CAPE

Detections: Emotet


Analysis

Category  Package  Started              Completed            Duration
FILE      Emotet   2019-05-16 04:42:19  2019-05-16 04:44:14  115 seconds
2019-05-16 05:42:20,000 [root] INFO: Date set to: 05-16-19, time set to: 04:42:20, timeout set to: 60
2019-05-16 05:42:20,015 [root] DEBUG: Starting analyzer from: C:\vsbmml
2019-05-16 05:42:20,015 [root] DEBUG: Storing results at: C:\wTiOTfrMQO
2019-05-16 05:42:20,015 [root] DEBUG: Pipe server name: \\.\PIPE\vOhxGIkuZU
2019-05-16 05:42:20,015 [root] INFO: Analysis package "Emotet" has been specified.
2019-05-16 05:42:20,390 [root] DEBUG: Started auxiliary module Browser
2019-05-16 05:42:20,390 [root] DEBUG: Started auxiliary module Curtain
2019-05-16 05:42:20,390 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-05-16 05:42:45,427 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2019-05-16 05:42:45,427 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-05-16 05:42:45,427 [root] DEBUG: Started auxiliary module DigiSig
2019-05-16 05:42:45,427 [root] DEBUG: Started auxiliary module Disguise
2019-05-16 05:42:45,427 [root] DEBUG: Started auxiliary module Human
2019-05-16 05:42:45,443 [root] DEBUG: Started auxiliary module Screenshots
2019-05-16 05:42:45,443 [root] DEBUG: Started auxiliary module Sysmon
2019-05-16 05:42:45,443 [root] DEBUG: Started auxiliary module Usage
2019-05-16 05:42:45,443 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Emotet
2019-05-16 05:42:45,443 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL_64 option
2019-05-16 05:42:45,459 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\NEYPefKofXc2Q6H.exe" with arguments "" with pid 2772
2019-05-16 05:42:45,459 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 05:42:45,459 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 05:42:45,459 [lib.api.process] INFO: 32-bit DLL to inject is C:\vsbmml\dll\tPWnmavI.dll, loader C:\vsbmml\bin\MlXEWOh.exe
2019-05-16 05:42:45,459 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vOhxGIkuZU.
2019-05-16 05:42:45,459 [root] DEBUG: Loader: Injecting process 2772 (thread 2636) with C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:42:45,459 [root] DEBUG: Process image base: 0x00400000
2019-05-16 05:42:45,459 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:42:45,459 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77110000
2019-05-16 05:42:45,459 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c4 bytes for new import table at 0x00430000.
2019-05-16 05:42:45,459 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 05:42:45,459 [root] DEBUG: Successfully injected DLL C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:42:45,459 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2772
2019-05-16 05:42:47,470 [lib.api.process] INFO: Successfully resumed process with pid 2772
2019-05-16 05:42:47,470 [root] INFO: Added new process to list with pid: 2772
2019-05-16 05:42:47,470 [root] INFO: Enabled timeout enforce, running for the full timeout.
2019-05-16 05:42:47,486 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 05:42:47,486 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x230000
2019-05-16 05:42:47,486 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 05:42:47,517 [root] INFO: Disabling sleep skipping.
2019-05-16 05:42:47,517 [root] INFO: Disabling sleep skipping.
2019-05-16 05:42:47,517 [root] INFO: Monitor successfully loaded in process with pid 2772.
2019-05-16 05:42:47,517 [root] INFO: Disabling sleep skipping.
2019-05-16 05:42:47,517 [root] INFO: Disabling sleep skipping.
2019-05-16 05:42:47,595 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3e0000, RegionSize: 0x11000.
2019-05-16 05:42:47,595 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3e0000, AllocationSize: 0x11000, ThreadId: 0xa4c
2019-05-16 05:42:47,595 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3e0000 and Type=0x1.
2019-05-16 05:42:47,595 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3e0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xac.
2019-05-16 05:42:47,595 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3e0000
2019-05-16 05:42:47,595 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ee6
2019-05-16 05:42:47,595 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-05-16 05:42:47,595 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0x6e.
