CAPE

Detections: Emotet


Analysis

Category:  FILE
Package:   Emotet
Started:   2019-05-16 03:09:41
Completed: 2019-05-16 03:11:42
Duration:  121 seconds
2019-05-16 04:09:42,000 [root] INFO: Date set to: 05-16-19, time set to: 03:09:42, timeout set to: 60
2019-05-16 04:09:42,015 [root] DEBUG: Starting analyzer from: C:\faehbyidmz
2019-05-16 04:09:42,015 [root] DEBUG: Storing results at: C:\naimEsnu
2019-05-16 04:09:42,015 [root] DEBUG: Pipe server name: \\.\PIPE\iPoqcxK
2019-05-16 04:09:42,015 [root] INFO: Analysis package "Emotet" has been specified.
2019-05-16 04:09:42,312 [root] DEBUG: Started auxiliary module Browser
2019-05-16 04:09:42,312 [root] DEBUG: Started auxiliary module Curtain
2019-05-16 04:09:42,312 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-05-16 04:10:07,194 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2019-05-16 04:10:07,194 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-05-16 04:10:07,194 [root] DEBUG: Started auxiliary module DigiSig
2019-05-16 04:10:07,194 [root] DEBUG: Started auxiliary module Disguise
2019-05-16 04:10:07,194 [root] DEBUG: Started auxiliary module Human
2019-05-16 04:10:07,194 [root] DEBUG: Started auxiliary module Screenshots
2019-05-16 04:10:07,209 [root] DEBUG: Started auxiliary module Sysmon
2019-05-16 04:10:07,209 [root] DEBUG: Started auxiliary module Usage
2019-05-16 04:10:07,209 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Emotet
2019-05-16 04:10:07,209 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL_64 option
2019-05-16 04:10:07,224 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\gx135q72E.exe" with arguments "" with pid 2796
2019-05-16 04:10:07,224 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 04:10:07,224 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 04:10:07,224 [lib.api.process] INFO: 32-bit DLL to inject is C:\faehbyidmz\dll\VnmufV.dll, loader C:\faehbyidmz\bin\ALLNdmm.exe
2019-05-16 04:10:07,224 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iPoqcxK.
2019-05-16 04:10:07,224 [root] DEBUG: Loader: Injecting process 2796 (thread 2792) with C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:07,224 [root] DEBUG: Process image base: 0x00400000
2019-05-16 04:10:07,224 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:07,224 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77110000
2019-05-16 04:10:07,224 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x00430000.
2019-05-16 04:10:07,224 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 04:10:07,224 [root] DEBUG: Successfully injected DLL C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:07,224 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2796
2019-05-16 04:10:09,236 [lib.api.process] INFO: Successfully resumed process with pid 2796
2019-05-16 04:10:09,236 [root] INFO: Added new process to list with pid: 2796
2019-05-16 04:10:09,236 [root] INFO: Enabled timeout enforce, running for the full timeout.
2019-05-16 04:10:09,267 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 04:10:09,267 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3b0000
2019-05-16 04:10:09,267 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 04:10:09,299 [root] INFO: Monitor successfully loaded in process with pid 2796.
2019-05-16 04:10:09,299 [root] INFO: Disabling sleep skipping.
2019-05-16 04:10:09,299 [root] INFO: Disabling sleep skipping.
2019-05-16 04:10:09,299 [root] INFO: Disabling sleep skipping.
2019-05-16 04:10:09,299 [root] INFO: Disabling sleep skipping.
2019-05-16 04:10:09,378 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x540000, RegionSize: 0x11000.
2019-05-16 04:10:09,378 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x540000, AllocationSize: 0x11000, ThreadId: 0xae8
2019-05-16 04:10:09,378 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x540000 and Type=0x1.
2019-05-16 04:10:09,378 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x540000, size 2 with Callback 0x747f3120, ThreadHandle = 0xac.
2019-05-16 04:10:09,378 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x540000
2019-05-16 04:10:09,392 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416e46
2019-05-16 04:10:09,392 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x540000.
2019-05-16 04:10:09,392 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x540000: 0x6e.
2019-05-16 04:10:09,392 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x540000 and Type=0x0.
2019-05-16 04:10:09,392 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:09,392 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x540000, AllocationBaseExecBpSet = 1 (EIP = 0x416e46)
2019-05-16 04:10:09,392 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:09,392 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416e46
2019-05-16 04:10:09,392 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x540000.
2019-05-16 04:10:09,392 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x540000: 0x6e.
2019-05-16 04:10:09,392 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:09,392 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416f78
2019-05-16 04:10:09,392 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x540000.
2019-05-16 04:10:09,408 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x540000: 0x6e.
2019-05-16 04:10:09,408 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:09,408 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ff6
2019-05-16 04:10:09,408 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x540000.
2019-05-16 04:10:09,408 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x540000: 0x6d.
2019-05-16 04:10:09,408 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:10,032 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x560000, RegionSize: 0x10000.
2019-05-16 04:10:10,032 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x540000.
2019-05-16 04:10:10,032 [root] DEBUG: DumpPEsInRange: Scanning range 0x540000 - 0x551000.
2019-05-16 04:10:10,032 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x540000-0x551000.
2019-05-16 04:10:10,048 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x540000.
2019-05-16 04:10:10,048 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\faehbyidmz\CAPE\2796_481030816452019
2019-05-16 04:10:10,063 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\2796_481030816452019
2019-05-16 04:10:10,063 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x540000 - 0x551000.
2019-05-16 04:10:10,063 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x540000.
2019-05-16 04:10:10,063 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x540000.
2019-05-16 04:10:10,063 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x560000, AllocationSize: 0x10000, ThreadId: 0xae8
2019-05-16 04:10:10,063 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x560000 and Type=0x1.
2019-05-16 04:10:10,063 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x560000, size 2 with Callback 0x747f3120, ThreadHandle = 0xac.
2019-05-16 04:10:10,063 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x560000
2019-05-16 04:10:10,063 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x560000.
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x560000: 0xa4.
2019-05-16 04:10:10,063 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x560000 and Type=0x0.
2019-05-16 04:10:10,063 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x560000, AllocationBaseExecBpSet = 1 (EIP = 0x54fbfc)
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:10,063 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x560000.
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x560000: 0xa4.
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:10,063 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5502d1
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x560000.
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x560000: 0xa4.
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:10,063 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5502ea
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x560000.
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:10,063 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x56003c and Type=0x1.
2019-05-16 04:10:10,063 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x56003c (EIP = 0x5502ea)
2019-05-16 04:10:10,063 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:10,063 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5502d1
2019-05-16 04:10:10,063 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:10,063 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x56003c.
2019-05-16 04:10:10,063 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 04:10:10,079 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5502ea
2019-05-16 04:10:10,079 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:10,079 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x56003c.
2019-05-16 04:10:10,079 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5600b8 and Type=0x1.
2019-05-16 04:10:10,079 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,079 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x5600b8 (EIP = 0x5502ea)
2019-05-16 04:10:10,079 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:10,079 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5502d1
2019-05-16 04:10:10,079 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5600b8.
2019-05-16 04:10:10,079 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 04:10:10,079 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:10,079 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5502ea
2019-05-16 04:10:10,079 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5600b8.
2019-05-16 04:10:10,079 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x56cc89 and Type=0x0.
2019-05-16 04:10:10,079 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,079 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x56cc89 (EIP = 0x5502ea).
2019-05-16 04:10:10,079 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:10,079 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x1de0000, RegionSize: 0x14000.
2019-05-16 04:10:10,079 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x560000.
2019-05-16 04:10:10,079 [root] DEBUG: DumpPEsInRange: Scanning range 0x560000 - 0x570000.
2019-05-16 04:10:10,079 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x560000
2019-05-16 04:10:10,079 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 04:10:10,079 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x560000
2019-05-16 04:10:10,095 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\2796_801030816452019
2019-05-16 04:10:10,095 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 04:10:10,095 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x560000.
2019-05-16 04:10:10,095 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x560001-0x570000.
2019-05-16 04:10:10,095 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 04:10:10,095 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x560000 - 0x570000.
2019-05-16 04:10:10,095 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x56cc89.
2019-05-16 04:10:10,095 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x560000.
2019-05-16 04:10:10,095 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1de0000, AllocationSize: 0x14000, ThreadId: 0xae8
2019-05-16 04:10:10,095 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1de0000 and Type=0x1.
2019-05-16 04:10:10,095 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1de0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xac.
2019-05-16 04:10:10,095 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1de0000
2019-05-16 04:10:10,095 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,095 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1de0000.
2019-05-16 04:10:10,095 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 04:10:10,095 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:10,095 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,095 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1de0000.
2019-05-16 04:10:10,095 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:10,095 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1de003c and Type=0x1.
2019-05-16 04:10:10,095 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,095 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x1de003c (EIP = 0x54fbfc)
2019-05-16 04:10:10,095 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:10,095 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,095 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:10,095 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x1de003c.
2019-05-16 04:10:10,095 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1de00b8 and Type=0x1.
2019-05-16 04:10:10,095 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,095 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x1de00b8 (EIP = 0x54fbfc)
2019-05-16 04:10:10,095 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:10,095 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,111 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1de00b8.
2019-05-16 04:10:10,111 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 04:10:10,111 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:10,111 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,111 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1de00b8.
2019-05-16 04:10:10,111 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1de00e0 and Type=0x1.
2019-05-16 04:10:10,111 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,111 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x54fbfc).
2019-05-16 04:10:10,111 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:10,111 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,111 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1de00e0.
2019-05-16 04:10:10,111 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1de00a0 and Type=0x0.
2019-05-16 04:10:10,111 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,111 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x1de00a0 (EIP = 0x54fbfc).
2019-05-16 04:10:10,111 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:10,111 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,111 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1de00e0.
2019-05-16 04:10:10,111 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1dec9a0 and Type=0x0.
2019-05-16 04:10:10,111 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,111 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1dec9a0 (EIP = 0x54fbfc).
2019-05-16 04:10:10,111 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:10,111 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,111 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1de00e0.
2019-05-16 04:10:10,111 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1dec9a0 and Type=0x0.
2019-05-16 04:10:10,111 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,111 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1dec9a0 (EIP = 0x54fbfc).
2019-05-16 04:10:10,111 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:10,111 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,111 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1de00e0.
2019-05-16 04:10:10,111 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1dec9a0 and Type=0x0.
2019-05-16 04:10:10,125 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,125 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1dec9a0 (EIP = 0x54fbfc).
2019-05-16 04:10:10,125 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:10,125 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 04:10:10,125 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x1de0000.
2019-05-16 04:10:10,125 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 04:10:10,125 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,125 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,125 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,125 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 04:10:10,125 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 04:10:10,125 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\faehbyidmz\CAPE\2796_1261030816452019
2019-05-16 04:10:10,125 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,125 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,125 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,125 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 04:10:10,125 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x1de0000 is empty or inaccessible.
2019-05-16 04:10:10,125 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1de0000 - 0x1df4000.
2019-05-16 04:10:10,125 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1de00e0.
2019-05-16 04:10:10,125 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x1dec9a0.
2019-05-16 04:10:10,125 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,125 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,125 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,125 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 04:10:10,125 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 04:10:10,125 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0xae8
2019-05-16 04:10:10,125 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 04:10:10,125 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x747f3120, ThreadHandle = 0xac.
2019-05-16 04:10:10,125 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 04:10:10,125 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 04:10:10,125 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 04:10:10,125 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 04:10:10,141 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 04:10:10,141 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,141 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,141 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,141 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,141 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 04:10:10,141 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 04:10:10,141 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 04:10:10,141 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,141 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,141 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,141 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:10,141 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 04:10:10,141 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 04:10:10,141 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 04:10:10,141 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 04:10:10,141 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 04:10:10,141 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0xae8
2019-05-16 04:10:10,141 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 04:10:10,141 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 04:10:10,141 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 04:10:10,141 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,141 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 04:10:10,141 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 04:10:10,141 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:10,141 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,141 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 04:10:10,141 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:10,141 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 04:10:10,141 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,141 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x54fbfc)
2019-05-16 04:10:10,141 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:10,141 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,141 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:10,141 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 04:10:10,141 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 04:10:10,157 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,157 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x54fbfc)
2019-05-16 04:10:10,157 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:10,157 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,157 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 04:10:10,157 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 04:10:10,157 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:10,157 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,157 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 04:10:10,157 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 04:10:10,157 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,157 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x54fbfc).
2019-05-16 04:10:10,157 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:10,157 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,157 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:10,157 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 04:10:10,157 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,157 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x54fbfc).
2019-05-16 04:10:10,157 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:10,157 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,157 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:10,157 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:10,157 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,157 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x54fbfc).
2019-05-16 04:10:10,157 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:10,157 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,157 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:10,157 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:10,157 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,157 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x54fbfc).
2019-05-16 04:10:10,173 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:10,173 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x54fbfc
2019-05-16 04:10:10,173 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:10,173 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:10,173 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,173 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x54fbfc).
2019-05-16 04:10:10,173 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:10,173 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 04:10:10,173 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 04:10:10,173 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 04:10:10,173 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 04:10:10,173 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 04:10:10,173 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 04:10:10,188 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 04:10:10,188 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\2796_1891030816452019
