CAPE

Triggered CAPE Tasks: Task #74105: Extraction


Analysis

Category: FILE
Package: exe
Started: 2019-05-16 03:25:01
Completed: 2019-05-16 03:29:37
Duration: 276 seconds
2019-05-16 04:25:03,015 [root] INFO: Date set to: 05-16-19, time set to: 03:25:03, timeout set to: 200
2019-05-16 04:25:03,078 [root] DEBUG: Starting analyzer from: C:\jkoxkfbadn
2019-05-16 04:25:03,078 [root] DEBUG: Storing results at: C:\fbLWSbK
2019-05-16 04:25:03,078 [root] DEBUG: Pipe server name: \\.\PIPE\KgHquv
2019-05-16 04:25:03,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-05-16 04:25:03,078 [root] INFO: Automatically selected analysis package "exe"
2019-05-16 04:25:04,045 [root] DEBUG: Started auxiliary module Browser
2019-05-16 04:25:04,045 [root] DEBUG: Started auxiliary module Curtain
2019-05-16 04:25:04,045 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-05-16 04:25:30,033 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2019-05-16 04:25:30,033 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-05-16 04:25:30,033 [root] DEBUG: Started auxiliary module DigiSig
2019-05-16 04:25:30,033 [root] DEBUG: Started auxiliary module Disguise
2019-05-16 04:25:30,033 [root] DEBUG: Started auxiliary module Human
2019-05-16 04:25:30,033 [root] DEBUG: Started auxiliary module Screenshots
2019-05-16 04:25:30,033 [root] DEBUG: Started auxiliary module Sysmon
2019-05-16 04:25:30,049 [root] DEBUG: Started auxiliary module Usage
2019-05-16 04:25:30,049 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-05-16 04:25:30,049 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-05-16 04:25:30,049 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\miE9i3N.exe" with arguments "" with pid 2360
2019-05-16 04:25:30,049 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 04:25:30,049 [lib.api.process] INFO: 32-bit DLL to inject is C:\jkoxkfbadn\dll\OJdFLGbg.dll, loader C:\jkoxkfbadn\bin\gZteDSd.exe
2019-05-16 04:25:30,081 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KgHquv.
2019-05-16 04:25:30,081 [root] DEBUG: Loader: Injecting process 2360 (thread 1912) with C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:30,081 [root] DEBUG: Process image base: 0x00400000
2019-05-16 04:25:30,081 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:30,081 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77380000
2019-05-16 04:25:30,081 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x00430000.
2019-05-16 04:25:30,081 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 04:25:30,081 [root] DEBUG: Successfully injected DLL C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:30,081 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2360
2019-05-16 04:25:32,094 [lib.api.process] INFO: Successfully resumed process with pid 2360
2019-05-16 04:25:32,094 [root] INFO: Added new process to list with pid: 2360
2019-05-16 04:25:32,125 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 04:25:32,155 [root] INFO: Disabling sleep skipping.
2019-05-16 04:25:32,155 [root] INFO: Disabling sleep skipping.
2019-05-16 04:25:32,155 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-16 04:25:32,155 [root] INFO: Disabling sleep skipping.
2019-05-16 04:25:32,155 [root] INFO: Disabling sleep skipping.
2019-05-16 04:25:32,155 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2360 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-05-16 04:25:32,155 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\miE9i3N.exe".
2019-05-16 04:25:32,155 [root] INFO: Monitor successfully loaded in process with pid 2360.
2019-05-16 04:25:32,858 [root] DEBUG: set_caller_info: Adding region at 0x00230000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-16 04:25:32,858 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-05-16 04:25:32,874 [root] DEBUG: DLL unloaded from 0x00400000.
2019-05-16 04:25:32,888 [root] INFO: Announced 32-bit process name: miE9i3N.exe pid: 3040
2019-05-16 04:25:32,888 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 04:25:32,888 [lib.api.process] INFO: 32-bit DLL to inject is C:\jkoxkfbadn\dll\OJdFLGbg.dll, loader C:\jkoxkfbadn\bin\gZteDSd.exe
2019-05-16 04:25:32,904 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KgHquv.
2019-05-16 04:25:32,904 [root] DEBUG: Loader: Injecting process 3040 (thread 112) with C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:32,904 [root] DEBUG: Process image base: 0x00400000
2019-05-16 04:25:32,904 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:32,904 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77380000
2019-05-16 04:25:32,904 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x00430000.
2019-05-16 04:25:32,904 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 04:25:32,904 [root] DEBUG: Successfully injected DLL C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:32,904 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3040
2019-05-16 04:25:32,904 [root] DEBUG: DLL unloaded from 0x75700000.
2019-05-16 04:25:32,904 [root] INFO: Notified of termination of process with pid 2360.
2019-05-16 04:25:32,920 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 04:25:32,967 [root] INFO: Disabling sleep skipping.
2019-05-16 04:25:32,967 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-16 04:25:32,967 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3040 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-05-16 04:25:32,997 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\--8ea82f2a.
2019-05-16 04:25:32,997 [root] INFO: Added new process to list with pid: 3040
2019-05-16 04:25:32,997 [root] INFO: Monitor successfully loaded in process with pid 3040.
2019-05-16 04:25:33,138 [root] INFO: Process with pid 2360 has terminated
2019-05-16 04:25:33,700 [root] DEBUG: set_caller_info: Adding region at 0x003D0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-16 04:25:41,000 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-05-16 04:25:41,016 [root] DEBUG: DLL loaded at 0x74600000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-05-16 04:25:41,016 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-05-16 04:25:41,032 [root] DEBUG: DLL loaded at 0x74500000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-05-16 04:25:41,078 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-05-16 04:25:41,095 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-05-16 04:25:41,095 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-05-16 04:25:41,095 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-05-16 04:25:41,095 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-05-16 04:25:41,095 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-05-16 04:25:41,203 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1708
2019-05-16 04:25:41,203 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-16 04:25:41,234 [lib.api.process] INFO: 64-bit DLL to inject is C:\jkoxkfbadn\dll\LAzojT.dll, loader C:\jkoxkfbadn\bin\wGPEwMRo.exe
2019-05-16 04:25:41,282 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KgHquv.
2019-05-16 04:25:41,282 [root] DEBUG: Loader: Injecting process 1708 (thread 0) with C:\jkoxkfbadn\dll\LAzojT.dll.
2019-05-16 04:25:41,282 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1712, handle 0x84
2019-05-16 04:25:41,282 [root] DEBUG: Process image base: 0x00000000FFA80000
2019-05-16 04:25:41,282 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-16 04:25:41,282 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-16 04:25:41,312 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 04:25:41,312 [root] INFO: Disabling sleep skipping.
2019-05-16 04:25:41,359 [root] WARNING: Unable to place hook on LockResource
2019-05-16 04:25:41,359 [root] WARNING: Unable to hook LockResource
2019-05-16 04:25:41,407 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1708 at 0x0000000074420000, image base 0x00000000FFA80000, stack from 0x0000000007D72000-0x0000000007D80000
2019-05-16 04:25:41,407 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-05-16 04:25:41,407 [root] INFO: Added new process to list with pid: 1708
2019-05-16 04:25:41,421 [root] INFO: Monitor successfully loaded in process with pid 1708.
2019-05-16 04:25:41,421 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-16 04:25:41,437 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-16 04:25:41,437 [root] DEBUG: Successfully injected DLL C:\jkoxkfbadn\dll\LAzojT.dll.
2019-05-16 04:25:41,453 [root] DEBUG: DLL unloaded from 0x74500000.
2019-05-16 04:25:41,469 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-05-16 04:25:41,469 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-05-16 04:25:41,469 [root] DEBUG: DLL loaded at 0x74B90000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-05-16 04:25:41,484 [root] DEBUG: DLL unloaded from 0x751E0000.
2019-05-16 04:25:41,516 [root] DEBUG: DLL loaded at 0x74B80000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-05-16 04:25:41,516 [root] DEBUG: DLL unloaded from 0x74B80000.
2019-05-16 04:25:41,532 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-05-16 04:25:41,562 [root] INFO: Announced starting service "gluerel"
2019-05-16 04:25:41,562 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-05-16 04:25:41,562 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-16 04:25:41,578 [lib.api.process] INFO: 64-bit DLL to inject is C:\jkoxkfbadn\dll\LAzojT.dll, loader C:\jkoxkfbadn\bin\wGPEwMRo.exe
2019-05-16 04:25:41,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KgHquv.
2019-05-16 04:25:41,578 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\jkoxkfbadn\dll\LAzojT.dll.
2019-05-16 04:25:41,578 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2664, handle 0x84
2019-05-16 04:25:41,625 [root] DEBUG: Process image base: 0x00000000FFAB0000
2019-05-16 04:25:41,641 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-16 04:25:41,641 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-16 04:25:41,655 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 04:25:41,671 [root] INFO: Disabling sleep skipping.
2019-05-16 04:25:41,687 [root] WARNING: Unable to place hook on LockResource
2019-05-16 04:25:41,687 [root] WARNING: Unable to hook LockResource
2019-05-16 04:25:41,703 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x0000000074420000, image base 0x00000000FFAB0000, stack from 0x0000000002136000-0x0000000002140000
2019-05-16 04:25:41,719 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-05-16 04:25:41,719 [root] INFO: Added new process to list with pid: 460
2019-05-16 04:25:41,719 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-05-16 04:25:41,719 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-16 04:25:41,750 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-16 04:25:41,766 [root] DEBUG: Successfully injected DLL C:\jkoxkfbadn\dll\LAzojT.dll.
2019-05-16 04:25:42,825 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 2448
2019-05-16 04:25:42,825 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 04:25:42,858 [lib.api.process] INFO: 32-bit DLL to inject is C:\jkoxkfbadn\dll\OJdFLGbg.dll, loader C:\jkoxkfbadn\bin\gZteDSd.exe
2019-05-16 04:25:42,858 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KgHquv.
2019-05-16 04:25:42,858 [root] DEBUG: Loader: Injecting process 2448 (thread 784) with C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:42,888 [root] DEBUG: Process image base: 0x00400000
2019-05-16 04:25:42,888 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:42,888 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77380000
2019-05-16 04:25:42,888 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x00430000.
2019-05-16 04:25:42,888 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 04:25:42,888 [root] DEBUG: Successfully injected DLL C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:42,888 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2448
2019-05-16 04:25:42,920 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 04:25:42,936 [root] INFO: Disabling sleep skipping.
2019-05-16 04:25:42,950 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-16 04:25:42,967 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2448 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-05-16 04:25:42,967 [root] DEBUG: Commandline: C:\Windows\System32\"C:\Windows\SysWOW64\gluerel.exe".
2019-05-16 04:25:42,967 [root] INFO: Added new process to list with pid: 2448
2019-05-16 04:25:42,967 [root] INFO: Monitor successfully loaded in process with pid 2448.
2019-05-16 04:25:43,684 [root] DEBUG: set_caller_info: Adding region at 0x00370000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-16 04:25:43,700 [root] DEBUG: DLL unloaded from 0x00400000.
2019-05-16 04:25:43,730 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-05-16 04:25:43,730 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 740
2019-05-16 04:25:43,730 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 04:25:43,746 [lib.api.process] INFO: 32-bit DLL to inject is C:\jkoxkfbadn\dll\OJdFLGbg.dll, loader C:\jkoxkfbadn\bin\gZteDSd.exe
2019-05-16 04:25:43,762 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KgHquv.
2019-05-16 04:25:43,778 [root] DEBUG: Loader: Injecting process 740 (thread 320) with C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:43,778 [root] DEBUG: Process image base: 0x00400000
2019-05-16 04:25:43,793 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:43,825 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77380000
2019-05-16 04:25:43,855 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x00430000.
2019-05-16 04:25:43,871 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 04:25:43,871 [root] DEBUG: Successfully injected DLL C:\jkoxkfbadn\dll\OJdFLGbg.dll.
2019-05-16 04:25:43,871 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 740
2019-05-16 04:25:43,871 [root] DEBUG: DLL unloaded from 0x75700000.
2019-05-16 04:25:43,871 [root] INFO: Notified of termination of process with pid 2448.
2019-05-16 04:25:43,871 [root] WARNING: Unable to open termination event for pid 2448.
2019-05-16 04:25:43,871 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 04:25:43,871 [root] DEBUG: DLL unloaded from 0x74500000.
2019-05-16 04:25:43,871 [root] INFO: Disabling sleep skipping.
2019-05-16 04:25:43,871 [root] DEBUG: DLL unloaded from 0x75700000.
2019-05-16 04:25:43,871 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-05-16 04:25:43,887 [root] INFO: Notified of termination of process with pid 3040.
2019-05-16 04:25:43,887 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-16 04:25:43,887 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 740 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-05-16 04:25:43,887 [root] DEBUG: Commandline: C:\Windows\System32\--caeb0eba.
2019-05-16 04:25:43,887 [root] INFO: Added new process to list with pid: 740
2019-05-16 04:25:43,887 [root] INFO: Monitor successfully loaded in process with pid 740.
2019-05-16 04:25:44,323 [root] INFO: Process with pid 3040 has terminated
2019-05-16 04:25:44,323 [root] INFO: Process with pid 2448 has terminated
2019-05-16 04:25:44,994 [root] DEBUG: set_caller_info: Adding region at 0x006C0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-16 04:25:47,194 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF2C10000 to caller regions list (ntdll::NtDuplicateObject).
2019-05-16 04:25:47,210 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF86E0000 to caller regions list (ntdll::NtDuplicateObject).
2019-05-16 04:25:47,210 [root] DEBUG: DLL unloaded from 0x000007FEF59C0000.
2019-05-16 04:25:47,210 [root] DEBUG: DLL unloaded from 0x000007FEFA5F0000.
2019-05-16 04:25:47,210 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA5F0000 to caller regions list (ntdll::NtClose).
2019-05-16 04:25:47,226 [root] DEBUG: DLL unloaded from 0x000007FEFBAB0000.
2019-05-16 04:25:47,226 [root] DEBUG: DLL unloaded from 0x000007FEF9740000.
2019-05-16 04:25:47,240 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9740000 to caller regions list (ntdll::NtFreeVirtualMemory).
2019-05-16 04:25:47,240 [root] DEBUG: DLL unloaded from 0x000007FEF9C60000.
2019-05-16 04:25:47,240 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9C60000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-16 04:25:47,240 [root] DEBUG: DLL unloaded from 0x000007FEF96B0000.
2019-05-16 04:25:47,256 [root] DEBUG: DLL unloaded from 0x000007FEFA1D0000.
2019-05-16 04:25:47,256 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA1D0000 to caller regions list (ntdll::NtClose).
2019-05-16 04:25:47,256 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA100000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-16 04:25:56,851 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\crypt32 (0x11d000 bytes).
2019-05-16 04:25:56,851 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-05-16 04:25:56,881 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-05-16 04:25:56,898 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-05-16 04:25:56,913 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-05-16 04:25:56,928 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-05-16 04:25:56,944 [root] DEBUG: DLL loaded at 0x74B80000: C:\Windows\SysWOW64\userenv (0x17000 bytes).
2019-05-16 04:25:56,944 [root] DEBUG: DLL loaded at 0x74B70000: C:\Windows\SysWOW64\profapi (0xb000 bytes).
2019-05-16 04:25:56,944 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\SysWOW64\wtsapi32 (0xd000 bytes).
2019-05-16 04:25:56,944 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-05-16 04:25:56,944 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-05-16 04:25:59,611 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-05-16 04:26:03,684 [root] DEBUG: DLL loaded at 0x74280000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-05-16 04:26:03,839 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2019-05-16 04:26:03,839 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-05-16 04:26:03,871 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-05-16 04:26:03,871 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-05-16 04:26:03,871 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\SysWOW64\dnsapi (0x44000 bytes).
2019-05-16 04:26:03,885 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\SysWOW64\iphlpapi (0x1c000 bytes).
2019-05-16 04:26:03,885 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\SysWOW64\WINNSI (0x7000 bytes).
2019-05-16 04:26:03,885 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-16 04:26:03,885 [root] DEBUG: DLL loaded at 0x75520000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-05-16 04:26:03,901 [root] DEBUG: DLL loaded at 0x74740000: C:\Windows\SysWOW64\RASAPI32 (0x52000 bytes).
2019-05-16 04:26:03,901 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\SysWOW64\rasman (0x15000 bytes).
2019-05-16 04:26:03,933 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\SysWOW64\rtutils (0xd000 bytes).
2019-05-16 04:26:03,933 [root] DEBUG: DLL unloaded from 0x74740000.
2019-05-16 04:26:03,948 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\SysWOW64\sensapi (0x6000 bytes).
2019-05-16 04:26:03,948 [root] DEBUG: DLL unloaded from 0x75370000.
2019-05-16 04:26:03,948 [root] DEBUG: DLL unloaded from 0x74B10000.
2019-05-16 04:26:03,963 [root] DEBUG: DLL loaded at 0x74E30000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-05-16 04:26:03,963 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-05-16 04:26:03,963 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-05-16 04:26:03,963 [root] DEBUG: DLL loaded at 0x74F00000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-05-16 04:26:03,963 [root] DEBUG: DLL loaded at 0x74DA0000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-05-16 04:26:03,980 [root] DEBUG: DLL loaded at 0x74EF0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-05-16 04:26:03,980 [root] DEBUG: DLL loaded at 0x74730000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-05-16 04:26:03,980 [root] DEBUG: DLL loaded at 0x74720000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2019-05-16 04:26:03,980 [root] DEBUG: DLL loaded at 0x746E0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-05-16 04:26:04,026 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-05-16 04:26:04,058 [root] DEBUG: DLL loaded at 0x74680000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-05-16 04:26:04,073 [root] DEBUG: DLL loaded at 0x74670000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-05-16 04:26:04,088 [root] DEBUG: DLL loaded at 0x74650000: C:\Windows\SysWOW64\DHCPCSVC (0x12000 bytes).
2019-05-16 04:26:04,088 [root] DEBUG: DLL loaded at 0x74640000: C:\Windows\SysWOW64\dhcpcsvc6 (0xd000 bytes).
2019-05-16 04:26:04,088 [root] DEBUG: DLL unloaded from 0x74B40000.
2019-05-16 04:26:04,088 [root] DEBUG: DLL unloaded from 0x74650000.
2019-05-16 04:26:06,381 [root] DEBUG: DLL unloaded from 0x75370000.
2019-05-16 04:26:16,538 [root] DEBUG: DLL unloaded from 0x74680000.
2019-05-16 04:26:16,585 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-05-16 04:26:16,585 [root] DEBUG: DLL unloaded from 0x75370000.
2019-05-16 04:26:32,839 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-16 04:29:20,009 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-05-16 04:29:20,009 [root] INFO: Created shutdown mutex.
2019-05-16 04:29:21,023 [root] INFO: Setting terminate event for process 1708.
2019-05-16 04:29:21,023 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1708
2019-05-16 04:29:21,023 [root] INFO: Terminating process 1708 before shutdown.
2019-05-16 04:29:21,023 [root] INFO: Waiting for process 1708 to exit.
2019-05-16 04:29:21,023 [root] DEBUG: Terminate Event: Skipping dump of process 1708
2019-05-16 04:29:21,289 [root] INFO: Announced 64-bit process name: explorer.exe pid: 2536
2019-05-16 04:29:21,305 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 04:29:21,305 [lib.api.process] INFO: 64-bit DLL to inject is C:\jkoxkfbadn\dll\LAzojT.dll, loader C:\jkoxkfbadn\bin\wGPEwMRo.exe
2019-05-16 04:29:21,305 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\KgHquv.
2019-05-16 04:29:21,305 [root] DEBUG: Loader: Injecting process 2536 (thread 2924) with C:\jkoxkfbadn\dll\LAzojT.dll.
2019-05-16 04:29:21,319 [root] DEBUG: Process image base: 0x00000000FFA80000
2019-05-16 04:29:21,322 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-16 04:29:21,322 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-16 04:29:21,325 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 04:29:21,328 [root] INFO: Disabling sleep skipping.
2019-05-16 04:29:21,329 [root] WARNING: Unable to place hook on LockResource
2019-05-16 04:29:21,329 [root] WARNING: Unable to hook LockResource
2019-05-16 04:29:21,329 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2536 at 0x0000000074420000, image base 0x00000000FFA80000, stack from 0x0000000004D32000-0x0000000004D40000
2019-05-16 04:29:21,339 [root] DEBUG: Commandline: C:\Windows\sysnative\explorer.exe.
2019-05-16 04:29:21,339 [root] INFO: Added new process to list with pid: 2536
2019-05-16 04:29:21,339 [root] INFO: Monitor successfully loaded in process with pid 2536.
2019-05-16 04:29:21,339 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-16 04:29:21,339 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-16 04:29:21,339 [root] DEBUG: Successfully injected DLL C:\jkoxkfbadn\dll\LAzojT.dll.
2019-05-16 04:29:21,349 [root] DEBUG: DLL unloaded from 0x000007FEFBC10000.
2019-05-16 04:29:22,029 [root] INFO: Setting terminate event for process 740.
2019-05-16 04:29:22,029 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 740
2019-05-16 04:29:22,029 [root] DEBUG: Terminate Event: Skipping dump of process 740
2019-05-16 04:29:22,029 [root] INFO: Terminating process 740 before shutdown.
2019-05-16 04:29:22,029 [root] INFO: Waiting for process 740 to exit.
2019-05-16 04:29:23,043 [root] INFO: Setting terminate event for process 2536.
2019-05-16 04:29:23,043 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2536
2019-05-16 04:29:23,043 [root] DEBUG: Terminate Event: Skipping dump of process 2536
2019-05-16 04:29:23,043 [root] INFO: Terminating process 2536 before shutdown.
2019-05-16 04:29:23,043 [root] INFO: Waiting for process 2536 to exit.
2019-05-16 04:29:24,058 [root] INFO: Shutting down package.
2019-05-16 04:29:24,058 [root] INFO: Stopping auxiliary modules.
2019-05-16 04:29:24,058 [root] INFO: Finishing auxiliary modules.
2019-05-16 04:29:24,058 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-05-16 04:29:24,058 [root] WARNING: File at path "C:\fbLWSbK\debugger" does not exist, skip.
2019-05-16 04:29:24,058 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name: target-02
Label: target-02
Manager: ESX
Started On: 2019-05-16 03:25:01
Shutdown On: 2019-05-16 03:29:37

File Details

File Name c370cbfd24022030b6e65cb49d93625b0dab7a8de5d9d1d5dbdc2e6b69cd508a
File Size 169536 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e98d009b924e1c979ac85ef4d6e1445d
SHA1 b58b502a71df1ef7c483b821b6161b89698ebde6
SHA256 c370cbfd24022030b6e65cb49d93625b0dab7a8de5d9d1d5dbdc2e6b69cd508a
SHA512 2c0ad48fce2851366d1ed3b19077efacba6e2c99c74cf7b989da792c186d55d99d2704e210a489ff8b0d683b24d085ce5ff6144fc16695cd3b9423dc5e330dd6
CRC32 D663FACF
Ssdeep 3072:ZWoofUTXKZLk/lvI6enmhUcUygISmkEmKMKZiGG+ZJY0WZQu6JsdN0HCH5+iog:RjXP/hHenK5NSmHN/ZZG+ZO6z
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Communicates with IPs located across a large number of unique countries
country: United States
country: Poland
country: Taiwan
country: Argentina
country: Mexico
country: Germany
country: United Kingdom
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: gluerel.exe, PID 2448
Mimics the system's user agent string for its own requests
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/OpenServiceA
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CFGMGR32.dll/CMP_UnregisterNotification
Performs HTTP requests potentially not found in PCAP.
Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
Drops a binary and executes it
binary: C:\Windows\SysWOW64\gluerel.exe
Multiple direct IP connections
direct_ip_connections: Made direct connections to 9 unique IP addresses
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.16, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00016e00, virtual_size: 0x00016ce6
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (460) called API GetSystemTimeAsFileTime 7218068 times
Installs itself for autorun at Windows startup
service name: gluerel
service path: "C:\Windows\SysWOW64\gluerel.exe"
Creates a copy of itself
copy: C:\Windows\SysWOW64\gluerel.exe

Hosts

Direct   IP               Country Name
Y        8.8.8.8          United States
Y        64.87.26.16      United States
Y        31.179.135.186   Poland
Y        218.161.88.253   Taiwan
Y        200.32.61.210    Argentina
Y        189.143.52.49    Mexico
Y        185.94.252.27    Germany
Y        181.15.177.100   Argentina
Y        109.104.79.48    United Kingdom

DNS

Name                              Response   Post-Analysis Lookup
www.download.windowsupdate.com
crt.usertrust.com

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
C:\Users\user\AppData\Local\Temp\miE9i3N.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Windows\
C:\Windows\SysWOW64\
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\gluerel.exe
C:\Users
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
\??\MountPointManager
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows
C:\Windows\SysWOW64
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Local\
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
C:\Users\user\AppData\Local\Microsoft\Windows\Burn
C:\Windows\Temp
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\miE9i3N.exe
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Windows
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Local\Microsoft\Windows\Burn
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Users\user\AppData\Local\Temp\miE9i3N.exe
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsiproxy\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsi\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\RequiredPrivileges
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}\(Default)
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
kernel32.dll.LoadLibraryExA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualAlloc
kernel32.dll.SetFilePointer
kernel32.dll.lstrlenA
kernel32.dll.lstrcatA
kernel32.dll.VirtualProtect
kernel32.dll.UnmapViewOfFile
kernel32.dll.GetModuleHandleA
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.VirtualFree
kernel32.dll.GetTempPathA
kernel32.dll.CreateFileA
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
ntdll.dll.EtwUnregisterTraceGuids
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.OpenServiceA
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
cfgmgr32.dll.CMP_UnregisterNotification
C:\Users\user\AppData\Local\Temp\miE9i3N.exe --8ea82f2a
"C:\Windows\SysWOW64\gluerel.exe"
C:\Windows\SysWOW64\gluerel.exe --caeb0eba
Global\IA4889F95
Global\MA4889F95
IESQMMUTEX_0_208
gluerel
gluerel

PE Information

Image Base 0x00400000
Entry Point 0x00417b00
Reported Checksum 0x0002c419
Actual Checksum 0x0002c419
Minimum OS Version 5.0
Compile Time 2019-05-16 03:11:42
Import Hash d22b5108a2ea7747ee87ec83f7a89d94

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00016ce6 0x00016e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.16
.rdata 0x00018000 0x000085c2 0x00008600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.77
.data 0x00021000 0x0000569c 0x00005600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.21
.rsrc 0x00027000 0x00002fc0 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.77

Overlay

Offset 0x00027e00
Size 0x00001840

Imports

Library KERNEL32.dll:
0x41818c GetProcAddress
0x418194 GetProcessHeap
0x41819c GetStartupInfoA
0x4181a0 GetStartupInfoW
0x4181a4 GetStdHandle
0x4181a8 GetStringTypeA
0x4181ac GetStringTypeExW
0x4181b0 GetStringTypeW
0x4181b8 GetSystemDirectoryW
0x4181bc GetSystemInfo
0x4181c4 GetSystemTime
0x4181cc GetSystemTimes
0x4181d4 GetTempFileNameW
0x4181d8 GetTempPathW
0x4181dc GetTickCount
0x4181e0 GetTimeFormatA
0x4181e8 GetUserDefaultLCID
0x4181f0 GetVersion
0x4181f4 GetVersionExW
0x418200 GlobalAlloc
0x418204 GlobalFindAtomA
0x418208 GlobalFree
0x41820c GlobalUnWire
0x418210 HeapAlloc
0x418214 HeapCreate
0x418218 HeapDestroy
0x41821c HeapFree
0x418220 HeapReAlloc
0x418224 HeapSize
0x418238 InterlockedExchange
0x418244 IsBadReadPtr
0x418248 IsDebuggerPresent
0x418250 IsValidCodePage
0x418254 IsValidLocale
0x418258 IsWow64Process
0x41825c LCMapStringA
0x418260 LCMapStringW
0x418268 LoadLibraryA
0x41826c LoadLibraryExW
0x418270 LoadLibraryW
0x418274 LoadResource
0x418278 LocalAlloc
0x418280 LocalFree
0x418284 LockFile
0x418288 LockResource
0x41828c MapViewOfFileEx
0x418290 Module32FirstW
0x418294 MoveFileW
0x418298 MulDiv
0x41829c MultiByteToWideChar
0x4182a0 OpenEventA
0x4182ac OpenMutexW
0x4182b0 OpenProcess
0x4182b4 OpenThread
0x4182b8 OutputDebugStringW
0x4182bc PeekNamedPipe
0x4182c0 Process32FirstW
0x4182c4 Process32NextW
0x4182d0 RaiseException
0x4182d8 ReadFile
0x4182dc ReadProcessMemory
0x4182e0 ReleaseMutex
0x4182e4 ReleaseSemaphore
0x4182e8 ReplaceFile
0x4182ec ResetEvent
0x4182f0 ResumeThread
0x4182f4 RtlUnwind
0x418300 SetEndOfFile
0x418308 SetEvent
0x41830c SetFileAttributesA
0x418310 SetFilePointer
0x418314 SetFilePointerEx
0x418318 SetHandleCount
0x41831c SetLastError
0x418324 SetStdHandle
0x418328 SetThreadLocale
0x418330 SetWaitableTimer
0x418334 SizeofResource
0x418338 Sleep
0x418340 TerminateProcess
0x418344 TerminateThread
0x418348 TlsAlloc
0x41834c TlsFree
0x418350 TlsGetValue
0x418354 TlsSetValue
0x418360 UnlockFile
0x418364 UnmapViewOfFile
0x418368 VerSetConditionMask
0x41836c VerifyVersionInfoW
0x418370 VirtualAlloc
0x418374 VirtualAllocEx
0x418378 VirtualFree
0x41837c VirtualFreeEx
0x418380 VirtualLock
0x41838c WaitForSingleObject
0x418390 WideCharToMultiByte
0x418394 WriteConsoleA
0x418398 WriteConsoleW
0x41839c WriteFile
0x4183a8 lstrcmpA
0x4183ac lstrcmpiA
0x4183b0 lstrcmpiW
0x4183b4 lstrcpynW
0x4183b8 lstrlen
0x4183bc lstrlenA
0x4183c0 lstrlenW
0x4183c4 FlushFileBuffers
0x4183c8 FindResourceW
0x4183d0 GetOverlappedResult
0x4183d4 GetOEMCP
0x4183dc GetModuleHandleW
0x4183e0 GetModuleHandleA
0x4183e4 GetModuleFileNameW
0x4183e8 GetModuleFileNameA
0x4183ec GetLongPathNameW
0x4183f0 GetLogicalDrives
0x4183f4 GetLocaleInfoW
0x4183f8 GetLocaleInfoA
0x4183fc GetLocalTime
0x418400 GetLastError
0x418404 GetFileType
0x418408 GetFileTime
0x41840c GetFileSizeEx
0x418410 GetFileSize
0x418414 GetFileAttributesW
0x418420 GetExitCodeThread
0x418424 GetExitCodeProcess
0x41842c GetDriveTypeA
0x418430 GetDiskFreeSpaceExW
0x418434 GetDateFormatA
0x418438 GetCurrentThreadId
0x41843c GetCurrentProcessId
0x418440 GetCurrentProcess
0x418448 GetConsoleOutputCP
0x41844c GetConsoleMode
0x418450 GetConsoleCP
0x418454 GetConsoleAliasesW
0x418458 GetCommandLineW
0x41845c GetCommState
0x418460 GetCPInfoExA
0x418464 GetCPInfo
0x418468 GetAtomNameW
0x41846c GetACP
0x418470 FreeResource
0x418474 FreeLibrary
0x41847c FreeConsole
0x418480 OpenMutexA
0x418484 FormatMessageW
0x418488 FindResourceExW
0x41848c FindNextFileW
0x418490 FindFirstFileW
0x418498 FindClose
0x41849c FindAtomW
0x4184a8 FatalAppExitA
0x4184ac ExitThread
0x4184b0 ExitProcess
0x4184b4 EnumSystemLocalesA
0x4184bc DuplicateHandle
0x4184c0 DisconnectNamedPipe
0x4184c4 DeviceIoControl
0x4184cc DeleteFileW
0x4184d0 DeleteFileA
0x4184d8 DeleteAtom
0x4184e4 CreateThread
0x4184e8 CreateSemaphoreW
0x4184ec CreateSemaphoreA
0x4184f0 CreateRemoteThread
0x4184f4 CreateProcessW
0x4184f8 CreateNamedPipeW
0x4184fc CreateMutexW
0x418500 CreateMutexA
0x418504 CreateFileW
0x418508 CreateFileMappingW
0x41850c CreateFileA
0x418510 CreateEventW
0x418514 CreateEventA
0x418518 CreateDirectoryW
0x41851c CreateDirectoryA
0x418520 CopyFileW
0x418524 CopyFileExA
0x418528 ConnectNamedPipe
0x41852c CompareStringW
0x418530 CompareStringA
0x418534 CompareFileTime
0x418538 CloseHandle
0x41853c CancelIo
0x418540 OpenEventW
0x418544 AddAtomW
Library USER32.dll:
0x418610 keybd_event
0x418614 WindowFromPoint
0x418618 WaitForInputIdle
0x41861c UpdateWindow
0x418620 UpdateLayeredWindow
0x418624 UnregisterClassA
0x418628 TranslateMessage
0x418630 SwitchToThisWindow
0x418634 ShowWindow
0x418638 ShowOwnedPopups
0x41863c SetWindowsHookExA
0x418640 SetWindowsHookA
0x418644 SetWindowTextW
0x418648 SetWindowPos
0x41864c SetWindowLongW
0x418650 SetTimer
0x418654 SetRectEmpty
0x418658 SetRect
0x41865c SetForegroundWindow
0x418660 SetFocus
0x418664 SetCursor
0x418668 SetClipboardViewer
0x41866c SetClassLongW
0x418670 SetActiveWindow
0x418674 SendMessageW
0x418678 SendMessageTimeoutW
0x41867c ScreenToClient
0x418680 ReleaseDC
0x418684 ReleaseCapture
0x41868c RegisterClassExW
0x418690 PtInRect
0x418694 PostQuitMessage
0x418698 PostMessageW
0x41869c PeekMessageW
0x4186a0 OpenInputDesktop
0x4186a4 OffsetRect
0x4186a8 MonitorFromWindow
0x4186ac MonitorFromRect
0x4186b0 MonitorFromPoint
0x4186b4 MessageBoxW
0x4186b8 MapWindowPoints
0x4186bc LoadStringW
0x4186c0 LoadImageW
0x4186c4 LoadCursorW
0x4186c8 KillTimer
0x4186cc IsWindowVisible
0x4186d0 IsWindowEnabled
0x4186d4 IsWindow
0x4186d8 IsDialogMessageW
0x4186dc InvalidateRect
0x4186e4 GetWindowTextW
0x4186e8 GetWindowRect
0x4186ec GetWindowPlacement
0x4186f0 GetWindowLongW
0x4186f4 GetWindowInfo
0x4186f8 GetWindow
0x4186fc GetSystemMetrics
0x418700 GetShellWindow
0x418704 GetParent
0x418708 GetMonitorInfoW
0x41870c GetMessageW
0x418710 GetMessagePos
0x418714 GetKeyboardState
0x418718 GetForegroundWindow
0x41871c GetDesktopWindow
0x418720 GetDC
0x418724 GetCursorPos
0x418728 GetClientRect
0x41872c GetClassLongW
0x418730 GetClassInfoExW
0x418734 GetAncestor
0x418738 GetActiveWindow
0x41873c FindWindowW
0x418740 FindWindowExW
0x418744 ExitWindowsEx
0x418750 EnableWindow
0x418754 DrawTextW
0x418758 DispatchMessageW
0x41875c DestroyWindow
0x418760 DestroyIcon
0x418764 DefWindowProcW
0x418768 CreateWindowExW
0x41876c CopyRect
0x418770 CloseDesktop
0x418774 ClientToScreen
0x418778 CharNextW
0x41877c CallWindowProcW
0x418780 AttachThreadInput
0x418788 AdjustWindowRect
Library GDI32.dll:
0x4180c8 AngleArc
0x4180cc CloseMetaFile
0x4180d0 CreateBrushIndirect
0x4180d8 CreateCompatibleDC
0x4180dc CreateDIBSection
0x4180e0 CreateEllipticRgn
0x4180e4 CreateFontIndirectW
0x4180e8 CreateFontW
0x4180ec CreatePolygonRgn
0x4180f0 DeleteDC
0x4180f4 DeleteObject
0x4180fc EngDeletePath
0x418100 EngFillPath
0x418104 EngReleaseSemaphore
0x418108 ExtCreatePen
0x418110 GdiEntry9
0x418114 GdiValidateHandle
0x418118 GetBkMode
0x418120 GetCharABCWidthsI
0x418124 GetCharWidthInfo
0x41812c GetLogColorSpaceA
0x418130 GetObjectW
0x418138 GetStockObject
0x418140 GetTextExtentPointI
0x418148 LPtoDP
0x41814c PATHOBJ_bEnum
0x418150 PlayMetaFile
0x418154 PolyBezier
0x418158 RoundRect
0x41815c SelectObject
0x418160 SetDIBColorTable
0x418164 SetROP2
0x418168 SetRectRgn
0x41816c SetTextColor
0x418170 SwapBuffers
0x418174 UnloadNetworkFonts
0x418178 cGetTTFFromFOT
0x41817c BitBlt
Library ADVAPI32.dll:
0x418004 CloseServiceHandle
0x418010 CreateWellKnownSid
0x418018 CryptGenRandom
0x41801c CryptReleaseContext
0x418020 DuplicateToken
0x418024 DuplicateTokenEx
0x418028 EqualSid
0x41802c FreeSid
0x418034 GetTokenInformation
0x418038 GetUserNameW
0x418044 LookupAccountSidW
0x41804c OpenEventLogW
0x418050 OpenProcessToken
0x418054 OpenSCManagerW
0x418058 OpenServiceW
0x41805c QueryServiceStatus
0x418060 ReadEventLogW
0x418064 RegCloseKey
0x418068 RegCreateKeyA
0x41806c RegCreateKeyExW
0x418070 RegDeleteKeyW
0x418074 RegDeleteValueW
0x418078 RegEnumKeyExA
0x41807c RegEnumKeyExW
0x418084 RegOpenKeyExA
0x418088 RegOpenKeyExW
0x41808c RegOpenKeyW
0x418090 RegQueryInfoKeyW
0x418094 RegQueryValueExA
0x418098 RegQueryValueExW
0x41809c RegSetValueExW
0x4180a0 RevertToSelf
0x4180a4 SetEntriesInAclW
0x4180b0 StartServiceW
0x4180b4 RegOpenKeyA
0x4180c0 CloseEventLog
Library SHELL32.dll:
0x41854c ShellExecuteW
0x418550 ShellExecuteExW
0x418554 ShellExecuteA
0x418558 SHLoadInProc
0x418560 SHGetMalloc
0x418568 SHGetFolderPathW
0x41856c SHGetFolderPathA
0x418570 SHFileOperationA
0x418578 SHChangeNotify
0x418580 DragQueryFileA
0x418584 Shell_NotifyIconW
Library SHLWAPI.dll:
0x41858c ColorHLSToRGB
0x418590 ColorRGBToHLS
0x418594 PathAddBackslashW
0x418598 PathAppendW
0x41859c PathCombineA
0x4185a0 PathCombineW
0x4185a4 PathCompactPathW
0x4185a8 PathFileExistsA
0x4185ac AssocQueryStringW
0x4185b0 PathFindExtensionW
0x4185b4 PathFindFileNameA
0x4185b8 PathFindFileNameW
0x4185bc PathIsDirectoryW
0x4185c0 PathIsPrefixW
0x4185cc PathRemoveFileSpecW
0x4185d0 PathStripPathW
0x4185d4 SHDeleteKeyW
0x4185d8 SHDeleteValueA
0x4185dc SHDeleteValueW
0x4185e0 SHGetValueA
0x4185e4 SHGetValueW
0x4185e8 SHSetValueA
0x4185ec SHSetValueW
0x4185f0 StrCmpIW
0x4185f4 StrCmpNA
0x4185f8 StrRStrIW
0x4185fc StrStrIW
0x418600 StrStrW
0x418604 wnsprintfW
0x418608 PathFileExistsW

.text
`.rdata
@.data
.rsrc
(O`L
.(S8K
<j{gtL{
r+e4B
a}/3JQK
I!q*x
Y5?5B
kPrlteco
VnmasVieTOfFjle
Get6odu/eHa%dleB
teF*le
|000p;
000k<
6 hbU
'000x
`000R<
m3<4B
000A.?
2s0003H
jJ000h
%A000
AddAtomW
CancelIo
CloseHandle
CompareFileTime
CompareStringA
CompareStringW
ConnectNamedPipe
CopyFileExA
CopyFileW
CreateDirectoryA
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileMappingW
CreateFileW
CreateMutexA
CreateMutexW
CreateNamedPipeW
CreateProcessW
CreateRemoteThread
CreateSemaphoreA
CreateSemaphoreW
CreateThread
CreateToolhelp32Snapshot
CreateWaitableTimerA
DeleteAtom
DeleteCriticalSection
DeleteFileA
DeleteFileW
DeleteVolumeMountPointW
DeviceIoControl
DisconnectNamedPipe
DuplicateHandle
EnterCriticalSection
EnumSystemLocalesA
ExitProcess
ExitThread
FatalAppExitA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindAtomW
FindClose
FindCloseChangeNotification
FindFirstFileW
FindNextFileW
FindResourceExW
FindResourceW
FlushFileBuffers
FlushInstructionCache
FormatMessageW
FreeConsole
FreeEnvironmentStringsW
FreeLibrary
FreeResource
GetACP
GetAtomNameW
GetCPInfo
GetCPInfoExA
GetCommState
GetCommandLineW
GetConsoleAliasesW
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatA
GetDiskFreeSpaceExW
GetDriveTypeA
GetEnvironmentStringsW
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesExA
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetFileSizeEx
GetFileTime
GetFileType
GetLastError
GetLocalTime
GetLocaleInfoA
GetLocaleInfoW
GetLogicalDrives
GetLongPathNameW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetNumberOfConsoleMouseButtons
GetOEMCP
GetOverlappedResult
GetPrivateProfileIntW
GetPrivateProfileSectionNamesW
GetPrivateProfileSectionW
GetPrivateProfileStringW
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetProcessIoCounters
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeExW
GetStringTypeW
GetSystemDefaultUILanguage
GetSystemDirectoryW
GetSystemInfo
GetSystemPowerStatus
GetSystemTime
GetSystemTimeAsFileTime
GetSystemTimes
GetSystemWindowsDirectoryW
GetTempFileNameW
GetTempPathW
GetTickCount
GetTimeFormatA
GetTimeZoneInformation
GetUserDefaultLCID
GetUserDefaultUILanguage
GetVersion
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
GlobalAlloc
GlobalFindAtomA
GlobalFree
GlobalUnWire
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedCompareExchange
InterlockedDecrement
InterlockedExchange
InterlockedExchangeAdd
InterlockedIncrement
IsBadReadPtr
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
IsValidLocale
IsWow64Process
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LoadResource
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LockFile
LockResource
MapViewOfFileEx
Module32FirstW
MoveFileW
MulDiv
MultiByteToWideChar
OpenEventA
OpenEventW
OpenMutexA
OpenMutexW
OpenProcess
OpenThread
OutputDebugStringW
PeekNamedPipe
Process32FirstW
Process32NextW
ProcessIdToSessionId
QueryPerformanceCounter
RaiseException
ReadDirectoryChangesW
ReadFile
ReadProcessMemory
ReleaseMutex
ReleaseSemaphore
ReplaceFile
ResetEvent
ResumeThread
RtlUnwind
ScrollConsoleScreenBufferA
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableA
SetEvent
SetFileAttributesA
SetFilePointer
SetFilePointerEx
SetHandleCount
SetLastError
SetNamedPipeHandleState
SetStdHandle
SetThreadLocale
SetUnhandledExceptionFilter
SetWaitableTimer
SizeofResource
Sleep
SystemTimeToFileTime
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnhandledExceptionFilter
UnlockFile
UnmapViewOfFile
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualLock
WTSGetActiveConsoleSessionId
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteConsoleA
WriteConsoleW
WriteFile
WritePrivateProfileSectionW
WritePrivateProfileStringW
lstrcmpA
lstrcmpiA
lstrcmpiW
lstrcpynW
lstrlen
lstrlenA
lstrlenW
KERNEL32.dll
AdjustWindowRect
AllowSetForegroundWindow
AttachThreadInput
CallWindowProcW
CharNextW
ClientToScreen
CloseDesktop
CopyRect
CreateWindowExW
DefWindowProcW
DestroyIcon
DestroyWindow
DispatchMessageW
DrawTextW
EnableWindow
EnumClipboardFormats
EnumDisplaySettingsW
ExitWindowsEx
FindWindowExW
FindWindowW
GetActiveWindow
GetAncestor
GetClassInfoExW
GetClassLongW
GetClientRect
GetCursorPos
GetDC
GetDesktopWindow
GetForegroundWindow
GetKeyboardState
GetMessagePos
GetMessageW
GetMonitorInfoW
GetParent
GetShellWindow
GetSystemMetrics
GetWindow
GetWindowInfo
GetWindowLongW
GetWindowPlacement
GetWindowRect
GetWindowTextW
GetWindowThreadProcessId
InvalidateRect
IsDialogMessageW
IsWindow
IsWindowEnabled
IsWindowVisible
KillTimer
LoadCursorW
LoadImageW
LoadStringW
MapWindowPoints
MessageBoxW
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
OffsetRect
OpenInputDesktop
PeekMessageW
PostMessageW
PostQuitMessage
PtInRect
RegisterClassExW
RegisterWindowMessageW
ReleaseCapture
ReleaseDC
ScreenToClient
SendMessageTimeoutW
SendMessageW
SetActiveWindow
SetClassLongW
SetClipboardViewer
SetCursor
SetFocus
SetForegroundWindow
SetRect
SetRectEmpty
SetTimer
SetWindowLongW
SetWindowPos
SetWindowTextW
SetWindowsHookA
SetWindowsHookExA
ShowOwnedPopups
ShowWindow
SwitchToThisWindow
SystemParametersInfoW
TranslateMessage
UnregisterClassA
UpdateLayeredWindow
UpdateWindow
WaitForInputIdle
WindowFromPoint
keybd_event
USER32.dll
AngleArc
BitBlt
CloseMetaFile
CreateBrushIndirect
CreateCompatibleBitmap
CreateCompatibleDC
CreateDIBSection
CreateEllipticRgn
CreateFontIndirectW
CreateFontW
CreatePolygonRgn
DeleteDC
DeleteObject
DeviceCapabilitiesExW
EngDeletePath
EngFillPath
EngReleaseSemaphore
ExtCreatePen
GdiCreateLocalEnhMetaFile
GdiEntry9
GdiValidateHandle
GetBkMode
GetCharABCWidthsFloatA
GetCharABCWidthsI
GetCharWidthInfo
GetEnhMetaFileDescriptionW
GetLogColorSpaceA
GetObjectW
GetOutlineTextMetricsW
GetStockObject
GetTextExtentPoint32W
GetTextExtentPointI
HT_Get8BPPMaskPalette
LPtoDP
PATHOBJ_bEnum
PlayMetaFile
PolyBezier
RoundRect
SelectObject
SetDIBColorTable
SetROP2
SetRectRgn
SetTextColor
SwapBuffers
UnloadNetworkFonts
cGetTTFFromFOT
GDI32.dll
AdjustTokenPrivileges
AllocateAndInitializeSid
CheckTokenMembership
CloseEventLog
CloseServiceHandle
ConvertSidToStringSidW
ConvertStringSidToSidW
CreateWellKnownSid
CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
DuplicateToken
DuplicateTokenEx
EqualSid
FreeSid
GetNamedSecurityInfoW
GetTokenInformation
GetUserNameW
ImpersonateLoggedOnUser
InitializeSecurityDescriptor
LookupAccountSidW
LookupPrivilegeValueW
OpenEventLogW
OpenProcessToken
OpenSCManagerW
OpenServiceW
QueryServiceStatus
ReadEventLogW
RegCloseKey
RegCreateKeyA
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExA
RegEnumKeyExW
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyW
RegQueryInfoKeyW
RegQueryValueExA
RegQueryValueExW
RegSetValueExW
RevertToSelf
SetEntriesInAclW
SetNamedSecurityInfoW
SetSecurityDescriptorDacl
StartServiceW
RegOpenKeyA
ADVAPI32.dll
Shell_NotifyIconW
ShellExecuteW
ShellExecuteExW
ShellExecuteA
SHLoadInProc
SHGetSpecialFolderPathW
SHGetMalloc
SHGetIconOverlayIndexW
SHGetFolderPathW
SHGetFolderPathA
SHFileOperationA
SHCreateDirectoryExW
SHChangeNotify
ExtractAssociatedIconExW
DragQueryFileA
SHELL32.dll
AssocQueryStringW
ColorHLSToRGB
ColorRGBToHLS
PathAddBackslashW
PathAppendW
PathCombineA
PathCombineW
PathCompactPathW
PathFileExistsA
PathFileExistsW
PathFindExtensionW
PathFindFileNameA
PathFindFileNameW
PathIsDirectoryW
PathIsPrefixW
PathRemoveBackslashW
PathRemoveExtensionW
PathRemoveFileSpecW
PathStripPathW
SHDeleteKeyW
SHDeleteValueA
SHDeleteValueW
SHGetValueA
SHGetValueW
SHSetValueA
SHSetValueW
StrCmpIW
StrCmpNA
StrRStrIW
StrStrIW
StrStrW
wnsprintfW
SHLWAPI.dll
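The import names above are a raw strings dump of the sample's import name table, so each DLL's function names appear before the DLL name that owns them. The following added example (not CAPE code and not code from the sample) groups such a dump by DLL and tags the API families a reviewer would want to see together: token manipulation, service control, registry writes, ACL changes and input hooking. The capability map is a hand-written assumption covering a few families, and the sample lines are a constructed subset of the strings listed on this page.

```python
"""Group import names from a PE strings dump by DLL and tag the capabilities they imply.

Added example for this report page; it is not CAPE code and not code from the
analysed sample.  The capability map is a hand-written assumption covering a
few API families, and the sample lines below are copied from the report's
strings section (names appear before the DLL they belong to, as they do in a
raw dump of the import name table).
"""
import re
from collections import defaultdict

DLL_RE = re.compile(r"^[A-Za-z0-9_.-]+\.dll$", re.IGNORECASE)

# Assumed map: capability label -> API names that indicate it.
CAPABILITIES = {
    "token manipulation": {"AdjustTokenPrivileges", "LookupPrivilegeValueW",
                           "OpenProcessToken", "DuplicateToken", "DuplicateTokenEx",
                           "ImpersonateLoggedOnUser", "RevertToSelf"},
    "service control": {"OpenSCManagerW", "OpenServiceW", "StartServiceW",
                        "QueryServiceStatus"},
    "registry write": {"RegCreateKeyA", "RegCreateKeyExW", "RegSetValueExW",
                       "SHSetValueA", "SHSetValueW"},
    "ACL tampering": {"SetNamedSecurityInfoW", "SetEntriesInAclW",
                      "SetSecurityDescriptorDacl"},
    "input hooking": {"SetWindowsHookA", "SetWindowsHookExA", "keybd_event",
                      "SetClipboardViewer"},
    "event log access": {"OpenEventLogW", "ReadEventLogW"},
    "child execution": {"ShellExecuteA", "ShellExecuteW", "ShellExecuteExW"},
}
API_TO_CAP = {api: cap for cap, apis in CAPABILITIES.items() for api in apis}


def group_by_dll(lines):
    """Return {DLL name (upper-case): [import names]}.

    Names are buffered until a '*.dll' line is reached, which closes the group.
    Trailing names with no DLL line are returned under the key None.
    """
    groups, pending = {}, []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if DLL_RE.match(line):
            groups[line.upper()] = pending
            pending = []
        else:
            pending.append(line)
    if pending:
        groups[None] = pending
    return groups


def triage(lines):
    """Return {DLL: {capability: [matching APIs]}}, omitting DLLs with no hits."""
    report = {}
    for dll, names in group_by_dll(lines).items():
        hits = defaultdict(list)
        for name in names:
            cap = API_TO_CAP.get(name)
            if cap:
                hits[cap].append(name)
        if hits:
            report[dll] = {cap: sorted(apis) for cap, apis in hits.items()}
    return report


# Constructed sample: a subset of the strings listed in this report.
SAMPLE = """
SetWindowsHookExA
keybd_event
USER32.dll
BitBlt
GDI32.dll
AdjustTokenPrivileges
ImpersonateLoggedOnUser
OpenSCManagerW
StartServiceW
RegSetValueExW
SetNamedSecurityInfoW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
SHSetValueW
SHLWAPI.dll
""".splitlines()

if __name__ == "__main__":
    for dll, caps in triage(SAMPLE).items():
        for cap, apis in caps.items():
            print(f"{dll:<14} {cap:<20} {', '.join(apis)}")
```

Run against the full strings section, the ADVAPI32 group is the one to read first: service control plus token manipulation and ACL changes in a GUI executable that the process tree shows being started by services.exe is the combination a reviewer checks before anything else.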
tkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
rprocmsv
*ShellAPI
System
SysInit
KWindows
UTypes
CommCtrl
3Messages
sActiveX
+IdTCPServer
|IdResourceStrings
yIdStack
SysUtils
SysConst
^Classes
"RTLConsts
CVariants
$VarUtils
QTypInfo
IdException
@IdStackConsts
)IdWinSock2
uIdGlobal
IdStackWindows
8Registry
IniFiles
EIdURI
SyncObjs
IdStrings
IdThreadSafe
IdComponent
IdAntiFreezeBase
IdBaseComponent
mIdSocketHandle
IdTCPConnection
IdStream
IdTCPStream
IdIntercept
BIdIOHandler
IdRFCReply
yIdIOHandlerSocket
jIdSocks
IdAssignedNumbers
IdThread
%IdThreadMgr
IdThreadMgrDefault
IdServerIOHandler
&IdServerIOHandlerSocket
RemoteProcMgrServerU
GlobalConsts
MAINICON
Address type not supported.
Cannot call TerminateAndWaitFor on FreeAndTerminate threads
Socks server did not respond.
Invalid socks authentication method.
Authentication error to socks server.
Socket is not connected.
Cannot send or receive after socket is closed.
Bad protocol option.
Connect timed out.
Terminate Thread Timeout
%s.Seek not implemented
Class %s not found
List does not allow duplicates ($0%x)
Exception in safecall method
Floating point overflow
This file is not on VirusTotal.

Process Tree


miE9i3N.exe, PID: 2360, Parent PID: 2584
    Full Path: C:\Users\user\AppData\Local\Temp\miE9i3N.exe
    Command Line: "C:\Users\user\AppData\Local\Temp\miE9i3N.exe"
    miE9i3N.exe, PID: 3040, Parent PID: 2360
        Full Path: C:\Users\user\AppData\Local\Temp\miE9i3N.exe
        Command Line: --8ea82f2a
explorer.exe, PID: 1708, Parent PID: 1660
    Full Path: C:\Windows\explorer.exe
    Command Line: C:\Windows\Explorer.EXE
services.exe, PID: 460, Parent PID: 372
    Full Path: C:\Windows\sysnative\services.exe
    Command Line: C:\Windows\system32\services.exe
    gluerel.exe, PID: 2448, Parent PID: 460
        Full Path: C:\Windows\SysWOW64\gluerel.exe
        Command Line: "C:\Windows\SysWOW64\gluerel.exe"
        gluerel.exe, PID: 740, Parent PID: 2448
            Full Path: C:\Windows\SysWOW64\gluerel.exe
            Command Line: --caeb0eba
explorer.exe, PID: 2536, Parent PID: 396
    Full Path: C:\Windows\explorer.exe
    Command Line: explorer.exe

Hosts

Direct  IP               Country
Y       8.8.8.8          United States
Y       64.87.26.16      United States
Y       31.179.135.186   Poland
Y       218.161.88.253   Taiwan
Y       200.32.61.210    Argentina
Y       189.143.52.49    Mexico
Y       185.94.252.27    Germany
Y       181.15.177.100   Argentina
Y       109.104.79.48    United Kingdom

TCP

Source Source Port Destination Destination Port
192.168.35.22 49175 109.104.79.48 8080
192.168.35.22 49169 181.15.177.100 443
192.168.35.22 49176 185.94.252.27 443
192.168.35.22 49170 189.143.52.49 443
192.168.35.22 49172 200.32.61.210 8080
192.168.35.22 49174 218.161.88.253 8080
192.168.35.22 49171 31.179.135.186 80
192.168.35.22 49173 64.87.26.16 443

UDP

Source Source Port Destination Destination Port
192.168.35.22 58774 8.8.8.8 53
192.168.35.22 61809 8.8.8.8 53

DNS

Name                             Response
www.download.windowsupdate.com
crt.usertrust.com
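The process tree and the TCP table above are the two parts of this report a reviewer turns into findings: the sample re-launches itself with an eight-hex-digit switch, a copy named gluerel.exe is started by services.exe from SysWOW64 and repeats the same re-launch, and the only TCP traffic goes to eight external addresses on 80, 443 and 8080. The following added example (not CAPE code and not code from the sample) parses both sections in the plain-text layout shown on this page and applies those three heuristics; the heuristics and the reason strings are this example's own assumptions, and the embedded samples are constructed from the lines on this page.

```python
"""Turn a CAPE report's process tree and TCP table into review findings.

Added example for this report page; it is not CAPE code and not code from the
analysed sample.  It assumes the plain-text layout shown on this page, and the
three heuristics (child of services.exe, re-launch of the same image with an
8-hex-digit switch, execution from the user's Temp directory) are this
example's own, chosen because the report's tree shows each of them.
"""
import re
from ipaddress import ip_address

PROC_RE = re.compile(r"^(?P<name>\S+), PID: (?P<pid>\d+), Parent PID: (?P<ppid>\d+)$")
HEX_SWITCH_RE = re.compile(r"^--[0-9a-f]{8}$")
TCP_RE = re.compile(r"^(\S+) (\d+) (\S+) (\d+)$")


def parse_process_tree(text):
    """Return a list of {name, pid, ppid, path, cmdline} dicts, in report order."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            cur = {"name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
                   "path": "", "cmdline": ""}
            procs.append(cur)
        elif cur is not None and line.startswith("Full Path: "):
            cur["path"] = line[len("Full Path: "):]
        elif cur is not None and line.startswith("Command Line: "):
            cur["cmdline"] = line[len("Command Line: "):]
    return procs


def flag_suspicious(procs):
    """Return (pid, reason) pairs; a PID may appear more than once."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])  # None for roots whose parent is outside the tree
        if parent is not None and parent["name"].lower() == "services.exe":
            findings.append((p["pid"], "spawned by services.exe (service start)"))
        if (parent is not None and parent["path"].lower() == p["path"].lower()
                and HEX_SWITCH_RE.match(p["cmdline"])):
            findings.append((p["pid"], "relaunches own image with hex switch"))
        if "\\appdata\\local\\temp\\" in p["path"].lower():
            findings.append((p["pid"], "runs from user Temp directory"))
    return findings


def parse_tcp(text):
    """Return (src, sport, dst, dport) tuples from the TCP table, skipping the header."""
    conns = []
    for raw in text.splitlines():
        m = TCP_RE.match(raw.strip())
        if m:
            src, sport, dst, dport = m.groups()
            conns.append((src, int(sport), dst, int(dport)))
    return conns


def external_destinations(conns):
    """Sorted (ip, port) pairs for destinations that are globally routable."""
    return sorted({(dst, dport) for _, _, dst, dport in conns if ip_address(dst).is_global})


# Constructed samples: copied from the Process Tree and TCP sections of this report.
PROCESS_TREE = r"""
miE9i3N.exe, PID: 2360, Parent PID: 2584
Full Path: C:\Users\user\AppData\Local\Temp\miE9i3N.exe
Command Line: "C:\Users\user\AppData\Local\Temp\miE9i3N.exe"
miE9i3N.exe, PID: 3040, Parent PID: 2360
Full Path: C:\Users\user\AppData\Local\Temp\miE9i3N.exe
Command Line: --8ea82f2a
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
gluerel.exe, PID: 2448, Parent PID: 460
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: "C:\Windows\SysWOW64\gluerel.exe"
gluerel.exe, PID: 740, Parent PID: 2448
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: --caeb0eba
"""

TCP_TABLE = """
Source Source Port Destination Destination Port
192.168.35.22 49175 109.104.79.48 8080
192.168.35.22 49169 181.15.177.100 443
192.168.35.22 49176 185.94.252.27 443
192.168.35.22 49171 31.179.135.186 80
"""

if __name__ == "__main__":
    for pid, reason in flag_suspicious(parse_process_tree(PROCESS_TREE)):
        print(f"PID {pid}: {reason}")
    for ip, port in external_destinations(parse_tcp(TCP_TABLE)):
        print(f"{ip}:{port}")
```

The parent lookup is deliberately restricted to PIDs inside the tree, so a root such as services.exe (parent 372, not listed) produces no finding of its own; only its child does. Paths are compared case-insensitively because the report mixes sysnative, SysWOW64 and user-typed casing.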

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name gluerel.exe
Associated Filenames
C:\Windows\SysWOW64\gluerel.exe
File Size 169536 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e98d009b924e1c979ac85ef4d6e1445d
SHA1 b58b502a71df1ef7c483b821b6161b89698ebde6
SHA256 c370cbfd24022030b6e65cb49d93625b0dab7a8de5d9d1d5dbdc2e6b69cd508a
CRC32 D663FACF
Ssdeep 3072:ZWoofUTXKZLk/lvI6enmhUcUygISmkEmKMKZiGG+ZJY0WZQu6JsdN0HCH5+iog:RjXP/hHenK5NSmHN/ZZG+ZO6z
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Sorry! No process dumps.


Processing ( 2.185 seconds )

  • 0.729 BehaviorAnalysis
  • 0.474 CAPE
  • 0.324 Static
  • 0.234 Dropped
  • 0.233 TargetInfo
  • 0.09 TrID
  • 0.071 Deduplicate
  • 0.012 NetworkAnalysis
  • 0.012 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.579 seconds )

  • 0.307 antidbg_windows
  • 0.037 stealth_timeout
  • 0.032 antivm_vbox_window
  • 0.027 decoy_document
  • 0.025 antisandbox_script_timer
  • 0.024 api_spamming
  • 0.021 antiav_detectreg
  • 0.008 infostealer_ftp
  • 0.005 antivm_generic_disk
  • 0.005 infostealer_im
  • 0.004 mimics_filetime
  • 0.004 InjectionCreateRemoteThread
  • 0.004 antianalysis_detectreg
  • 0.004 antiav_detectfile
  • 0.004 infostealer_mail
  • 0.004 ransomware_files
  • 0.003 bootkit
  • 0.003 Doppelganging
  • 0.003 stealth_file
  • 0.003 injection_createremotethread
  • 0.003 InjectionProcessHollowing
  • 0.003 reads_self
  • 0.003 persistence_autorun
  • 0.003 injection_runpe
  • 0.003 virus
  • 0.003 ransomware_extensions
  • 0.002 InjectionInterProcess
  • 0.002 antivm_generic_scsi
  • 0.002 hancitor_behavior
  • 0.002 antivm_vbox_keys
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.001 lsass_credential_dumping
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 recon_programs
  • 0.001 antivm_generic_services
  • 0.001 antiemu_wine_func
  • 0.001 process_interest
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 dynamic_function_loading
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 recon_fingerprint

Reporting ( 0.016 seconds )

  • 0.014 SubmitCAPE
  • 0.002 CompressResults
Task ID 74104
Mongo ID 5cdcd928f284885ccecee9ed
Cuckoo release 1.3-CAPE