2019-05-16 05:42:47,595 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3e0000 and Type=0x0.
2019-05-16 05:42:47,595 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:47,595 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3e0000, AllocationBaseExecBpSet = 1 (EIP = 0x416ee6)
2019-05-16 05:42:47,595 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:47,595 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ee6
2019-05-16 05:42:47,595 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-05-16 05:42:47,595 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0x6e.
2019-05-16 05:42:47,595 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:42:47,595 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x417018
2019-05-16 05:42:47,595 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-05-16 05:42:47,611 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0x6e.
2019-05-16 05:42:47,611 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:42:47,611 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x417096
2019-05-16 05:42:47,611 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-05-16 05:42:47,611 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0x6d.
2019-05-16 05:42:47,611 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:42:48,236 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x300000, RegionSize: 0x10000.
2019-05-16 05:42:48,236 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3e0000.
2019-05-16 05:42:48,236 [root] DEBUG: DumpPEsInRange: Scanning range 0x3e0000 - 0x3f1000.
2019-05-16 05:42:48,236 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3e0000-0x3f1000.
2019-05-16 05:42:48,236 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x3e0000.
2019-05-16 05:42:48,250 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vsbmml\CAPE\2772_2364822516452019
2019-05-16 05:42:48,266 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\2772_2364822516452019
2019-05-16 05:42:48,266 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3f1000.
2019-05-16 05:42:48,266 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3e0000.
2019-05-16 05:42:48,266 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3e0000.
2019-05-16 05:42:48,266 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x300000, AllocationSize: 0x10000, ThreadId: 0xa4c
2019-05-16 05:42:48,266 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x300000 and Type=0x1.
2019-05-16 05:42:48,266 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x300000, size 2 with Callback 0x747f3120, ThreadHandle = 0xac.
2019-05-16 05:42:48,266 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x300000
2019-05-16 05:42:48,266 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x300000.
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x300000: 0xa4.
2019-05-16 05:42:48,266 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x300000 and Type=0x0.
2019-05-16 05:42:48,266 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x300000, AllocationBaseExecBpSet = 1 (EIP = 0x3efbfc)
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:48,266 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x300000.
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x300000: 0xa4.
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:42:48,266 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02d1
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x300000.
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x300000: 0xa4.
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:42:48,266 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02ea
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x300000.
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:42:48,266 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x30003c and Type=0x1.
2019-05-16 05:42:48,266 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x30003c (EIP = 0x3f02ea)
2019-05-16 05:42:48,266 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:48,266 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02d1
2019-05-16 05:42:48,266 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:42:48,266 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x30003c.
2019-05-16 05:42:48,266 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 05:42:48,282 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02ea
2019-05-16 05:42:48,282 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:42:48,282 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x30003c.
2019-05-16 05:42:48,282 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3000b8 and Type=0x1.
2019-05-16 05:42:48,282 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,282 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3000b8 (EIP = 0x3f02ea)
2019-05-16 05:42:48,282 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:42:48,282 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02d1
2019-05-16 05:42:48,282 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3000b8.
2019-05-16 05:42:48,282 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 05:42:48,282 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:48,282 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02ea
2019-05-16 05:42:48,282 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3000b8.
2019-05-16 05:42:48,282 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x30cc89 and Type=0x0.
2019-05-16 05:42:48,282 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,282 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x30cc89 (EIP = 0x3f02ea).
2019-05-16 05:42:48,282 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:48,282 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x5d0000, RegionSize: 0x14000.
2019-05-16 05:42:48,282 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x300000.
2019-05-16 05:42:48,282 [root] DEBUG: DumpPEsInRange: Scanning range 0x300000 - 0x310000.
2019-05-16 05:42:48,282 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x300000
2019-05-16 05:42:48,282 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 05:42:48,282 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x300000
2019-05-16 05:42:48,282 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\2772_2824822516452019
2019-05-16 05:42:48,282 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 05:42:48,282 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x300000.
2019-05-16 05:42:48,282 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x300001-0x310000.
2019-05-16 05:42:48,282 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 05:42:48,282 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x300000 - 0x310000.