2019-05-16 04:10:10,188 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 04:10:10,188 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 04:10:10,188 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 04:10:10,188 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 04:10:10,220 [root] INFO: Announced 32-bit process name: gx135q72E.exe pid: 1364
2019-05-16 04:10:10,220 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 04:10:10,220 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 04:10:10,220 [lib.api.process] INFO: 32-bit DLL to inject is C:\faehbyidmz\dll\VnmufV.dll, loader C:\faehbyidmz\bin\ALLNdmm.exe
2019-05-16 04:10:10,220 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iPoqcxK.
2019-05-16 04:10:10,220 [root] DEBUG: Loader: Injecting process 1364 (thread 1432) with C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:10,220 [root] DEBUG: Process image base: 0x00400000
2019-05-16 04:10:10,220 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:10,220 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77110000
2019-05-16 04:10:10,220 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x00430000.
2019-05-16 04:10:10,220 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 04:10:10,220 [root] DEBUG: Successfully injected DLL C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:10,220 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1364
2019-05-16 04:10:10,220 [root] INFO: Notified of termination of process with pid 2796.
2019-05-16 04:10:10,250 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 04:10:10,250 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1c0000
2019-05-16 04:10:10,266 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 04:10:10,266 [root] INFO: Disabling sleep skipping.
2019-05-16 04:10:10,282 [root] INFO: Added new process to list with pid: 1364
2019-05-16 04:10:10,282 [root] INFO: Monitor successfully loaded in process with pid 1364.
2019-05-16 04:10:10,345 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2d0000, RegionSize: 0x11000.
2019-05-16 04:10:10,345 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2d0000, AllocationSize: 0x11000, ThreadId: 0x598
2019-05-16 04:10:10,345 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x2d0000 and Type=0x1.
2019-05-16 04:10:10,375 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2d0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:10,391 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2d0000
2019-05-16 04:10:10,407 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416e46
2019-05-16 04:10:10,407 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2d0000.
2019-05-16 04:10:10,423 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2d0000: 0x6e.
2019-05-16 04:10:10,437 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2d0000 and Type=0x0.
2019-05-16 04:10:10,453 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:10,453 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x2d0000, AllocationBaseExecBpSet = 1 (EIP = 0x416e46)
2019-05-16 04:10:10,470 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:10,470 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416e46
2019-05-16 04:10:10,500 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2d0000.
2019-05-16 04:10:10,500 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2d0000: 0x6e.
2019-05-16 04:10:10,500 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:10,516 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416f78
2019-05-16 04:10:10,532 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2d0000.
2019-05-16 04:10:10,532 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2d0000: 0x6e.
2019-05-16 04:10:10,532 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:10,532 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ff6
2019-05-16 04:10:10,532 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2d0000.
2019-05-16 04:10:10,562 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2d0000: 0x6d.
2019-05-16 04:10:10,562 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:11,187 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3f0000, RegionSize: 0x10000.
2019-05-16 04:10:11,203 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x2d0000.
2019-05-16 04:10:11,203 [root] DEBUG: DumpPEsInRange: Scanning range 0x2d0000 - 0x2e1000.
2019-05-16 04:10:11,217 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2d0000-0x2e1000.
2019-05-16 04:10:11,217 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x2d0000.
2019-05-16 04:10:11,265 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\faehbyidmz\CAPE\1364_2181130816452019
2019-05-16 04:10:11,265 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\1364_2181130816452019
2019-05-16 04:10:11,265 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2d0000 - 0x2e1000.
2019-05-16 04:10:11,265 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x2d0000.
2019-05-16 04:10:11,280 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x2d0000.
2019-05-16 04:10:11,280 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3f0000, AllocationSize: 0x10000, ThreadId: 0x598
2019-05-16 04:10:11,280 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3f0000 and Type=0x1.
2019-05-16 04:10:11,280 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3f0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:11,296 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3f0000
2019-05-16 04:10:11,296 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,312 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 04:10:11,312 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 04:10:11,312 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3f0000 and Type=0x0.
2019-05-16 04:10:11,312 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,312 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3f0000, AllocationBaseExecBpSet = 1 (EIP = 0x2dfbfc)
2019-05-16 04:10:11,312 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:11,328 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,342 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 04:10:11,342 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 04:10:11,342 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:11,342 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2e02d1
2019-05-16 04:10:11,342 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 04:10:11,342 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 04:10:11,342 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:11,358 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2e02ea
2019-05-16 04:10:11,358 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 04:10:11,374 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:11,374 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3f003c and Type=0x1.
2019-05-16 04:10:11,374 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,390 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x3f003c (EIP = 0x2e02ea)
2019-05-16 04:10:11,421 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:11,451 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2e02d1
2019-05-16 04:10:11,467 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:11,467 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3f003c.
2019-05-16 04:10:11,467 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 04:10:11,483 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2e02ea
2019-05-16 04:10:11,499 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:11,499 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3f003c.
2019-05-16 04:10:11,515 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3f00b8 and Type=0x1.
2019-05-16 04:10:11,515 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,546 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3f00b8 (EIP = 0x2e02ea)
2019-05-16 04:10:11,546 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:11,546 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2e02d1
2019-05-16 04:10:11,546 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3f00b8.
2019-05-16 04:10:11,546 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 04:10:11,546 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:11,546 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2e02ea
2019-05-16 04:10:11,546 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3f00b8.
2019-05-16 04:10:11,546 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x3fcc89 and Type=0x0.
2019-05-16 04:10:11,546 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,562 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x3fcc89 (EIP = 0x2e02ea).
2019-05-16 04:10:11,562 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:11,576 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x5b0000, RegionSize: 0x14000.
2019-05-16 04:10:11,592 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3f0000.
2019-05-16 04:10:11,624 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x400000.
2019-05-16 04:10:11,624 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3f0000
2019-05-16 04:10:11,624 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 04:10:11,624 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x3f0000
2019-05-16 04:10:11,624 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\1364_6241130816452019
2019-05-16 04:10:11,624 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 04:10:11,624 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3f0000.
2019-05-16 04:10:11,640 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0001-0x400000.
2019-05-16 04:10:11,640 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 04:10:11,640 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3f0000 - 0x400000.
2019-05-16 04:10:11,654 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3fcc89.
2019-05-16 04:10:11,654 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3f0000.
2019-05-16 04:10:11,654 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x5b0000, AllocationSize: 0x14000, ThreadId: 0x598
2019-05-16 04:10:11,654 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x5b0000 and Type=0x1.
2019-05-16 04:10:11,654 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x5b0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:11,671 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x5b0000
2019-05-16 04:10:11,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,671 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5b0000.
2019-05-16 04:10:11,686 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 04:10:11,686 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:11,701 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,717 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5b0000.
2019-05-16 04:10:11,749 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:11,749 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5b003c and Type=0x1.
2019-05-16 04:10:11,763 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,779 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x5b003c (EIP = 0x2dfbfc)
2019-05-16 04:10:11,796 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:11,796 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,796 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:11,796 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x5b003c.
2019-05-16 04:10:11,796 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5b00b8 and Type=0x1.
2019-05-16 04:10:11,796 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,796 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x5b00b8 (EIP = 0x2dfbfc)
2019-05-16 04:10:11,796 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:11,796 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,796 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5b00b8.
2019-05-16 04:10:11,811 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 04:10:11,811 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:11,826 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,826 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5b00b8.
2019-05-16 04:10:11,826 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5b00e0 and Type=0x1.
2019-05-16 04:10:11,826 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,842 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x2dfbfc).
2019-05-16 04:10:11,842 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:11,858 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,858 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5b00e0.
2019-05-16 04:10:11,858 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5b00a0 and Type=0x0.
2019-05-16 04:10:11,858 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,874 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x5b00a0 (EIP = 0x2dfbfc).
2019-05-16 04:10:11,874 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:11,888 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,888 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5b00e0.
2019-05-16 04:10:11,904 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5bc9a0 and Type=0x0.
2019-05-16 04:10:11,904 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,904 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x5bc9a0 (EIP = 0x2dfbfc).
2019-05-16 04:10:11,904 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:11,904 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,904 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5b00e0.
2019-05-16 04:10:11,904 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5bc9a0 and Type=0x0.
2019-05-16 04:10:11,904 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,904 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x5bc9a0 (EIP = 0x2dfbfc).
2019-05-16 04:10:11,904 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:11,904 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:11,904 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5b00e0.
2019-05-16 04:10:11,904 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5bc9a0 and Type=0x0.
2019-05-16 04:10:11,904 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:11,920 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x5bc9a0 (EIP = 0x2dfbfc).
2019-05-16 04:10:11,936 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:11,951 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 04:10:11,951 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x5b0000.
2019-05-16 04:10:11,983 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 04:10:11,983 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:11,983 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,013 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,013 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 04:10:12,013 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 04:10:12,013 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\faehbyidmz\CAPE\1364_141230816452019
2019-05-16 04:10:12,013 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,013 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,013 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,013 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 04:10:12,013 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x5b0000 is empty or inaccessible.
2019-05-16 04:10:12,013 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5b0000 - 0x5c4000.
2019-05-16 04:10:12,013 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5b00e0.
2019-05-16 04:10:12,013 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x5bc9a0.
2019-05-16 04:10:12,029 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,045 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,045 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,045 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 04:10:12,045 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 04:10:12,061 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0x598
2019-05-16 04:10:12,061 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 04:10:12,075 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:12,075 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 04:10:12,092 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 04:10:12,092 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 04:10:12,092 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 04:10:12,092 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 04:10:12,092 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,108 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,108 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,108 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,122 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 04:10:12,122 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 04:10:12,138 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 04:10:12,138 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,154 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,154 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,154 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:12,154 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 04:10:12,154 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 04:10:12,154 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 04:10:12,154 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 04:10:12,154 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 04:10:12,186 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0x598
2019-05-16 04:10:12,200 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 04:10:12,217 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 04:10:12,217 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 04:10:12,217 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:12,217 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 04:10:12,247 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 04:10:12,247 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:12,247 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:12,247 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 04:10:12,247 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:12,247 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 04:10:12,247 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:12,247 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x2dfbfc)
2019-05-16 04:10:12,247 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:12,247 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:12,263 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:12,263 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 04:10:12,279 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 04:10:12,279 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:12,295 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x2dfbfc)
2019-05-16 04:10:12,295 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:12,295 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:12,295 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 04:10:12,309 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 04:10:12,309 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:12,309 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:12,309 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 04:10:12,309 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 04:10:12,309 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:12,325 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x2dfbfc).
2019-05-16 04:10:12,325 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:12,325 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:12,325 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:12,325 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 04:10:12,325 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:12,342 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x2dfbfc).
2019-05-16 04:10:12,357 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:12,372 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:12,372 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:12,372 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:12,372 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:12,404 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x2dfbfc).
2019-05-16 04:10:12,404 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:12,404 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:12,404 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:12,420 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:12,420 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:12,420 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x2dfbfc).
2019-05-16 04:10:12,420 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:12,434 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2dfbfc
2019-05-16 04:10:12,450 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:12,466 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:12,466 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:12,482 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x2dfbfc).
2019-05-16 04:10:12,482 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:12,513 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 04:10:12,513 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 04:10:12,513 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 04:10:12,513 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 04:10:12,529 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 04:10:12,529 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 04:10:12,529 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 04:10:12,529 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\1364_5291230816452019
2019-05-16 04:10:12,543 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 04:10:12,543 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 04:10:12,559 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 04:10:12,559 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 04:10:20,516 [root] INFO: Announced starting service "gluerel"
2019-05-16 04:10:20,516 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-05-16 04:10:20,546 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-16 04:10:20,562 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 04:10:20,562 [lib.api.process] INFO: 64-bit DLL to inject is C:\faehbyidmz\dll\jCymrc.dll, loader C:\faehbyidmz\bin\AUEpQxhN.exe
2019-05-16 04:10:20,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iPoqcxK.
2019-05-16 04:10:20,578 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\faehbyidmz\dll\jCymrc.dll.
2019-05-16 04:10:20,578 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2256, handle 0x84
2019-05-16 04:10:20,578 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-05-16 04:10:20,594 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-16 04:10:20,609 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-16 04:10:20,625 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 04:10:20,641 [root] INFO: Disabling sleep skipping.
