
0x419988 _onexit
0x41998c __dllonexit
0x419990 _controlfp
Library IMM32.dll:
0x4199a0 ImmGetVirtualKey
0x4199a4 ImmGetDefaultIMEWnd
0x4199a8 ImmGetContext
0x4199ac ImmReleaseContext
0x4199b0 ImmAssociateContext
0x4199b4 ImmNotifyIME
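
The `Import Hash` line above is pefile's imphash: the MD5 of the import list normalised to `lib.func` entries in table order. The example below is added here and is not CAPE or pefile code; it re-implements that normalisation over text in the format of the Imports section above, so the value can be recomputed from a listing or compared across reports. The `SAMPLE` excerpt is constructed from the first entries of two libraries above plus one made-up ordinal import (`#17`) to show the ordinal rule.

```python
"""Recompute an import hash (imphash) from an import table in the format of
the Imports section above. Added example; mirrors pefile's get_imphash()
normalisation but is not pefile code.
"""
import hashlib
import re

_LIB_RE = re.compile(r"^Library\s+(\S+):$")          # "Library KERNEL32.dll:"
_IMP_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")     # "0x419224 LoadLibraryA"


def parse_imports(text):
    """Yield (library, function) pairs in table order."""
    lib = None
    for line in text.splitlines():
        line = line.strip()
        m = _LIB_RE.match(line)
        if m:
            lib = m.group(1)
            continue
        m = _IMP_RE.match(line)
        if m and lib is not None:
            yield lib, m.group(1)


def imphash_string(pairs):
    """The 'lib.func,lib.func,...' string that gets hashed.

    Library name lower-cased with a .dll/.ocx/.sys extension stripped,
    function name lower-cased, order preserved. An ordinal written as '#N'
    becomes 'ordN'; pefile additionally resolves ordinals of a few well-known
    DLLs (ws2_32, oleaut32) to names, which this example does not do.
    """
    parts = []
    for lib, func in pairs:
        lib = lib.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        if func.startswith("#") and func[1:].isdigit():
            func = "ord" + func[1:]
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(text):
    """Hex MD5 of the normalised import string for a listing in report format."""
    return hashlib.md5(imphash_string(parse_imports(text)).encode()).hexdigest()


# Constructed excerpt: first entries of two libraries from the report plus a
# made-up ordinal import to exercise the '#N' rule.
SAMPLE = """\
Library KERNEL32.dll:
0x419224 LoadLibraryA
0x419228 GetProcAddress
Library ole32.dll:
0x419900 StringFromGUID2
0x419904 #17
"""

if __name__ == "__main__":
    print(imphash_string(parse_imports(SAMPLE)))
    print(imphash(SAMPLE))
```

Treat a recomputation from the rendered listing as a cross-check only: the table above has gaps in the IAT addresses (for instance nothing is shown at 0x419248 between FindNextFileA and GetCurrentProcessId), and any entry the renderer dropped changes the hash. The authoritative value comes from running pefile's `get_imphash()` on the file itself. Since imphash is order-sensitive and case-insensitive, two builds that import the same functions in the same order share it even after renaming, which is why it is useful for clustering samples of one family.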

.text
`.rdata
@.data
.rsrc
ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
kernel32
VirtualAllocEx
cFoCOkLxG
hdrh=1
z44~o
`eP>ent<~
xeFp`e
C}aseQkndmg
gcrtLklFKge
vdaLj
tAut$
r"u,$
-h0pI
wt38.J
`3<nO
a3<nO
0</PZ
LoadLibraryA
GetProcAddress
GetModuleHandleA
CloseHandle
CreateSemaphoreA
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
GetCurrentDirectoryA
GetCurrentProcessId
GetCurrentThreadId
GetFileAttributesA
GetFullPathNameA
GetLastError
GetModuleFileNameA
GetSystemWindowsDirectoryA
GetVersionExW
InterlockedDecrement
InterlockedIncrement
ReleaseSemaphore
SetLastError
SetUnhandledExceptionFilter
Sleep
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
WaitForSingleObject
GetLocaleInfoW
GetConsoleAliasW
WriteProfileSectionA
lstrcpynA
GetStdHandle
CopyFileExA
GetUserDefaultUILanguage
DuplicateHandle
GetCurrentProcess
CreateThread
SetThreadPriority
TerminateThread
ResumeThread
GetSystemInfo
WaitForMultipleObjects
CreateFileW
FlushFileBuffers
GetFileType
GetLogicalDrives
ReadFile
SetEndOfFile
SetFilePointerEx
WriteFile
SetErrorMode
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
MoveFileExW
GetCurrentDirectoryW
CreateDirectoryW
FindFirstFileW
GetFileAttributesExW
GetFileInformationByHandle
GetFullPathNameW
GetLongPathNameW
RemoveDirectoryW
GetTempPathW
DeviceIoControl
MoveFileW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
QueryPerformanceCounter
GetCurrencyFormatW
GetTickCount
FindFirstFileExW
GetTimeFormatW
GetStartupInfoW
GetModuleFileNameW
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
GetTimeZoneInformation
GetGeoInfoW
GetUserGeoID
GetModuleHandleExW
GetVolumeInformationW
lstrcmpW
ReleaseMutex
CreateMutexW
VirtualAlloc
VirtualFree
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
UnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwind
EncodePointer
RaiseException
InitializeCriticalSectionAndSpinCount
LoadLibraryExW
GetCommandLineA
ExitThread
FreeLibraryAndExitThread
SetStdHandle
GetConsoleMode
ReadConsoleW
GetConsoleCP
GetACP
HeapFree
HeapAlloc
LCMapStringW
EnumSystemLocalesW
DecodePointer
HeapReAlloc
GetCPInfo
SetEnvironmentVariableA
WriteConsoleW
GetStringTypeW
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
FindFirstFileExA
HeapSize
GetDateFormatW
GetThreadPriority
GetCurrentThread
ResetEvent
LoadLibraryW
GetSystemDirectoryW
CreateEventW
WaitForSingleObjectEx
SetEvent
GetConsoleWindow
OutputDebugStringW
FindNextChangeNotification
GetLocalTime
GetSystemTime
GetUserDefaultLCID
CompareStringW
GlobalSize
GlobalUnlock
GlobalLock
GlobalAlloc
OpenProcess
CheckRemoteDebuggerPresent
GetUserDefaultLangID
CreateProcessW
ExpandEnvironmentStringsW
IsValidLocale
IsValidLanguageGroup
FormatMessageW
GetModuleHandleW
FindNextFileW
FindCloseChangeNotification
FindFirstChangeNotificationW
LocalFree
GetCommandLineW
CopyFileW
SetFileAttributesW
GetFileAttributesW
GetDriveTypeW
QueryPerformanceFrequency
DeleteFileW
WinExec
CreateFileMappingA
GetFileSize
GetShortPathNameA
MoveFileExA
GetTempPathA
GlobalFree
WritePrivateProfileStringA
SetFileAttributesA
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
GetStartupInfoA
CreateDirectoryA
GetVersionExA
CreateFileA
CompareStringA
lstrcmpiA
CreateMutexA
lstrcatA
FormatMessageA
GetPrivateProfileStringA
CreateEventA
GetWindowsDirectoryA
GetSystemDirectoryA
CopyFileA
DeleteFileA
RemoveDirectoryA
CreateProcessA
SetFilePointer
GetShortPathNameW
SetCurrentDirectoryA
SetCurrentDirectoryW
lstrlenW
KERNEL32.dll
GetDesktopWindow
GetClipboardOwner
GetThreadDesktop
GetCaretBlinkTime
DestroyWindow
GetKeyState
IsIconic
GetTopWindow
GetSysColor
GetListBoxInfo
IsWindowVisible
ExcludeUpdateRgn
DdeUninitialize
IsWindowEnabled
SetDlgItemTextW
IMPQueryIMEA
GetKeyboardLayoutNameW
LoadCursorW
ChangeClipboardChain
SetCursor
RegisterClipboardFormatA
ToUnicodeEx
MapVirtualKeyW
GetClipboardFormatNameA
PtInRect
CloseWindowStation
HideCaret
GetClipboardData
GetKeyboardLayoutNameA
CheckDlgButton
CheckRadioButton
GetDlgItemTextW
DialogBoxIndirectParamW
MenuItemFromPoint
CountClipboardFormats
MessageBeep
EnumDesktopsA
InvalidateRect
GetUpdateRect
DdeCreateStringHandleA
WindowFromDC
CreateMenu
ChildWindowFromPointEx
AppendMenuW
MessageBoxW
InsertMenuA
UpdateLayeredWindow
SendInput
FindWindowExW
CloseDesktop
SetClipboardData
ToUnicode
GetMenu
TrackPopupMenuEx
SetMenuItemInfoW
NotifyWinEvent
SetCursorPos
GetCursor
CreateCursor
CreateIconIndirect
GetCursorInfo
RegisterClassW
GetClipboardFormatNameW
TrackMouseEvent
GetMessageExtraInfo
GetWindowTextW
EnumWindows
RealGetWindowClassW
TranslateMessage
DispatchMessageW
GetQueueStatus
MsgWaitForMultipleObjectsEx
SetTimer
KillTimer
SetWindowsHookExW
UnhookWindowsHookEx
CallNextHookEx
CharNextExA
ToAscii
GetKeyboardState
IsZoomed
PeekMessageW
SetCaretPos
GetDC
ReleaseDC
DestroyIcon
DrawIconEx
GetIconInfo
DestroyCaret
CreateCaret
RegisterWindowMessageW
GetKeyboardLayout
GetAsyncKeyState
RegisterClipboardFormatW
SetClipboardViewer
LoadIconW
RegisterClassExW
GetClassInfoW
UnregisterClassW
GetKeyboardLayoutList
GetAncestor
DestroyCursor
GetWindowThreadProcessId
SetParent
GetParent
SetWindowLongW
GetWindowLongW
ScreenToClient
ClientToScreen
AdjustWindowRectEx
GetWindowRect
SetWindowTextW
EnumDisplayMonitors
GetMonitorInfoW
LoadImageW
GetSysColorBrush
SetWindowRgn
EndPaint
BeginPaint
SetForegroundWindow
GetForegroundWindow
EnableMenuItem
GetSystemMenu
GetSystemMetrics
ReleaseCapture
SetCapture
GetCapture
SetFocus
SetWindowPlacement
GetWindowPlacement
SetWindowPos
MoveWindow
FlashWindowEx
IsChild
CreateWindowExW
DefWindowProcW
AttachThreadInput
PostMessageW
SendMessageW
SystemParametersInfoW
GetDoubleClickTime
GetCursorPos
GetClientRect
GetFocus
ShowWindow
USER32.dll
GetTextAlign
GetDCPenColor
CloseMetaFile
CreateMetaFileA
FillPath
GetFontLanguageInfo
GetSystemPaletteUse
GetLayout
GetDeviceCaps
GetCharABCWidthsI
GetTextExtentPoint32W
GetOutlineTextMetricsW
SelectClipRgn
GetRegionData
CreateBitmap
ExtTextOutW
SetWorldTransform
CreateCompatibleDC
DeleteDC
DeleteObject
GetDIBits
SelectObject
CreateDIBSection
SetTextAlign
SetTextColor
SetGraphicsMode
GetGlyphOutlineW
GetCharABCWidthsFloatW
GetCharABCWidthsW
GetBitmapBits
BitBlt
CombineRgn
CreateRectRgn
OffsetRgn
SetBkMode
CreateCompatibleBitmap
CreateDCW
EnumFontFamiliesExW
CreateFontIndirectW
GetFontData
GetStockObject
AddFontResourceExW
RemoveFontResourceExW
AddFontMemResourceEx
RemoveFontMemResourceEx
GetTextMetricsW
GetObjectW
GetTextFaceW
ChoosePixelFormat
DescribePixelFormat
GetPixelFormat
SetPixelFormat
SwapBuffers
GdiFlush
GDI32.dll
RegOpenKeyA
RegQueryValueExA
RegCloseKey
RegQueryValueExW
OpenProcessToken
CopySid
FreeSid
GetLengthSid
GetTokenInformation
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
RegFlushKey
RegQueryInfoKeyW
RegSetValueExW
SystemFunction036
RegOpenKeyExW
ADVAPI32.dll
SHInvokePrinterCommandW
SHCreateDirectoryExW
SHChangeNotify
SHGetFolderPathW
CommandLineToArgvW
SHGetStockIconInfo
SHGetSpecialFolderPathW
SHBrowseForFolderW
SHGetPathFromIDListW
SHGetMalloc
ShellExecuteW
SHGetFileInfoW
SHELL32.dll
StringFromGUID2
CoTaskMemAlloc
CoGetMalloc
CoUninitialize
CoTaskMemFree
DoDragDrop
OleIsCurrentClipboard
OleFlushClipboard
OleGetClipboard
OleSetClipboard
CoCreateGuid
OleUninitialize
OleInitialize
RevokeDragDrop
CoCreateInstance
ReleaseStgMedium
RegisterDragDrop
CoLockObjectExternal
CoInitialize
ole32.dll
StrChrA
SHLWAPI.dll
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
MSVCRT.dll
_onexit
__dllonexit
_controlfp
ImmSetCompositionWindow
ImmSetCandidateWindow
ImmGetVirtualKey
ImmGetDefaultIMEWnd
ImmGetContext
ImmReleaseContext
ImmAssociateContext
ImmNotifyIME
ImmGetCompositionStringW
IMM32.dll
REGISTRY
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Microsoft Corporation
FileDescription
Print Filter Pipeline Host
FileVersion
6.1.7600.16385 (win7_rtm.090713-1255)
InternalName
PrintFilterPipelineSvc.exe
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
PrintFilterPipelineSvc.exe
ProductName
Operating System
ProductVersion
6.1.7600.16385
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


TvI0e.exe, PID: 2740, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\TvI0e.exe
Command Line: "C:\Users\user\AppData\Local\Temp\TvI0e.exe"
TvI0e.exe, PID: 2916, Parent PID: 2740
Full Path: C:\Users\user\AppData\Local\Temp\TvI0e.exe
Command Line: --7b06ce32
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
gluerel.exe, PID: 1856, Parent PID: 460
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: "C:\Windows\SysWOW64\gluerel.exe"
gluerel.exe, PID: 2100, Parent PID: 1856
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: --caeb0eba

Hosts

Direct  IP               Country Name
Y       8.8.8.8          United States
Y       64.87.26.16      United States
Y       31.179.135.186   Poland
Y       218.161.88.253   Taiwan
Y       200.32.61.210    Argentina
Y       189.143.52.49    Mexico
Y       181.15.177.100   Argentina
Y       109.104.79.48    United Kingdom

TCP

Source Source Port Destination Destination Port
192.168.35.21 49187 109.104.79.48 8080
192.168.35.21 49181 181.15.177.100 443
192.168.35.21 49182 189.143.52.49 443
192.168.35.21 49184 200.32.61.210 8080
192.168.35.21 49186 218.161.88.253 8080
192.168.35.21 49183 31.179.135.186 80
192.168.35.21 49185 64.87.26.16 443

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53

DNS

Name                              Response
www.download.windowsupdate.com
crt.usertrust.com

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name gluerel.exe
Associated Filenames
C:\Windows\SysWOW64\gluerel.exe
File Size 119872 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 87f5b7e7ce8f6ce58f1440ed3a653b76
SHA1 a7a138cc1644accc619c229f6b1671bdd79fb6cf
SHA256 af88f31b7896ee7ee757ffa2126ff0b12d5b1c04de72ea1eaf19076d06173170
CRC32 5E845A45
Ssdeep 3072:+AgKdPNlX/1SvgDJ6gwBq1DH1xEh6/X4yTg:+AgmNo6JvwA1DHDEhmH
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
-----END PUBLIC KEY-----
address
181.15.177.100:443
189.143.52.49:443
31.179.135.186:80
154.120.228.126:143
200.32.61.210:8080
64.87.26.16:443
218.161.88.253:8080
109.104.79.48:8080
185.94.252.27:443
216.98.148.136:4143
200.28.131.215:443
196.6.112.70:443
69.163.33.82:8080
190.147.116.32:21
186.139.160.193:8080
81.183.213.36:80
200.58.171.51:80
190.113.233.4:7080
181.29.101.13:80
163.18.23.242:80
103.201.150.209:80
181.16.127.226:443
200.59.189.217:80
185.129.93.140:80
45.73.124.235:8080
23.254.203.51:8080
190.85.206.228:80
85.132.96.242:80
187.178.9.19:20
111.67.12.221:8080
192.155.90.90:7080
201.217.67.3:80
190.180.52.146:20
91.205.215.57:7080
205.186.154.130:80
175.107.200.27:443
51.255.50.164:8080
187.242.204.142:80
181.39.134.122:80
181.110.239.26:80
62.75.143.100:7080
190.117.206.153:443
43.229.62.186:8080
190.123.35.82:50000
217.92.171.167:53
91.83.93.124:7080
181.30.126.66:80
82.226.163.9:80
103.213.212.42:443
89.134.144.41:8080
213.172.88.13:80
187.188.166.192:80
190.13.211.174:21
109.73.52.242:8080
217.199.175.216:8080
81.3.6.78:7080
66.209.69.165:443
79.143.182.254:8080
189.196.140.187:80
105.224.171.102:80
200.45.57.96:143
203.25.159.3:8080
201.251.229.37:80
185.86.148.222:8080
191.97.116.232:443
37.59.1.74:8080
181.143.101.18:8080
181.199.151.19:80
200.107.105.16:465
200.127.0.8:80
181.15.243.22:80
200.57.102.71:8443
219.94.254.93:8080
72.47.248.48:8080
Type Extracted Shellcode
Size 69632 bytes
Virtual Address 0x5c0000
Process TvI0e.exe
PID 2740
Path C:\Users\user\AppData\Local\Temp\TvI0e.exe
MD5 38aa5772938a4a5679f12447b4de6889
SHA1 d56b4eba7306b96dabe394f380fd839dcdfc2f40
SHA256 9d975bd96a097a85b1841202f8c416da47ffeda6c45b8deb3ad45128fd759ba4
CRC32 56ADEADA
Ssdeep 1536:nAk1W42lCe4OsrMHAB201zneR5z/ZvECviGyMuYt:9UCQsjB20heR5tRvNL
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Emotet Payload: 32-bit executable
Size 62976 bytes
Virtual Address 0x5e0000
Process TvI0e.exe
PID 2740
Path C:\Users\user\AppData\Local\Temp\TvI0e.exe
MD5 3b033c7eb80d53c418dfc5576a5adb54
SHA1 0e354a966392b0658f61354d8420bd0ccbd00f2b
SHA256 8cb9a5659fa9f606ffc2d9ac468804c898efbf8d328e0afb501480cdcda5bdf3
CRC32 C6FF60FA
Ssdeep 1536:ygV2M7cQ62aENvW0+wspUYUGgp9OSB942r:yEhbZ9yF89Oup
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Sorry! No process dumps.


Processing ( 4.222 seconds )

  • 3.031 CAPE
  • 0.419 BehaviorAnalysis
  • 0.215 Dropped
  • 0.215 TargetInfo
  • 0.16 Static
  • 0.122 TrID
  • 0.033 Deduplicate
  • 0.012 NetworkAnalysis
  • 0.009 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.197 seconds )

  • 0.02 antiav_detectreg
  • 0.016 stealth_timeout
  • 0.015 api_spamming
  • 0.015 decoy_document
  • 0.011 PlugX
  • 0.008 injection_createremotethread
  • 0.008 infostealer_ftp
  • 0.007 Doppelganging
  • 0.007 InjectionCreateRemoteThread
  • 0.006 InjectionProcessHollowing
  • 0.006 injection_runpe
  • 0.005 InjectionInterProcess
  • 0.005 infostealer_im
  • 0.004 antianalysis_detectreg
  • 0.004 antiav_detectfile
  • 0.004 ransomware_files
  • 0.003 mimics_filetime
  • 0.003 antivm_generic_disk
  • 0.003 persistence_autorun
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_mail
  • 0.003 ransomware_extensions
  • 0.002 bootkit
  • 0.002 stealth_file
  • 0.002 antivm_generic_scsi
  • 0.002 reads_self
  • 0.002 virus
  • 0.002 antivm_vbox_keys
  • 0.002 browser_security
  • 0.001 lsass_credential_dumping
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 recon_programs
  • 0.001 antivm_generic_services
  • 0.001 antiemu_wine_func
  • 0.001 process_interest
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 dynamic_function_loading
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 geodo_banking_trojan
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 recon_fingerprint

Reporting ( 0.016 seconds )

  • 0.016 CompressResults
Task ID 74090
Mongo ID 5cdcbdfcf284884e29f6c78c
Cuckoo release 1.3-CAPE