2019-05-16 05:42:48,298 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x30cc89.
2019-05-16 05:42:48,298 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x300000.
2019-05-16 05:42:48,298 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x5d0000, AllocationSize: 0x14000, ThreadId: 0xa4c
2019-05-16 05:42:48,298 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x5d0000 and Type=0x1.
2019-05-16 05:42:48,298 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x5d0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xac.
2019-05-16 05:42:48,298 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x5d0000
2019-05-16 05:42:48,298 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,298 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5d0000.
2019-05-16 05:42:48,298 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:42:48,298 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:48,298 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,298 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5d0000.
2019-05-16 05:42:48,298 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:42:48,298 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5d003c and Type=0x1.
2019-05-16 05:42:48,298 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,298 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x5d003c (EIP = 0x3efbfc)
2019-05-16 05:42:48,298 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:48,298 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,298 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:42:48,298 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x5d003c.
2019-05-16 05:42:48,298 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5d00b8 and Type=0x1.
2019-05-16 05:42:48,298 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,298 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x5d00b8 (EIP = 0x3efbfc)
2019-05-16 05:42:48,298 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:42:48,298 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,298 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5d00b8.
2019-05-16 05:42:48,298 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:42:48,298 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:48,298 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,298 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5d00b8.
2019-05-16 05:42:48,298 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5d00e0 and Type=0x1.
2019-05-16 05:42:48,313 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,313 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x3efbfc).
2019-05-16 05:42:48,313 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:48,313 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5d00e0.
2019-05-16 05:42:48,313 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5d00a0 and Type=0x0.
2019-05-16 05:42:48,313 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x5d00a0 (EIP = 0x3efbfc).
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:48,313 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5d00e0.
2019-05-16 05:42:48,313 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5dc9a0 and Type=0x0.
2019-05-16 05:42:48,313 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x5dc9a0 (EIP = 0x3efbfc).
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:48,313 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5d00e0.
2019-05-16 05:42:48,313 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5dc9a0 and Type=0x0.
2019-05-16 05:42:48,313 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x5dc9a0 (EIP = 0x3efbfc).
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:48,313 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5d00e0.
2019-05-16 05:42:48,313 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5dc9a0 and Type=0x0.
2019-05-16 05:42:48,313 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x5dc9a0 (EIP = 0x3efbfc).
2019-05-16 05:42:48,313 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:48,328 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 05:42:48,328 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x5d0000.
2019-05-16 05:42:48,328 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:42:48,328 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,328 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,328 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,328 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:42:48,328 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:42:48,328 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vsbmml\CAPE\2772_3294822516452019
2019-05-16 05:42:48,328 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,328 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,328 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,328 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 05:42:48,328 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x5d0000 is empty or inaccessible.
2019-05-16 05:42:48,328 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5d0000 - 0x5e4000.
2019-05-16 05:42:48,328 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5d00e0.
2019-05-16 05:42:48,328 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x5dc9a0.
2019-05-16 05:42:48,328 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,328 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,328 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,328 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 05:42:48,328 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 05:42:48,328 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0xa4c
2019-05-16 05:42:48,328 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 05:42:48,328 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x747f3120, ThreadHandle = 0xac.
2019-05-16 05:42:48,328 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 05:42:48,328 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 05:42:48,328 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 05:42:48,328 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 05:42:48,328 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:42:48,345 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,345 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,345 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,345 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,345 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:42:48,345 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:42:48,345 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 05:42:48,345 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,345 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,345 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,345 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:48,345 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 05:42:48,345 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 05:42:48,345 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 05:42:48,345 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 05:42:48,345 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 05:42:48,345 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0xa4c
2019-05-16 05:42:48,345 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 05:42:48,345 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 05:42:48,345 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 05:42:48,345 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,345 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:42:48,345 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:42:48,345 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:48,345 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,345 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:42:48,345 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:42:48,345 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 05:42:48,345 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,345 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x3efbfc)
2019-05-16 05:42:48,345 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:48,345 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,345 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:42:48,345 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 05:42:48,345 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 05:42:48,359 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,359 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x3efbfc)
2019-05-16 05:42:48,359 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:42:48,359 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,359 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:42:48,359 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:42:48,359 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:48,359 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,359 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:42:48,359 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 05:42:48,359 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,359 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x3efbfc).