2019-05-16 04:10:20,687 [root] WARNING: Unable to place hook on LockResource
2019-05-16 04:10:20,703 [root] WARNING: Unable to hook LockResource
2019-05-16 04:10:20,733 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x0000000074110000, image base 0x00000000FFA10000, stack from 0x0000000002FF6000-0x0000000003000000
2019-05-16 04:10:20,750 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-05-16 04:10:20,750 [root] INFO: Added new process to list with pid: 460
2019-05-16 04:10:20,750 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-05-16 04:10:20,796 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-16 04:10:20,796 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-16 04:10:20,812 [root] DEBUG: Successfully injected DLL C:\faehbyidmz\dll\jCymrc.dll.
2019-05-16 04:10:21,872 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 2856
2019-05-16 04:10:21,872 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 04:10:21,872 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 04:10:21,872 [lib.api.process] INFO: 32-bit DLL to inject is C:\faehbyidmz\dll\VnmufV.dll, loader C:\faehbyidmz\bin\ALLNdmm.exe
2019-05-16 04:10:21,920 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iPoqcxK.
2019-05-16 04:10:21,920 [root] DEBUG: Loader: Injecting process 2856 (thread 2860) with C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:21,936 [root] DEBUG: Process image base: 0x00400000
2019-05-16 04:10:21,936 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:21,950 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77110000
2019-05-16 04:10:21,950 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x00430000.
2019-05-16 04:10:21,950 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 04:10:21,950 [root] DEBUG: Successfully injected DLL C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:21,950 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2856
2019-05-16 04:10:21,982 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 04:10:21,982 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x240000
2019-05-16 04:10:21,997 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 04:10:21,997 [root] INFO: Disabling sleep skipping.
2019-05-16 04:10:22,029 [root] INFO: Added new process to list with pid: 2856
2019-05-16 04:10:22,029 [root] INFO: Monitor successfully loaded in process with pid 2856.
2019-05-16 04:10:22,122 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x8f0000, RegionSize: 0x11000.
2019-05-16 04:10:22,154 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x8f0000, AllocationSize: 0x11000, ThreadId: 0xb2c
2019-05-16 04:10:22,154 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x8f0000 and Type=0x1.
2019-05-16 04:10:22,170 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x8f0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:22,170 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x8f0000
2019-05-16 04:10:22,184 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416e46
2019-05-16 04:10:22,184 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x8f0000.
2019-05-16 04:10:22,200 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x8f0000: 0x6e.
2019-05-16 04:10:22,200 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x8f0000 and Type=0x0.
2019-05-16 04:10:22,216 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:22,216 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x8f0000, AllocationBaseExecBpSet = 1 (EIP = 0x416e46)
2019-05-16 04:10:22,247 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:22,247 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416e46
2019-05-16 04:10:22,263 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x8f0000.
2019-05-16 04:10:22,263 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x8f0000: 0x6e.
2019-05-16 04:10:22,293 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:22,309 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416f78
2019-05-16 04:10:22,341 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x8f0000.
2019-05-16 04:10:22,357 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x8f0000: 0x6e.
2019-05-16 04:10:22,357 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:22,357 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ff6
2019-05-16 04:10:22,371 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x8f0000.
2019-05-16 04:10:22,371 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x8f0000: 0x6d.
2019-05-16 04:10:22,371 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:22,996 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x910000, RegionSize: 0x10000.
2019-05-16 04:10:22,996 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x8f0000.
2019-05-16 04:10:23,012 [root] DEBUG: DumpPEsInRange: Scanning range 0x8f0000 - 0x901000.
2019-05-16 04:10:23,042 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x8f0000-0x901000.
2019-05-16 04:10:23,042 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x8f0000.
2019-05-16 04:10:23,059 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\faehbyidmz\CAPE\2856_432330816452019
2019-05-16 04:10:23,059 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\2856_432330816452019
2019-05-16 04:10:23,073 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x8f0000 - 0x901000.
2019-05-16 04:10:23,073 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x8f0000.
2019-05-16 04:10:23,073 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x8f0000.
2019-05-16 04:10:23,073 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x910000, AllocationSize: 0x10000, ThreadId: 0xb2c
2019-05-16 04:10:23,089 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x910000 and Type=0x1.
2019-05-16 04:10:23,105 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x910000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:23,121 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x910000
2019-05-16 04:10:23,121 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:23,137 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x910000.
2019-05-16 04:10:23,137 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x910000: 0xa4.
2019-05-16 04:10:23,137 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x910000 and Type=0x0.
2019-05-16 04:10:23,167 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:23,184 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x910000, AllocationBaseExecBpSet = 1 (EIP = 0x8ffbfc)
2019-05-16 04:10:23,184 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:23,214 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:23,214 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x910000.
2019-05-16 04:10:23,246 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x910000: 0xa4.
2019-05-16 04:10:23,246 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:23,246 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9002d1
2019-05-16 04:10:23,246 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x910000.
2019-05-16 04:10:23,246 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x910000: 0xa4.
2019-05-16 04:10:23,246 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:23,262 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9002ea
2019-05-16 04:10:23,262 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x910000.
2019-05-16 04:10:23,262 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:23,262 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x91003c and Type=0x1.
2019-05-16 04:10:23,262 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:23,262 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x91003c (EIP = 0x9002ea)
2019-05-16 04:10:23,276 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:23,308 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9002d1
2019-05-16 04:10:23,323 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:23,323 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x91003c.
2019-05-16 04:10:23,339 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 04:10:23,355 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9002ea
2019-05-16 04:10:23,371 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:23,371 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x91003c.
2019-05-16 04:10:23,371 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x9100b8 and Type=0x1.
2019-05-16 04:10:23,371 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:23,401 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x9100b8 (EIP = 0x9002ea)
2019-05-16 04:10:23,417 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:23,433 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9002d1
2019-05-16 04:10:23,433 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x9100b8.
2019-05-16 04:10:23,433 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 04:10:23,433 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:23,433 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9002ea
2019-05-16 04:10:23,433 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x9100b8.
2019-05-16 04:10:23,433 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x91cc89 and Type=0x0.
2019-05-16 04:10:23,448 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:23,448 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x91cc89 (EIP = 0x9002ea).
2019-05-16 04:10:23,448 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:23,448 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2140000, RegionSize: 0x14000.
2019-05-16 04:10:23,448 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x910000.
2019-05-16 04:10:23,448 [root] DEBUG: DumpPEsInRange: Scanning range 0x910000 - 0x920000.
2019-05-16 04:10:23,448 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x910000
2019-05-16 04:10:23,448 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 04:10:23,448 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x910000
2019-05-16 04:10:23,448 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\2856_4492330816452019
2019-05-16 04:10:23,448 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 04:10:23,463 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x910000.
2019-05-16 04:10:23,463 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x910001-0x920000.
2019-05-16 04:10:23,463 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 04:10:23,463 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x910000 - 0x920000.
2019-05-16 04:10:23,463 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x91cc89.
2019-05-16 04:10:23,480 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x910000.
2019-05-16 04:10:23,496 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2140000, AllocationSize: 0x14000, ThreadId: 0xb2c
2019-05-16 04:10:23,542 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x2140000 and Type=0x1.
2019-05-16 04:10:23,558 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2140000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:23,558 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2140000
2019-05-16 04:10:23,588 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:23,605 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2140000.
2019-05-16 04:10:23,619 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 04:10:23,619 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:23,619 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:23,619 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2140000.
2019-05-16 04:10:23,619 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:23,619 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x214003c and Type=0x1.
2019-05-16 04:10:23,651 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:23,651 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x214003c (EIP = 0x8ffbfc)
2019-05-16 04:10:23,651 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:23,651 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:23,667 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:23,667 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x214003c.
2019-05-16 04:10:23,683 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x21400b8 and Type=0x1.
2019-05-16 04:10:23,683 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:23,697 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x21400b8 (EIP = 0x8ffbfc)
2019-05-16 04:10:23,697 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:23,713 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:23,713 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x21400b8.
2019-05-16 04:10:23,730 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 04:10:23,730 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:23,744 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:23,744 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x21400b8.
2019-05-16 04:10:23,776 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x21400e0 and Type=0x1.
2019-05-16 04:10:23,792 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:23,808 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x8ffbfc).
2019-05-16 04:10:23,822 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:23,822 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:23,822 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21400e0.
2019-05-16 04:10:23,838 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x21400a0 and Type=0x0.
2019-05-16 04:10:23,869 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:23,869 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x21400a0 (EIP = 0x8ffbfc).
2019-05-16 04:10:23,869 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:23,869 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:23,869 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21400e0.
2019-05-16 04:10:23,917 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x214c9a0 and Type=0x0.
2019-05-16 04:10:23,931 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:23,963 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x214c9a0 (EIP = 0x8ffbfc).
2019-05-16 04:10:23,994 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:24,042 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:24,042 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21400e0.
2019-05-16 04:10:24,056 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x214c9a0 and Type=0x0.
2019-05-16 04:10:24,088 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:24,119 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x214c9a0 (EIP = 0x8ffbfc).
2019-05-16 04:10:24,119 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:24,151 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:24,151 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21400e0.
2019-05-16 04:10:24,151 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x214c9a0 and Type=0x0.
2019-05-16 04:10:24,165 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:24,165 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x214c9a0 (EIP = 0x8ffbfc).
2019-05-16 04:10:24,165 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:24,181 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 04:10:24,181 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x2140000.
2019-05-16 04:10:24,213 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 04:10:24,213 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,243 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,243 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,259 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 04:10:24,276 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 04:10:24,290 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\faehbyidmz\CAPE\2856_2762430816452019
2019-05-16 04:10:24,290 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,306 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,306 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,322 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 04:10:24,338 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x2140000 is empty or inaccessible.
2019-05-16 04:10:24,338 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2140000 - 0x2154000.
2019-05-16 04:10:24,338 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x21400e0.
2019-05-16 04:10:24,338 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x214c9a0.
2019-05-16 04:10:24,338 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,338 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,338 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,338 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 04:10:24,338 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 04:10:24,354 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0xb2c
2019-05-16 04:10:24,354 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 04:10:24,354 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:24,354 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 04:10:24,354 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 04:10:24,354 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 04:10:24,368 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 04:10:24,368 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 04:10:24,384 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,384 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,431 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,431 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,477 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 04:10:24,477 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 04:10:24,493 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 04:10:24,525 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,525 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,555 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,572 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:24,572 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 04:10:24,602 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 04:10:24,618 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 04:10:24,618 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 04:10:24,618 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 04:10:24,665 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0xb2c
2019-05-16 04:10:24,665 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 04:10:24,680 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 04:10:24,680 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 04:10:24,711 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:24,711 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 04:10:24,727 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 04:10:24,727 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:24,743 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:24,759 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 04:10:24,759 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:24,759 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 04:10:24,775 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:24,775 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x8ffbfc)
2019-05-16 04:10:24,789 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:24,789 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:24,789 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:24,789 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 04:10:24,805 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 04:10:24,805 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:24,822 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x8ffbfc)
2019-05-16 04:10:24,836 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:24,868 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:24,868 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 04:10:24,914 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 04:10:24,914 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:24,930 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:24,930 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 04:10:24,946 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 04:10:24,961 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:24,993 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x8ffbfc).
2019-05-16 04:10:24,993 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:25,039 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:25,039 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:25,039 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 04:10:25,039 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:25,055 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x8ffbfc).
2019-05-16 04:10:25,055 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:25,071 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:25,086 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:25,086 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:25,118 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:25,134 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x8ffbfc).
2019-05-16 04:10:25,134 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:25,148 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:25,148 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:25,148 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:25,148 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:25,180 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x8ffbfc).
2019-05-16 04:10:25,180 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:25,180 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8ffbfc
2019-05-16 04:10:25,180 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:25,180 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:25,180 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:25,196 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x8ffbfc).
2019-05-16 04:10:25,196 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:25,226 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 04:10:25,226 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 04:10:25,226 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 04:10:25,226 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 04:10:25,226 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 04:10:25,226 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 04:10:25,243 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 04:10:25,243 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\2856_2432530816452019
2019-05-16 04:10:25,257 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 04:10:25,273 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 04:10:25,273 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 04:10:25,273 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 04:10:25,305 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 1860
2019-05-16 04:10:25,305 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 04:10:25,321 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 04:10:25,321 [lib.api.process] INFO: 32-bit DLL to inject is C:\faehbyidmz\dll\VnmufV.dll, loader C:\faehbyidmz\bin\ALLNdmm.exe
2019-05-16 04:10:25,335 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iPoqcxK.
2019-05-16 04:10:25,351 [root] DEBUG: Loader: Injecting process 1860 (thread 2200) with C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:25,351 [root] DEBUG: Process image base: 0x00400000
2019-05-16 04:10:25,368 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:25,368 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77110000
2019-05-16 04:10:25,382 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x00430000.
2019-05-16 04:10:25,382 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 04:10:25,382 [root] DEBUG: Successfully injected DLL C:\faehbyidmz\dll\VnmufV.dll.
2019-05-16 04:10:25,382 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1860
2019-05-16 04:10:25,382 [root] INFO: Notified of termination of process with pid 2856.
2019-05-16 04:10:25,382 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 04:10:25,382 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x230000
2019-05-16 04:10:25,382 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 04:10:25,398 [root] INFO: Disabling sleep skipping.
2019-05-16 04:10:25,398 [root] WARNING: Unable to open termination event for pid 2856.
2019-05-16 04:10:25,398 [root] INFO: Notified of termination of process with pid 1364.
2019-05-16 04:10:25,398 [root] INFO: Added new process to list with pid: 1860
2019-05-16 04:10:25,398 [root] INFO: Monitor successfully loaded in process with pid 1860.
2019-05-16 04:10:25,476 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3d0000, RegionSize: 0x11000.
2019-05-16 04:10:25,476 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3d0000, AllocationSize: 0x11000, ThreadId: 0x898
2019-05-16 04:10:25,476 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3d0000 and Type=0x1.
2019-05-16 04:10:25,476 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3d0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:25,476 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3d0000
2019-05-16 04:10:25,476 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416e46
2019-05-16 04:10:25,492 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3d0000.
2019-05-16 04:10:25,492 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3d0000: 0x6e.
2019-05-16 04:10:25,492 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3d0000 and Type=0x0.
2019-05-16 04:10:25,492 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:25,492 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3d0000, AllocationBaseExecBpSet = 1 (EIP = 0x416e46)
2019-05-16 04:10:25,492 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:25,492 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416e46
2019-05-16 04:10:25,492 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3d0000.
2019-05-16 04:10:25,492 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3d0000: 0x6e.
2019-05-16 04:10:25,492 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:25,507 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416f78
2019-05-16 04:10:25,507 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3d0000.
2019-05-16 04:10:25,507 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3d0000: 0x6e.
2019-05-16 04:10:25,507 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:25,507 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ff6
2019-05-16 04:10:25,507 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3d0000.
2019-05-16 04:10:25,507 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3d0000: 0x6d.
2019-05-16 04:10:25,507 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:26,631 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3f0000, RegionSize: 0x10000.
2019-05-16 04:10:26,631 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3d0000.
2019-05-16 04:10:26,647 [root] DEBUG: DumpPEsInRange: Scanning range 0x3d0000 - 0x3e1000.
2019-05-16 04:10:26,647 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3d0000-0x3e1000.
2019-05-16 04:10:26,647 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x3d0000.
2019-05-16 04:10:26,647 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\faehbyidmz\CAPE\1860_6472630816452019
2019-05-16 04:10:26,647 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\1860_6472630816452019
2019-05-16 04:10:26,661 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3d0000 - 0x3e1000.
2019-05-16 04:10:26,661 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3d0000.
2019-05-16 04:10:26,661 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3d0000.
2019-05-16 04:10:26,661 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3f0000, AllocationSize: 0x10000, ThreadId: 0x898
2019-05-16 04:10:26,661 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3f0000 and Type=0x1.
2019-05-16 04:10:26,661 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3f0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:26,661 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3f0000
2019-05-16 04:10:26,661 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,661 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 04:10:26,661 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 04:10:26,677 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3f0000 and Type=0x0.
2019-05-16 04:10:26,677 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,677 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3f0000, AllocationBaseExecBpSet = 1 (EIP = 0x3dfbfc)
2019-05-16 04:10:26,677 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:26,677 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,677 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 04:10:26,677 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 04:10:26,677 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:26,677 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3e02d1
2019-05-16 04:10:26,694 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 04:10:26,694 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 04:10:26,694 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 04:10:26,694 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3e02ea
2019-05-16 04:10:26,694 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 04:10:26,694 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:26,694 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3f003c and Type=0x1.
2019-05-16 04:10:26,694 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,694 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x3f003c (EIP = 0x3e02ea)
2019-05-16 04:10:26,694 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:26,709 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3e02d1
2019-05-16 04:10:26,709 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:26,709 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3f003c.
2019-05-16 04:10:26,709 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 04:10:26,709 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3e02ea
2019-05-16 04:10:26,709 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:26,709 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3f003c.
2019-05-16 04:10:26,709 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3f00b8 and Type=0x1.
2019-05-16 04:10:26,709 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,724 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3f00b8 (EIP = 0x3e02ea)
2019-05-16 04:10:26,724 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:26,724 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3e02d1
2019-05-16 04:10:26,724 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3f00b8.
2019-05-16 04:10:26,724 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 04:10:26,724 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:26,724 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3e02ea
2019-05-16 04:10:26,724 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3f00b8.
2019-05-16 04:10:26,724 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x3fcc89 and Type=0x0.
2019-05-16 04:10:26,724 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,740 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x3fcc89 (EIP = 0x3e02ea).
2019-05-16 04:10:26,740 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:26,740 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x500000, RegionSize: 0x14000.
2019-05-16 04:10:26,740 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3f0000.
2019-05-16 04:10:26,740 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x400000.
2019-05-16 04:10:26,740 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3f0000
2019-05-16 04:10:26,740 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 04:10:26,740 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x3f0000
2019-05-16 04:10:26,756 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\1860_7402630816452019
2019-05-16 04:10:26,756 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 04:10:26,756 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3f0000.
2019-05-16 04:10:26,756 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0001-0x400000.
2019-05-16 04:10:26,756 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 04:10:26,756 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3f0000 - 0x400000.
2019-05-16 04:10:26,756 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3fcc89.
2019-05-16 04:10:26,772 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3f0000.
2019-05-16 04:10:26,772 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x500000, AllocationSize: 0x14000, ThreadId: 0x898
2019-05-16 04:10:26,772 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x500000 and Type=0x1.
2019-05-16 04:10:26,772 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x500000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:26,772 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x500000
2019-05-16 04:10:26,772 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,772 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x500000.
2019-05-16 04:10:26,772 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 04:10:26,772 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:26,786 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,786 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x500000.
2019-05-16 04:10:26,786 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:26,786 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x50003c and Type=0x1.
2019-05-16 04:10:26,786 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,786 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x50003c (EIP = 0x3dfbfc)
2019-05-16 04:10:26,786 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:26,786 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,786 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:26,786 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x50003c.
2019-05-16 04:10:26,802 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5000b8 and Type=0x1.
2019-05-16 04:10:26,802 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,802 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x5000b8 (EIP = 0x3dfbfc)
2019-05-16 04:10:26,802 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:26,802 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,802 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5000b8.
2019-05-16 04:10:26,802 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 04:10:26,802 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:26,802 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,818 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5000b8.
2019-05-16 04:10:26,818 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5000e0 and Type=0x1.
2019-05-16 04:10:26,818 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,834 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x3dfbfc).
2019-05-16 04:10:26,834 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:26,834 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,834 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5000e0.
2019-05-16 04:10:26,834 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5000a0 and Type=0x0.
2019-05-16 04:10:26,834 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,834 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x5000a0 (EIP = 0x3dfbfc).
2019-05-16 04:10:26,834 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:26,834 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,849 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5000e0.
2019-05-16 04:10:26,849 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x50c9a0 and Type=0x0.
2019-05-16 04:10:26,849 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,849 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x50c9a0 (EIP = 0x3dfbfc).
2019-05-16 04:10:26,849 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:26,849 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,849 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5000e0.
2019-05-16 04:10:26,849 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x50c9a0 and Type=0x0.
2019-05-16 04:10:26,849 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,849 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x50c9a0 (EIP = 0x3dfbfc).
2019-05-16 04:10:26,865 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:26,865 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,865 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5000e0.
2019-05-16 04:10:26,865 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x50c9a0 and Type=0x0.
2019-05-16 04:10:26,865 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,865 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x50c9a0 (EIP = 0x3dfbfc).
2019-05-16 04:10:26,865 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:26,865 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 04:10:26,865 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x500000.
2019-05-16 04:10:26,881 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 04:10:26,881 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,881 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,881 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,881 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 04:10:26,881 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 04:10:26,881 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\faehbyidmz\CAPE\1860_8812630816452019
2019-05-16 04:10:26,881 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,881 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,881 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,895 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 04:10:26,895 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x500000 is empty or inaccessible.
2019-05-16 04:10:26,895 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x500000 - 0x514000.
2019-05-16 04:10:26,895 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5000e0.
2019-05-16 04:10:26,895 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x50c9a0.
2019-05-16 04:10:26,895 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,895 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,895 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,895 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 04:10:26,911 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 04:10:26,911 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0x898
2019-05-16 04:10:26,911 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 04:10:26,911 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 04:10:26,911 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 04:10:26,911 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 04:10:26,911 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 04:10:26,911 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 04:10:26,911 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 04:10:26,911 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,927 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,927 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,927 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,927 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 04:10:26,927 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 04:10:26,927 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 04:10:26,927 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,927 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,927 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,927 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 04:10:26,943 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 04:10:26,943 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 04:10:26,943 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 04:10:26,943 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 04:10:26,943 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 04:10:26,943 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0x898
2019-05-16 04:10:26,943 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 04:10:26,943 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 04:10:26,943 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 04:10:26,959 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,959 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 04:10:26,959 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 04:10:26,959 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:26,959 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,959 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 04:10:26,959 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 04:10:26,959 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 04:10:26,959 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,959 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x3dfbfc)
2019-05-16 04:10:26,973 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 04:10:26,973 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,973 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 04:10:26,973 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 04:10:26,973 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 04:10:26,973 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,973 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x3dfbfc)
2019-05-16 04:10:26,973 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 04:10:26,973 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,973 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 04:10:26,990 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 04:10:26,990 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:26,990 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:26,990 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 04:10:26,990 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 04:10:26,990 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:26,990 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x3dfbfc).
2019-05-16 04:10:26,990 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 04:10:26,990 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:27,006 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:27,006 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 04:10:27,006 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:27,006 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x3dfbfc).
2019-05-16 04:10:27,006 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:27,006 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:27,006 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:27,006 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:27,006 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:27,006 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x3dfbfc).
2019-05-16 04:10:27,020 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:27,020 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:27,020 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:27,020 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:27,020 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:27,020 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x3dfbfc).
2019-05-16 04:10:27,020 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:27,020 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3dfbfc
2019-05-16 04:10:27,020 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 04:10:27,020 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 04:10:27,036 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 04:10:27,036 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x3dfbfc).
2019-05-16 04:10:27,036 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 04:10:27,036 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 04:10:27,036 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 04:10:27,036 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 04:10:27,036 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 04:10:27,036 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 04:10:27,036 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 04:10:27,052 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 04:10:27,052 [root] INFO: Added new CAPE file to list with path: C:\faehbyidmz\CAPE\1860_522730816452019
2019-05-16 04:10:27,052 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 04:10:27,052 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 04:10:27,052 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 04:10:27,068 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 04:11:19,858 [root] INFO: Analysis timeout hit (60 seconds), terminating analysis.
2019-05-16 04:11:19,858 [root] INFO: Created shutdown mutex.
2019-05-16 04:11:20,871 [root] INFO: Terminating process 2796 before shutdown.
2019-05-16 04:11:20,871 [root] INFO: Terminating process 1364 before shutdown.
2019-05-16 04:11:20,871 [root] INFO: Terminating process 2856 before shutdown.
2019-05-16 04:11:20,871 [root] INFO: Setting terminate event for process 1860.
2019-05-16 04:11:20,871 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1860
2019-05-16 04:11:20,871 [root] INFO: Terminating process 1860 before shutdown.
2019-05-16 04:11:20,871 [root] INFO: Waiting for process 1860 to exit.
2019-05-16 04:11:21,885 [root] INFO: Waiting for process 1860 to exit.
2019-05-16 04:11:22,900 [root] INFO: Waiting for process 1860 to exit.
2019-05-16 04:11:23,914 [root] INFO: Waiting for process 1860 to exit.
2019-05-16 04:11:24,927 [lib.api.process] INFO: Successfully terminated process with pid 1860.
2019-05-16 04:11:24,927 [root] INFO: Waiting for process 1860 to exit.
2019-05-16 04:11:25,941 [root] INFO: Shutting down package.
2019-05-16 04:11:25,941 [root] INFO: Stopping auxiliary modules.
2019-05-16 04:11:25,941 [root] INFO: Finishing auxiliary modules.
2019-05-16 04:11:25,941 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-05-16 04:11:25,941 [root] WARNING: File at path "C:\naimEsnu\debugger" does not exist, skip.
2019-05-16 04:11:25,941 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-05-16 03:09:41 2019-05-16 03:11:39