2019-05-16 05:42:48,359 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:48,359 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,359 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:42:48,359 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 05:42:48,359 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,359 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x3efbfc).
2019-05-16 05:42:48,359 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:48,359 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,359 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:42:48,359 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:42:48,359 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,359 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x3efbfc).
2019-05-16 05:42:48,359 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:48,359 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,359 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:42:48,359 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:42:48,375 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,375 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x3efbfc).
2019-05-16 05:42:48,375 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:48,375 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:42:48,375 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:42:48,375 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:42:48,375 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,375 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x3efbfc).
2019-05-16 05:42:48,375 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:48,375 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 05:42:48,375 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 05:42:48,375 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 05:42:48,375 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 05:42:48,375 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 05:42:48,375 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 05:42:48,375 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 05:42:48,391 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\2772_3924822516452019
2019-05-16 05:42:48,391 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 05:42:48,391 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 05:42:48,391 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 05:42:48,391 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 05:42:48,423 [root] INFO: Announced 32-bit process name: NEYPefKofXc2Q6H.exe pid: 804
2019-05-16 05:42:48,423 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 05:42:48,423 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 05:42:48,423 [lib.api.process] INFO: 32-bit DLL to inject is C:\vsbmml\dll\tPWnmavI.dll, loader C:\vsbmml\bin\MlXEWOh.exe
2019-05-16 05:42:48,423 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vOhxGIkuZU.
2019-05-16 05:42:48,423 [root] DEBUG: Loader: Injecting process 804 (thread 2732) with C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:42:48,423 [root] DEBUG: Process image base: 0x00400000
2019-05-16 05:42:48,423 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:42:48,423 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77110000
2019-05-16 05:42:48,423 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c4 bytes for new import table at 0x00430000.
2019-05-16 05:42:48,423 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 05:42:48,423 [root] DEBUG: Successfully injected DLL C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:42:48,423 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 804
2019-05-16 05:42:48,423 [root] INFO: Notified of termination of process with pid 2772.
2019-05-16 05:42:48,437 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 05:42:48,437 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1c0000
2019-05-16 05:42:48,453 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 05:42:48,453 [root] INFO: Disabling sleep skipping.
2019-05-16 05:42:48,453 [root] INFO: Added new process to list with pid: 804
2019-05-16 05:42:48,453 [root] INFO: Monitor successfully loaded in process with pid 804.
2019-05-16 05:42:48,532 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x1d0000, RegionSize: 0x11000.
2019-05-16 05:42:48,548 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1d0000, AllocationSize: 0x11000, ThreadId: 0xaac
2019-05-16 05:42:48,548 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1d0000 and Type=0x1.
2019-05-16 05:42:48,548 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1d0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:42:48,548 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1d0000
2019-05-16 05:42:48,548 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ee6
2019-05-16 05:42:48,548 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1d0000.
2019-05-16 05:42:48,548 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1d0000: 0x6e.
2019-05-16 05:42:48,548 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1d0000 and Type=0x0.
2019-05-16 05:42:48,548 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:48,562 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x1d0000, AllocationBaseExecBpSet = 1 (EIP = 0x416ee6)
2019-05-16 05:42:48,562 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:48,562 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ee6
2019-05-16 05:42:48,562 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1d0000.
2019-05-16 05:42:48,562 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1d0000: 0x6e.
2019-05-16 05:42:48,562 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:42:48,562 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x417018
2019-05-16 05:42:48,578 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1d0000.
2019-05-16 05:42:48,578 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1d0000: 0x6e.
2019-05-16 05:42:48,594 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:42:48,594 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x417096
2019-05-16 05:42:48,609 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1d0000.
2019-05-16 05:42:48,641 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1d0000: 0x6d.
2019-05-16 05:42:48,641 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:42:49,265 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3f0000, RegionSize: 0x10000.
2019-05-16 05:42:49,280 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1d0000.