File Details

File Name de54f9f6b4da2411980068400f7e9ce93b3f587d2a9b83d42e3f5a24135cb36f
File Size 169536 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8baf4f07a3780d1513edf1a87823021a
SHA1 99e63b327b2e6eedd1b3471b205130f3274346a4
SHA256 de54f9f6b4da2411980068400f7e9ce93b3f587d2a9b83d42e3f5a24135cb36f
SHA512 8984bdf42212608f88f600efa3ea53da4e9df8fe37cb009b09fbb081b4a7a6637f82f45a5c84cc8be4326122dbd4382f3a03e7e85f4b18c21f38a163051f16e8
CRC32 AB384C4C
Ssdeep 3072:/WoofUTXKZLk/lvI6enmhUcUygISmkEmKMKZiGG+ZJY0WZQu6JsdN0HCH5+isg:vjXP/hHenK5NSmHN/ZZG+ZO6d
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2796 trigged the Yara rule 'embedded_win_api'
Hit: PID 2796 trigged the Yara rule 'shellcode'
Hit: PID 2796 trigged the Yara rule 'Emotet'
Possible date expiration check, exits too soon after checking local time
process: gluerel.exe, PID 2856
Mimics the system's user agent string for its own requests
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
Performs HTTP requests potentially not found in PCAP.
url: 181.15.177.100:443/tpt/balloon/
url: 189.143.52.49:443/rtm/
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.16, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00016e00, virtual_size: 0x00016ce6
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: gluerel
service path: "C:\Windows\SysWOW64\gluerel.exe"
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\gluerel.exe
Drops a binary and executes it
binary: C:\Windows\SysWOW64\gluerel.exe

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 189.143.52.49 [VT] Mexico
Y 181.15.177.100 [VT] Argentina

DNS

Name Response Post-Analysis Lookup
www.download.windowsupdate.com [VT]
crt.usertrust.com [VT]

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
C:\Users\user\AppData\Local\Temp\gx135q72E.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Windows\
C:\Windows\SysWOW64\
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\gluerel.exe
C:\Users
\??\MountPointManager
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows
C:\Windows\SysWOW64
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Local\
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
C:\Windows\Temp
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\gx135q72E.exe
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Windows
C:\Users\user\AppData\Local\Temp
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Users\user\AppData\Local\Temp\gx135q72E.exe
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}
HKEY_LOCAL_MACHINE\Software\Classes\interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\gx135q72E.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_CLASSES_ROOT\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice
HKEY_CLASSES_ROOT\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_CLASSES_ROOT\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\gx135q72E.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\gx135q72E.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\Environment
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
kernel32.dll.LoadLibraryExA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualAlloc
kernel32.dll.SetFilePointer
kernel32.dll.lstrlenA
kernel32.dll.lstrcatA
kernel32.dll.VirtualProtect
kernel32.dll.UnmapViewOfFile
kernel32.dll.GetModuleHandleA
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.VirtualFree
kernel32.dll.GetTempPathA
kernel32.dll.CreateFileA
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
C:\Users\user\AppData\Local\Temp\gx135q72E.exe --897bfbd1
"C:\Windows\SysWOW64\gluerel.exe"
C:\Windows\SysWOW64\gluerel.exe --caeb0eba
Global\IA4889F95
Global\MA4889F95
IESQMMUTEX_0_208
gluerel
gluerel

PE Information

Image Base 0x00400000
Entry Point 0x00417b00
Reported Checksum 0x0002a2a5
Actual Checksum 0x0002a2a5
Minimum OS Version 5.0
Compile Time 2019-05-16 03:01:28
Import Hash d22b5108a2ea7747ee87ec83f7a89d94

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00016ce6 0x00016e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.16
.rdata 0x00018000 0x000085c2 0x00008600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.77
.data 0x00021000 0x0000569c 0x00005600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.21
.rsrc 0x00027000 0x00002fc0 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.77

Overlay

Offset 0x00027e00
Size 0x00001840

Imports

Library KERNEL32.dll:
0x41818c GetProcAddress
0x418194 GetProcessHeap
0x41819c GetStartupInfoA
0x4181a0 GetStartupInfoW
0x4181a4 GetStdHandle
0x4181a8 GetStringTypeA
0x4181ac GetStringTypeExW
0x4181b0 GetStringTypeW
0x4181b8 GetSystemDirectoryW
0x4181bc GetSystemInfo
0x4181c4 GetSystemTime
0x4181cc GetSystemTimes
0x4181d4 GetTempFileNameW
0x4181d8 GetTempPathW
0x4181dc GetTickCount
0x4181e0 GetTimeFormatA
0x4181e8 GetUserDefaultLCID
0x4181f0 GetVersion
0x4181f4 GetVersionExW
0x418200 GlobalAlloc
0x418204 GlobalFindAtomA
0x418208 GlobalFree
0x41820c GlobalUnWire
0x418210 HeapAlloc
0x418214 HeapCreate
0x418218 HeapDestroy
0x41821c HeapFree
0x418220 HeapReAlloc
0x418224 HeapSize
0x418238 InterlockedExchange
0x418244 IsBadReadPtr
0x418248 IsDebuggerPresent
0x418250 IsValidCodePage
0x418254 IsValidLocale
0x418258 IsWow64Process
0x41825c LCMapStringA
0x418260 LCMapStringW
0x418268 LoadLibraryA
0x41826c LoadLibraryExW
0x418270 LoadLibraryW
0x418274 LoadResource
0x418278 LocalAlloc
0x418280 LocalFree
0x418284 LockFile
0x418288 LockResource
0x41828c MapViewOfFileEx
0x418290 Module32FirstW
0x418294 MoveFileW
0x418298 MulDiv
0x41829c MultiByteToWideChar
0x4182a0 OpenEventA
0x4182ac OpenMutexW
0x4182b0 OpenProcess
0x4182b4 OpenThread
0x4182b8 OutputDebugStringW
0x4182bc PeekNamedPipe
0x4182c0 Process32FirstW
0x4182c4 Process32NextW
0x4182d0 RaiseException
0x4182d8 ReadFile
0x4182dc ReadProcessMemory
0x4182e0 ReleaseMutex
0x4182e4 ReleaseSemaphore
0x4182e8 ReplaceFile
0x4182ec ResetEvent
0x4182f0 ResumeThread
0x4182f4 RtlUnwind
0x418300 SetEndOfFile
0x418308 SetEvent
0x41830c SetFileAttributesA
0x418310 SetFilePointer
0x418314 SetFilePointerEx
0x418318 SetHandleCount
0x41831c SetLastError
0x418324 SetStdHandle
0x418328 SetThreadLocale
0x418330 SetWaitableTimer
0x418334 SizeofResource
0x418338 Sleep
0x418340 TerminateProcess
0x418344 TerminateThread
0x418348 TlsAlloc
0x41834c TlsFree
0x418350 TlsGetValue
0x418354 TlsSetValue
0x418360 UnlockFile
0x418364 UnmapViewOfFile
0x418368 VerSetConditionMask
0x41836c VerifyVersionInfoW
0x418370 VirtualAlloc
0x418374 VirtualAllocEx
0x418378 VirtualFree
0x41837c VirtualFreeEx
0x418380 VirtualLock
0x41838c WaitForSingleObject
0x418390 WideCharToMultiByte
0x418394 WriteConsoleA
0x418398 WriteConsoleW
0x41839c WriteFile
0x4183a8 lstrcmpA
0x4183ac lstrcmpiA
0x4183b0 lstrcmpiW
0x4183b4 lstrcpynW
0x4183b8 lstrlen
0x4183bc lstrlenA
0x4183c0 lstrlenW
0x4183c4 FlushFileBuffers
0x4183c8 FindResourceW
0x4183d0 GetOverlappedResult
0x4183d4 GetOEMCP
0x4183dc GetModuleHandleW
0x4183e0 GetModuleHandleA
0x4183e4 GetModuleFileNameW
0x4183e8 GetModuleFileNameA
0x4183ec GetLongPathNameW
0x4183f0 GetLogicalDrives
0x4183f4 GetLocaleInfoW
0x4183f8 GetLocaleInfoA
0x4183fc GetLocalTime
0x418400 GetLastError
0x418404 GetFileType
0x418408 GetFileTime
0x41840c GetFileSizeEx
0x418410 GetFileSize
0x418414 GetFileAttributesW
0x418420 GetExitCodeThread
0x418424 GetExitCodeProcess
0x41842c GetDriveTypeA
0x418430 GetDiskFreeSpaceExW
0x418434 GetDateFormatA
0x418438 GetCurrentThreadId
0x41843c GetCurrentProcessId
0x418440 GetCurrentProcess
0x418448 GetConsoleOutputCP
0x41844c GetConsoleMode
0x418450 GetConsoleCP
0x418454 GetConsoleAliasesW
0x418458 GetCommandLineW
0x41845c GetCommState
0x418460 GetCPInfoExA
0x418464 GetCPInfo
0x418468 GetAtomNameW
0x41846c GetACP
0x418470 FreeResource
0x418474 FreeLibrary
0x41847c FreeConsole
0x418480 OpenMutexA
0x418484 FormatMessageW
0x418488 FindResourceExW
0x41848c FindNextFileW
0x418490 FindFirstFileW
0x418498 FindClose
0x41849c FindAtomW
0x4184a8 FatalAppExitA
0x4184ac ExitThread
0x4184b0 ExitProcess
0x4184b4 EnumSystemLocalesA
0x4184bc DuplicateHandle
0x4184c0 DisconnectNamedPipe
0x4184c4 DeviceIoControl
0x4184cc DeleteFileW
0x4184d0 DeleteFileA
0x4184d8 DeleteAtom
0x4184e4 CreateThread
0x4184e8 CreateSemaphoreW
0x4184ec CreateSemaphoreA
0x4184f0 CreateRemoteThread
0x4184f4 CreateProcessW
0x4184f8 CreateNamedPipeW
0x4184fc CreateMutexW
0x418500 CreateMutexA
0x418504 CreateFileW
0x418508 CreateFileMappingW
0x41850c CreateFileA
0x418510 CreateEventW
0x418514 CreateEventA
0x418518 CreateDirectoryW
0x41851c CreateDirectoryA
0x418520 CopyFileW
0x418524 CopyFileExA
0x418528 ConnectNamedPipe
0x41852c CompareStringW
0x418530 CompareStringA
0x418534 CompareFileTime
0x418538 CloseHandle
0x41853c CancelIo
0x418540 OpenEventW
0x418544 AddAtomW
Library USER32.dll:
0x418610 keybd_event
0x418614 WindowFromPoint
0x418618 WaitForInputIdle
0x41861c UpdateWindow
0x418620 UpdateLayeredWindow
0x418624 UnregisterClassA
0x418628 TranslateMessage
0x418630 SwitchToThisWindow
0x418634 ShowWindow
0x418638 ShowOwnedPopups
0x41863c SetWindowsHookExA
0x418640 SetWindowsHookA
0x418644 SetWindowTextW
0x418648 SetWindowPos
0x41864c SetWindowLongW
0x418650 SetTimer
0x418654 SetRectEmpty
0x418658 SetRect
0x41865c SetForegroundWindow
0x418660 SetFocus
0x418664 SetCursor
0x418668 SetClipboardViewer
0x41866c SetClassLongW
0x418670 SetActiveWindow
0x418674 SendMessageW
0x418678 SendMessageTimeoutW
0x41867c ScreenToClient
0x418680 ReleaseDC
0x418684 ReleaseCapture
0x41868c RegisterClassExW
0x418690 PtInRect
0x418694 PostQuitMessage
0x418698 PostMessageW
0x41869c PeekMessageW
0x4186a0 OpenInputDesktop
0x4186a4 OffsetRect
0x4186a8 MonitorFromWindow
0x4186ac MonitorFromRect
0x4186b0 MonitorFromPoint
0x4186b4 MessageBoxW
0x4186b8 MapWindowPoints
0x4186bc LoadStringW
0x4186c0 LoadImageW
0x4186c4 LoadCursorW
0x4186c8 KillTimer
0x4186cc IsWindowVisible
0x4186d0 IsWindowEnabled
0x4186d4 IsWindow
0x4186d8 IsDialogMessageW
0x4186dc InvalidateRect
0x4186e4 GetWindowTextW
0x4186e8 GetWindowRect
0x4186ec GetWindowPlacement
0x4186f0 GetWindowLongW
0x4186f4 GetWindowInfo
0x4186f8 GetWindow
0x4186fc GetSystemMetrics
0x418700 GetShellWindow
0x418704 GetParent
0x418708 GetMonitorInfoW
0x41870c GetMessageW
0x418710 GetMessagePos
0x418714 GetKeyboardState
0x418718 GetForegroundWindow
0x41871c GetDesktopWindow
0x418720 GetDC
0x418724 GetCursorPos
0x418728 GetClientRect
0x41872c GetClassLongW
0x418730 GetClassInfoExW
0x418734 GetAncestor
0x418738 GetActiveWindow
0x41873c FindWindowW
0x418740 FindWindowExW
0x418744 ExitWindowsEx
0x418750 EnableWindow
0x418754 DrawTextW
0x418758 DispatchMessageW
0x41875c DestroyWindow
0x418760 DestroyIcon
0x418764 DefWindowProcW
0x418768 CreateWindowExW
0x41876c CopyRect
0x418770 CloseDesktop
0x418774 ClientToScreen
0x418778 CharNextW
0x41877c CallWindowProcW
0x418780 AttachThreadInput
0x418788 AdjustWindowRect
Library GDI32.dll:
0x4180c8 AngleArc
0x4180cc CloseMetaFile
0x4180d0 CreateBrushIndirect
0x4180d8 CreateCompatibleDC
0x4180dc CreateDIBSection
0x4180e0 CreateEllipticRgn
0x4180e4 CreateFontIndirectW
0x4180e8 CreateFontW
0x4180ec CreatePolygonRgn
0x4180f0 DeleteDC
0x4180f4 DeleteObject
0x4180fc EngDeletePath
0x418100 EngFillPath
0x418104 EngReleaseSemaphore
0x418108 ExtCreatePen
0x418110 GdiEntry9
0x418114 GdiValidateHandle
0x418118 GetBkMode
0x418120 GetCharABCWidthsI
0x418124 GetCharWidthInfo
0x41812c GetLogColorSpaceA
0x418130 GetObjectW
0x418138 GetStockObject
0x418140 GetTextExtentPointI
0x418148 LPtoDP
0x41814c PATHOBJ_bEnum
0x418150 PlayMetaFile
0x418154 PolyBezier
0x418158 RoundRect
0x41815c SelectObject
0x418160 SetDIBColorTable
0x418164 SetROP2
0x418168 SetRectRgn
0x41816c SetTextColor
0x418170 SwapBuffers
0x418174 UnloadNetworkFonts
0x418178 cGetTTFFromFOT
0x41817c BitBlt
Library ADVAPI32.dll:
0x418004 CloseServiceHandle
0x418010 CreateWellKnownSid
0x418018 CryptGenRandom
0x41801c CryptReleaseContext
0x418020 DuplicateToken
0x418024 DuplicateTokenEx
0x418028 EqualSid
0x41802c FreeSid
0x418034 GetTokenInformation
0x418038 GetUserNameW
0x418044 LookupAccountSidW
0x41804c OpenEventLogW
0x418050 OpenProcessToken
0x418054 OpenSCManagerW
0x418058 OpenServiceW
0x41805c QueryServiceStatus
0x418060 ReadEventLogW
0x418064 RegCloseKey
0x418068 RegCreateKeyA
0x41806c RegCreateKeyExW
0x418070 RegDeleteKeyW
0x418074 RegDeleteValueW
0x418078 RegEnumKeyExA
0x41807c RegEnumKeyExW
0x418084 RegOpenKeyExA
0x418088 RegOpenKeyExW
0x41808c RegOpenKeyW
0x418090 RegQueryInfoKeyW
0x418094 RegQueryValueExA
0x418098 RegQueryValueExW
0x41809c RegSetValueExW
0x4180a0 RevertToSelf
0x4180a4 SetEntriesInAclW
0x4180b0 StartServiceW
0x4180b4 RegOpenKeyA
0x4180c0 CloseEventLog
Library SHELL32.dll:
0x41854c ShellExecuteW
0x418550 ShellExecuteExW
0x418554 ShellExecuteA
0x418558 SHLoadInProc
0x418560 SHGetMalloc
0x418568 SHGetFolderPathW
0x41856c SHGetFolderPathA
0x418570 SHFileOperationA
0x418578 SHChangeNotify
0x418580 DragQueryFileA
0x418584 Shell_NotifyIconW
Library SHLWAPI.dll:
0x41858c ColorHLSToRGB
0x418590 ColorRGBToHLS
0x418594 PathAddBackslashW
0x418598 PathAppendW
0x41859c PathCombineA
0x4185a0 PathCombineW
0x4185a4 PathCompactPathW
0x4185a8 PathFileExistsA
0x4185ac AssocQueryStringW
0x4185b0 PathFindExtensionW
0x4185b4 PathFindFileNameA
0x4185b8 PathFindFileNameW
0x4185bc PathIsDirectoryW
0x4185c0 PathIsPrefixW
0x4185cc PathRemoveFileSpecW
0x4185d0 PathStripPathW
0x4185d4 SHDeleteKeyW
0x4185d8 SHDeleteValueA
0x4185dc SHDeleteValueW
0x4185e0 SHGetValueA
0x4185e4 SHGetValueW
0x4185e8 SHSetValueA
0x4185ec SHSetValueW
0x4185f0 StrCmpIW
0x4185f4 StrCmpNA
0x4185f8 StrRStrIW
0x4185fc StrStrIW
0x418600 StrStrW
0x418604 wnsprintfW
0x418608 PathFileExistsW