2019-05-16 05:42:49,296 [root] DEBUG: DumpPEsInRange: Scanning range 0x1d0000 - 0x1e1000.
2019-05-16 05:42:49,296 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1d0000-0x1e1000.
2019-05-16 05:42:49,328 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1d0000.
2019-05-16 05:42:49,342 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vsbmml\CAPE\804_3284922516452019
2019-05-16 05:42:49,358 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\804_3284922516452019
2019-05-16 05:42:49,358 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1d0000 - 0x1e1000.
2019-05-16 05:42:49,358 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1d0000.
2019-05-16 05:42:49,390 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x1d0000.
2019-05-16 05:42:49,405 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3f0000, AllocationSize: 0x10000, ThreadId: 0xaac
2019-05-16 05:42:49,405 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3f0000 and Type=0x1.
2019-05-16 05:42:49,421 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3f0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:42:49,437 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3f0000
2019-05-16 05:42:49,437 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:49,437 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:42:49,437 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 05:42:49,437 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3f0000 and Type=0x0.
2019-05-16 05:42:49,437 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:49,437 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3f0000, AllocationBaseExecBpSet = 1 (EIP = 0x1dfbfc)
2019-05-16 05:42:49,451 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:49,451 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:49,451 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:42:49,467 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 05:42:49,483 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:42:49,483 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02d1
2019-05-16 05:42:49,499 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:42:49,529 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 05:42:49,529 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:42:49,529 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02ea
2019-05-16 05:42:49,546 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:42:49,546 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:42:49,562 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3f003c and Type=0x1.
2019-05-16 05:42:49,576 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:49,576 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x3f003c (EIP = 0x1e02ea)
2019-05-16 05:42:49,592 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:49,592 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02d1
2019-05-16 05:42:49,592 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:42:49,592 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3f003c.
2019-05-16 05:42:49,608 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 05:42:49,608 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02ea
2019-05-16 05:42:49,608 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:42:49,608 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3f003c.
2019-05-16 05:42:49,624 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3f00b8 and Type=0x1.
2019-05-16 05:42:49,640 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:49,640 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3f00b8 (EIP = 0x1e02ea)
2019-05-16 05:42:49,654 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:42:49,654 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02d1
2019-05-16 05:42:49,654 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3f00b8.
2019-05-16 05:42:49,671 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 05:42:49,671 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:49,686 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02ea
2019-05-16 05:42:49,686 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3f00b8.
2019-05-16 05:42:49,686 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x3fcc89 and Type=0x0.
2019-05-16 05:42:49,717 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:49,717 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x3fcc89 (EIP = 0x1e02ea).
2019-05-16 05:42:49,717 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:49,749 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x5b0000, RegionSize: 0x14000.
2019-05-16 05:42:49,749 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3f0000.
2019-05-16 05:42:49,763 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x400000.
2019-05-16 05:42:49,763 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3f0000
2019-05-16 05:42:49,779 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 05:42:49,779 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x3f0000
2019-05-16 05:42:49,796 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\804_7804922516452019
2019-05-16 05:42:49,796 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 05:42:49,811 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3f0000.
2019-05-16 05:42:49,811 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0001-0x400000.
2019-05-16 05:42:49,811 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 05:42:49,811 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3f0000 - 0x400000.
2019-05-16 05:42:49,811 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3fcc89.
2019-05-16 05:42:49,826 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3f0000.
2019-05-16 05:42:49,842 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x5b0000, AllocationSize: 0x14000, ThreadId: 0xaac
2019-05-16 05:42:49,842 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x5b0000 and Type=0x1.
2019-05-16 05:42:49,858 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x5b0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:42:49,874 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x5b0000
2019-05-16 05:42:49,874 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:49,874 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5b0000.
2019-05-16 05:42:49,888 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:42:49,888 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:49,888 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:49,888 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5b0000.
2019-05-16 05:42:49,888 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:42:49,888 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5b003c and Type=0x1.
2019-05-16 05:42:49,888 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:49,888 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x5b003c (EIP = 0x1dfbfc)
2019-05-16 05:42:49,904 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:49,920 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:49,920 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:42:49,936 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x5b003c.
2019-05-16 05:42:49,951 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5b00b8 and Type=0x1.
2019-05-16 05:42:49,967 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:49,967 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x5b00b8 (EIP = 0x1dfbfc)
2019-05-16 05:42:49,983 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:42:50,013 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,029 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5b00b8.
2019-05-16 05:42:50,029 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:42:50,029 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:50,045 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,061 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5b00b8.
2019-05-16 05:42:50,061 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5b00e0 and Type=0x1.
2019-05-16 05:42:50,061 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,075 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x1dfbfc).
2019-05-16 05:42:50,075 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:50,092 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,092 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5b00e0.
2019-05-16 05:42:50,108 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5b00a0 and Type=0x0.
2019-05-16 05:42:50,122 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,138 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x5b00a0 (EIP = 0x1dfbfc).
2019-05-16 05:42:50,138 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:50,138 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,154 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5b00e0.
2019-05-16 05:42:50,154 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5bc9a0 and Type=0x0.
2019-05-16 05:42:50,186 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,200 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x5bc9a0 (EIP = 0x1dfbfc).
2019-05-16 05:42:50,217 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:50,217 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,232 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5b00e0.
2019-05-16 05:42:50,232 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5bc9a0 and Type=0x0.
2019-05-16 05:42:50,247 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,279 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x5bc9a0 (EIP = 0x1dfbfc).
2019-05-16 05:42:50,279 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:50,295 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,309 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5b00e0.
2019-05-16 05:42:50,309 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5bc9a0 and Type=0x0.
2019-05-16 05:42:50,325 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,325 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x5bc9a0 (EIP = 0x1dfbfc).
2019-05-16 05:42:50,325 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:50,342 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 05:42:50,357 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x5b0000.
2019-05-16 05:42:50,372 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:42:50,388 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,388 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,388 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,404 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:42:50,404 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:42:50,404 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vsbmml\CAPE\804_4045022516452019
2019-05-16 05:42:50,404 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,404 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,420 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,420 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 05:42:50,420 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x5b0000 is empty or inaccessible.
2019-05-16 05:42:50,420 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5b0000 - 0x5c4000.
2019-05-16 05:42:50,420 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5b00e0.
2019-05-16 05:42:50,420 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x5bc9a0.
2019-05-16 05:42:50,420 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,420 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,420 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,420 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 05:42:50,420 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 05:42:50,420 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0xaac
2019-05-16 05:42:50,434 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 05:42:50,434 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:42:50,434 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 05:42:50,434 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 05:42:50,434 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 05:42:50,434 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 05:42:50,434 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:42:50,450 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,466 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,466 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,466 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,466 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:42:50,466 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:42:50,466 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 05:42:50,466 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,466 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,466 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,466 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:42:50,466 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 05:42:50,466 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 05:42:50,466 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 05:42:50,466 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 05:42:50,466 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 05:42:50,466 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0xaac
2019-05-16 05:42:50,482 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 05:42:50,482 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 05:42:50,482 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 05:42:50,482 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,482 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:42:50,482 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:42:50,482 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:50,513 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,513 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:42:50,513 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:42:50,513 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 05:42:50,513 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,513 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x1dfbfc)
2019-05-16 05:42:50,513 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:42:50,513 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,529 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:42:50,543 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 05:42:50,543 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 05:42:50,543 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,543 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x1dfbfc)
2019-05-16 05:42:50,543 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:42:50,543 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,543 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:42:50,559 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:42:50,559 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:50,559 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,559 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:42:50,575 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 05:42:50,575 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,575 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x1dfbfc).
2019-05-16 05:42:50,575 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:42:50,575 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,591 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:42:50,591 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 05:42:50,591 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,607 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x1dfbfc).
2019-05-16 05:42:50,607 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:50,607 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,607 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:42:50,607 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:42:50,607 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,607 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x1dfbfc).
2019-05-16 05:42:50,607 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:50,607 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,621 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:42:50,621 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:42:50,621 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,621 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x1dfbfc).