.text
`.rdata
@.data
.rsrc
AddAtomW
CancelIo
CloseHandle
CompareFileTime
CompareStringA
CompareStringW
ConnectNamedPipe
CopyFileExA
CopyFileW
CreateDirectoryA
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileMappingW
CreateFileW
CreateMutexA
CreateMutexW
CreateNamedPipeW
CreateProcessW
CreateRemoteThread
CreateSemaphoreA
CreateSemaphoreW
CreateThread
CreateToolhelp32Snapshot
CreateWaitableTimerA
DeleteAtom
DeleteCriticalSection
DeleteFileA
DeleteFileW
DeleteVolumeMountPointW
DeviceIoControl
DisconnectNamedPipe
DuplicateHandle
EnterCriticalSection
EnumSystemLocalesA
ExitProcess
ExitThread
FatalAppExitA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindAtomW
FindClose
FindCloseChangeNotification
FindFirstFileW
FindNextFileW
FindResourceExW
FindResourceW
FlushFileBuffers
FlushInstructionCache
FormatMessageW
FreeConsole
FreeEnvironmentStringsW
FreeLibrary
FreeResource
GetACP
GetAtomNameW
GetCPInfo
GetCPInfoExA
GetCommState
GetCommandLineW
GetConsoleAliasesW
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatA
GetDiskFreeSpaceExW
GetDriveTypeA
GetEnvironmentStringsW
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesExA
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetFileSizeEx
GetFileTime
GetFileType
GetLastError
GetLocalTime
GetLocaleInfoA
GetLocaleInfoW
GetLogicalDrives
GetLongPathNameW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetNumberOfConsoleMouseButtons
GetOEMCP
GetOverlappedResult
GetPrivateProfileIntW
GetPrivateProfileSectionNamesW
GetPrivateProfileSectionW
GetPrivateProfileStringW
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetProcessIoCounters
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeExW
GetStringTypeW
GetSystemDefaultUILanguage
GetSystemDirectoryW
GetSystemInfo
GetSystemPowerStatus
GetSystemTime
GetSystemTimeAsFileTime
GetSystemTimes
GetSystemWindowsDirectoryW
GetTempFileNameW
GetTempPathW
GetTickCount
GetTimeFormatA
GetTimeZoneInformation
GetUserDefaultLCID
GetUserDefaultUILanguage
GetVersion
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
GlobalAlloc
GlobalFindAtomA
GlobalFree
GlobalUnWire
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedCompareExchange
InterlockedDecrement
InterlockedExchange
InterlockedExchangeAdd
InterlockedIncrement
IsBadReadPtr
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
IsValidLocale
IsWow64Process
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LoadResource
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LockFile
LockResource
MapViewOfFileEx
Module32FirstW
MoveFileW
MulDiv
MultiByteToWideChar
OpenEventA
OpenEventW
OpenMutexA
OpenMutexW
OpenProcess
OpenThread
OutputDebugStringW
PeekNamedPipe
Process32FirstW
Process32NextW
ProcessIdToSessionId
QueryPerformanceCounter
RaiseException
ReadDirectoryChangesW
ReadFile
ReadProcessMemory
ReleaseMutex
ReleaseSemaphore
ReplaceFile
ResetEvent
ResumeThread
RtlUnwind
ScrollConsoleScreenBufferA
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableA
SetEvent
SetFileAttributesA
SetFilePointer
SetFilePointerEx
SetHandleCount
SetLastError
SetNamedPipeHandleState
SetStdHandle
SetThreadLocale
SetUnhandledExceptionFilter
SetWaitableTimer
SizeofResource
Sleep
SystemTimeToFileTime
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnhandledExceptionFilter
UnlockFile
UnmapViewOfFile
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualLock
WTSGetActiveConsoleSessionId
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteConsoleA
WriteConsoleW
WriteFile
WritePrivateProfileSectionW
WritePrivateProfileStringW
lstrcmpA
lstrcmpiA
lstrcmpiW
lstrcpynW
lstrlen
lstrlenA
lstrlenW
KERNEL32.dll
AdjustWindowRect
AllowSetForegroundWindow
AttachThreadInput
CallWindowProcW
CharNextW
ClientToScreen
CloseDesktop
CopyRect
CreateWindowExW
DefWindowProcW
DestroyIcon
DestroyWindow
DispatchMessageW
DrawTextW
EnableWindow
EnumClipboardFormats
EnumDisplaySettingsW
ExitWindowsEx
FindWindowExW
FindWindowW
GetActiveWindow
GetAncestor
GetClassInfoExW
GetClassLongW
GetClientRect
GetCursorPos
GetDC
GetDesktopWindow
GetForegroundWindow
GetKeyboardState
GetMessagePos
GetMessageW
GetMonitorInfoW
GetParent
GetShellWindow
GetSystemMetrics
GetWindow
GetWindowInfo
GetWindowLongW
GetWindowPlacement
GetWindowRect
GetWindowTextW
GetWindowThreadProcessId
InvalidateRect
IsDialogMessageW
IsWindow
IsWindowEnabled
IsWindowVisible
KillTimer
LoadCursorW
LoadImageW
LoadStringW
MapWindowPoints
MessageBoxW
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
OffsetRect
OpenInputDesktop
PeekMessageW
PostMessageW
PostQuitMessage
PtInRect
RegisterClassExW
RegisterWindowMessageW
ReleaseCapture
ReleaseDC
ScreenToClient
SendMessageTimeoutW
SendMessageW
SetActiveWindow
SetClassLongW
SetClipboardViewer
SetCursor
SetFocus
SetForegroundWindow
SetRect
SetRectEmpty
SetTimer
SetWindowLongW
SetWindowPos
SetWindowTextW
SetWindowsHookA
SetWindowsHookExA
ShowOwnedPopups
ShowWindow
SwitchToThisWindow
SystemParametersInfoW
TranslateMessage
UnregisterClassA
UpdateLayeredWindow
UpdateWindow
WaitForInputIdle
WindowFromPoint
keybd_event
USER32.dll
AngleArc
BitBlt
CloseMetaFile
CreateBrushIndirect
CreateCompatibleBitmap
CreateCompatibleDC
CreateDIBSection
CreateEllipticRgn
CreateFontIndirectW
CreateFontW
CreatePolygonRgn
DeleteDC
DeleteObject
DeviceCapabilitiesExW
EngDeletePath
EngFillPath
EngReleaseSemaphore
ExtCreatePen
GdiCreateLocalEnhMetaFile
GdiEntry9
GdiValidateHandle
GetBkMode
GetCharABCWidthsFloatA
GetCharABCWidthsI
GetCharWidthInfo
GetEnhMetaFileDescriptionW
GetLogColorSpaceA
GetObjectW
GetOutlineTextMetricsW
GetStockObject
GetTextExtentPoint32W
GetTextExtentPointI
HT_Get8BPPMaskPalette
LPtoDP
PATHOBJ_bEnum
PlayMetaFile
PolyBezier
RoundRect
SelectObject
SetDIBColorTable
SetROP2
SetRectRgn
SetTextColor
SwapBuffers
UnloadNetworkFonts
cGetTTFFromFOT
GDI32.dll
AdjustTokenPrivileges
AllocateAndInitializeSid
CheckTokenMembership
CloseEventLog
CloseServiceHandle
ConvertSidToStringSidW
ConvertStringSidToSidW
CreateWellKnownSid
CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
DuplicateToken
DuplicateTokenEx
EqualSid
FreeSid
GetNamedSecurityInfoW
GetTokenInformation
GetUserNameW
ImpersonateLoggedOnUser
InitializeSecurityDescriptor
LookupAccountSidW
LookupPrivilegeValueW
OpenEventLogW
OpenProcessToken
OpenSCManagerW
OpenServiceW
QueryServiceStatus
ReadEventLogW
RegCloseKey
RegCreateKeyA
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExA
RegEnumKeyExW
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyW
RegQueryInfoKeyW
RegQueryValueExA
RegQueryValueExW
RegSetValueExW
RevertToSelf
SetEntriesInAclW
SetNamedSecurityInfoW
SetSecurityDescriptorDacl
StartServiceW
RegOpenKeyA
ADVAPI32.dll
Shell_NotifyIconW
ShellExecuteW
ShellExecuteExW
ShellExecuteA
SHLoadInProc
SHGetSpecialFolderPathW
SHGetMalloc
SHGetIconOverlayIndexW
SHGetFolderPathW
SHGetFolderPathA
SHFileOperationA
SHCreateDirectoryExW
SHChangeNotify
ExtractAssociatedIconExW
DragQueryFileA
SHELL32.dll
AssocQueryStringW
ColorHLSToRGB
ColorRGBToHLS
PathAddBackslashW
PathAppendW
PathCombineA
PathCombineW
PathCompactPathW
PathFileExistsA
PathFileExistsW
PathFindExtensionW
PathFindFileNameA
PathFindFileNameW
PathIsDirectoryW
PathIsPrefixW
PathRemoveBackslashW
PathRemoveExtensionW
PathRemoveFileSpecW
PathStripPathW
SHDeleteKeyW
SHDeleteValueA
SHDeleteValueW
SHGetValueA
SHGetValueW
SHSetValueA
SHSetValueW
StrCmpIW
StrCmpNA
StrRStrIW
StrStrIW
StrStrW
wnsprintfW
SHLWAPI.dll
rprocmsv
*ShellAPI
System
SysInit
KWindows
UTypes
CommCtrl
3Messages
sActiveX
+IdTCPServer
|IdResourceStrings
yIdStack
SysUtils
SysConst
^Classes
"RTLConsts
CVariants
$VarUtils
QTypInfo
IdException
@IdStackConsts
)IdWinSock2
uIdGlobal
IdStackWindows
8Registry
IniFiles
EIdURI
SyncObjs
IdStrings
IdThreadSafe
IdComponent
IdAntiFreezeBase
IdBaseComponent
mIdSocketHandle
IdTCPConnection
IdStream
IdTCPStream
IdIntercept
BIdIOHandler
IdRFCReply
yIdIOHandlerSocket
jIdSocks
IdAssignedNumbers
IdThread
%IdThreadMgr
IdThreadMgrDefault
IdServerIOHandler
&IdServerIOHandlerSocket
RemoteProcMgrServerU
GlobalConsts
MAINICON
Address type not supported.;Cannot call TerminateAndWaitFor on FreeAndTerminate threads
Socks server did not respond.$Invalid socks authentication method.%Authentication error to socks server.
Socket is not connected..Cannot send or receive after socket is closed.
Bad protocol option.
Connect timed out.
Terminate Thread Timeout
%s.Seek not implemented
Class %s not found%List does not allow duplicates ($0%x)
Exception in safecall method
Floating point overflow
This file is not on VirusTotal.