2019-05-16 05:42:50,621 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:50,621 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:42:50,621 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:42:50,621 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:42:50,621 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:42:50,621 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x1dfbfc).
2019-05-16 05:42:50,621 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:42:50,638 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 05:42:50,638 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 05:42:50,654 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 05:42:50,654 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 05:42:50,654 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 05:42:50,668 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 05:42:50,668 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 05:42:50,668 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\804_6695022516452019
2019-05-16 05:42:50,668 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 05:42:50,684 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 05:42:50,684 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 05:42:50,684 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 05:42:58,562 [root] INFO: Announced starting service "gluerel"
2019-05-16 05:42:58,562 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-05-16 05:42:58,609 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-16 05:42:58,641 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 05:42:58,641 [lib.api.process] INFO: 64-bit DLL to inject is C:\vsbmml\dll\ocVGFmN.dll, loader C:\vsbmml\bin\UqHIXTnn.exe
2019-05-16 05:42:58,641 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vOhxGIkuZU.
2019-05-16 05:42:58,655 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\vsbmml\dll\ocVGFmN.dll.
2019-05-16 05:42:58,655 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2256, handle 0x84
2019-05-16 05:42:58,671 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-05-16 05:42:58,687 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-16 05:42:58,703 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-16 05:42:58,719 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 05:42:58,750 [root] INFO: Disabling sleep skipping.
2019-05-16 05:42:58,780 [root] WARNING: Unable to place hook on LockResource
2019-05-16 05:42:58,780 [root] WARNING: Unable to hook LockResource
2019-05-16 05:42:58,828 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x0000000074110000, image base 0x00000000FFA10000, stack from 0x00000000031A6000-0x00000000031B0000
2019-05-16 05:42:58,828 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-05-16 05:42:58,844 [root] INFO: Added new process to list with pid: 460
2019-05-16 05:42:58,844 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-05-16 05:42:58,875 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-16 05:42:58,890 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-16 05:42:58,890 [root] DEBUG: Successfully injected DLL C:\vsbmml\dll\ocVGFmN.dll.
2019-05-16 05:42:59,950 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 828
2019-05-16 05:42:59,950 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 05:42:59,950 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 05:42:59,950 [lib.api.process] INFO: 32-bit DLL to inject is C:\vsbmml\dll\tPWnmavI.dll, loader C:\vsbmml\bin\MlXEWOh.exe
2019-05-16 05:42:59,982 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vOhxGIkuZU.
2019-05-16 05:42:59,982 [root] DEBUG: Loader: Injecting process 828 (thread 3024) with C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:42:59,982 [root] DEBUG: Process image base: 0x00400000
2019-05-16 05:42:59,997 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:43:00,013 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77110000
2019-05-16 05:43:00,013 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c4 bytes for new import table at 0x00430000.
2019-05-16 05:43:00,013 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 05:43:00,013 [root] DEBUG: Successfully injected DLL C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:43:00,013 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 828
2019-05-16 05:43:00,059 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 05:43:00,059 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1c0000
2019-05-16 05:43:00,059 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 05:43:00,059 [root] INFO: Disabling sleep skipping.
2019-05-16 05:43:00,075 [root] INFO: Added new process to list with pid: 828
2019-05-16 05:43:00,075 [root] INFO: Monitor successfully loaded in process with pid 828.
2019-05-16 05:43:00,170 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x1d0000, RegionSize: 0x11000.
2019-05-16 05:43:00,170 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1d0000, AllocationSize: 0x11000, ThreadId: 0xbd0
2019-05-16 05:43:00,200 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1d0000 and Type=0x1.
2019-05-16 05:43:00,216 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1d0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:43:00,247 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1d0000
2019-05-16 05:43:00,247 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ee6
2019-05-16 05:43:00,247 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1d0000.
2019-05-16 05:43:00,263 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1d0000: 0x6e.
2019-05-16 05:43:00,263 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1d0000 and Type=0x0.
2019-05-16 05:43:00,263 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:00,293 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x1d0000, AllocationBaseExecBpSet = 1 (EIP = 0x416ee6)
2019-05-16 05:43:00,293 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:00,325 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ee6
2019-05-16 05:43:00,341 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1d0000.