Process Tree


gx135q72E.exe, PID: 2796, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\gx135q72E.exe
Command Line: "C:\Users\user\AppData\Local\Temp\gx135q72E.exe"
gx135q72E.exe, PID: 1364, Parent PID: 2796
Full Path: C:\Users\user\AppData\Local\Temp\gx135q72E.exe
Command Line: --897bfbd1
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
gluerel.exe, PID: 2856, Parent PID: 460
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: "C:\Windows\SysWOW64\gluerel.exe"
gluerel.exe, PID: 1860, Parent PID: 2856
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: --caeb0eba

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 189.143.52.49 [VT] Mexico
Y 181.15.177.100 [VT] Argentina

TCP

Source Source Port Destination Destination Port
192.168.35.21 49181 181.15.177.100 443
192.168.35.21 49182 189.143.52.49 443

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.download.windowsupdate.com [VT]
crt.usertrust.com [VT]

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name gluerel.exe
Associated Filenames
C:\Windows\SysWOW64\gluerel.exe
File Size 169536 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8baf4f07a3780d1513edf1a87823021a
SHA1 99e63b327b2e6eedd1b3471b205130f3274346a4
SHA256 de54f9f6b4da2411980068400f7e9ce93b3f587d2a9b83d42e3f5a24135cb36f
CRC32 AB384C4C
Ssdeep 3072:/WoofUTXKZLk/lvI6enmhUcUygISmkEmKMKZiGG+ZJY0WZQu6JsdN0HCH5+isg:vjXP/hHenK5NSmHN/ZZG+ZO6d
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY----- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB -----END PUBLIC KEY-----
address
Type Extracted Shellcode
Size 69632 bytes
Virtual Address 0x540000
Process gx135q72E.exe
PID 2796
Path C:\Users\user\AppData\Local\Temp\gx135q72E.exe
MD5 38aa5772938a4a5679f12447b4de6889
SHA1 d56b4eba7306b96dabe394f380fd839dcdfc2f40
SHA256 9d975bd96a097a85b1841202f8c416da47ffeda6c45b8deb3ad45128fd759ba4
CRC32 56ADEADA
Ssdeep 1536:nAk1W42lCe4OsrMHAB201zneR5z/ZvECviGyMuYt:9UCQsjB20heR5tRvNL
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Emotet Payload: 32-bit executable
Size 62976 bytes
Virtual Address 0x560000
Process gx135q72E.exe
PID 2796
Path C:\Users\user\AppData\Local\Temp\gx135q72E.exe
MD5 3b033c7eb80d53c418dfc5576a5adb54
SHA1 0e354a966392b0658f61354d8420bd0ccbd00f2b
SHA256 8cb9a5659fa9f606ffc2d9ac468804c898efbf8d328e0afb501480cdcda5bdf3
CRC32 C6FF60FA
Ssdeep 1536:ygV2M7cQ62aENvW0+wspUYUGgp9OSB942r:yEhbZ9yF89Oup
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Sorry! No process dumps.


Processing ( 2.951 seconds )

  • 1.785 CAPE
  • 0.353 BehaviorAnalysis
  • 0.233 Dropped
  • 0.232 TargetInfo
  • 0.193 Static
  • 0.091 TrID
  • 0.035 Deduplicate
  • 0.013 Strings
  • 0.01 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.178 seconds )

  • 0.02 antiav_detectreg
  • 0.015 stealth_timeout
  • 0.012 api_spamming
  • 0.012 decoy_document
  • 0.01 PlugX
  • 0.008 infostealer_ftp
  • 0.007 ransomware_files
  • 0.005 Doppelganging
  • 0.005 injection_createremotethread
  • 0.005 InjectionCreateRemoteThread
  • 0.005 infostealer_im
  • 0.004 InjectionProcessHollowing
  • 0.004 injection_runpe
  • 0.004 antianalysis_detectreg
  • 0.004 antiav_detectfile
  • 0.004 ransomware_extensions
  • 0.003 InjectionInterProcess
  • 0.003 antivm_generic_disk
  • 0.003 persistence_autorun
  • 0.003 infostealer_mail
  • 0.002 bootkit
  • 0.002 stealth_file
  • 0.002 mimics_filetime
  • 0.002 antivm_generic_scsi
  • 0.002 virus
  • 0.002 antivm_vbox_keys
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 recon_fingerprint
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 recon_programs
  • 0.001 antivm_generic_services
  • 0.001 antiemu_wine_func
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 reads_self
  • 0.001 dynamic_function_loading
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 recon_checkip
  • 0.001 stealth_hiddenreg

Reporting ( 0.015 seconds )

  • 0.015 CompressResults
Task ID 74101
Mongo ID 5cdcd4f2f284885ccecee98f
Cuckoo release 1.3-CAPE