2019-05-16 05:43:00,357 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1d0000: 0x6e.
2019-05-16 05:43:00,388 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:43:00,388 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x417018
2019-05-16 05:43:00,434 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1d0000.
2019-05-16 05:43:00,450 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1d0000: 0x6e.
2019-05-16 05:43:00,450 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:43:00,450 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x417096
2019-05-16 05:43:00,450 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1d0000.
2019-05-16 05:43:00,466 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1d0000: 0x6d.
2019-05-16 05:43:00,466 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:43:01,105 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3f0000, RegionSize: 0x10000.
2019-05-16 05:43:01,121 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1d0000.
2019-05-16 05:43:01,137 [root] DEBUG: DumpPEsInRange: Scanning range 0x1d0000 - 0x1e1000.
2019-05-16 05:43:01,151 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1d0000-0x1e1000.
2019-05-16 05:43:01,151 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1d0000.
2019-05-16 05:43:01,167 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vsbmml\CAPE\828_152123516452019
2019-05-16 05:43:01,198 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\828_152123516452019
2019-05-16 05:43:01,246 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1d0000 - 0x1e1000.
2019-05-16 05:43:01,246 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1d0000.
2019-05-16 05:43:01,246 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x1d0000.
2019-05-16 05:43:01,246 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3f0000, AllocationSize: 0x10000, ThreadId: 0xbd0
2019-05-16 05:43:01,246 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3f0000 and Type=0x1.
2019-05-16 05:43:01,262 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3f0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:43:01,276 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3f0000
2019-05-16 05:43:01,292 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:01,292 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:43:01,323 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 05:43:01,339 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3f0000 and Type=0x0.
2019-05-16 05:43:01,371 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:01,371 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3f0000, AllocationBaseExecBpSet = 1 (EIP = 0x1dfbfc)
2019-05-16 05:43:01,371 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:01,371 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:01,385 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:43:01,385 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 05:43:01,385 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:43:01,385 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02d1
2019-05-16 05:43:01,385 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:43:01,385 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 05:43:01,385 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:43:01,401 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02ea
2019-05-16 05:43:01,401 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:43:01,401 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:43:01,401 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3f003c and Type=0x1.
2019-05-16 05:43:01,417 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:01,417 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x3f003c (EIP = 0x1e02ea)
2019-05-16 05:43:01,417 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:01,417 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02d1
2019-05-16 05:43:01,448 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:43:01,463 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3f003c.
2019-05-16 05:43:01,463 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 05:43:01,463 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02ea
2019-05-16 05:43:01,480 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:43:01,496 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3f003c.
2019-05-16 05:43:01,496 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3f00b8 and Type=0x1.
2019-05-16 05:43:01,496 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:01,510 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3f00b8 (EIP = 0x1e02ea)
2019-05-16 05:43:01,510 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:43:01,510 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02d1
2019-05-16 05:43:01,510 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3f00b8.
2019-05-16 05:43:01,542 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 05:43:01,558 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:01,558 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e02ea
2019-05-16 05:43:01,558 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3f00b8.
2019-05-16 05:43:01,558 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x3fcc89 and Type=0x0.
2019-05-16 05:43:01,573 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:01,573 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x3fcc89 (EIP = 0x1e02ea).
2019-05-16 05:43:01,588 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:01,605 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x570000, RegionSize: 0x14000.
2019-05-16 05:43:01,635 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3f0000.
2019-05-16 05:43:01,635 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x400000.
2019-05-16 05:43:01,635 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3f0000
2019-05-16 05:43:01,635 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 05:43:01,667 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x3f0000
2019-05-16 05:43:01,667 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\828_667123516452019
2019-05-16 05:43:01,667 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 05:43:01,667 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3f0000.
2019-05-16 05:43:01,683 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0001-0x400000.
2019-05-16 05:43:01,683 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 05:43:01,683 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3f0000 - 0x400000.
2019-05-16 05:43:01,697 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3fcc89.
2019-05-16 05:43:01,713 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3f0000.
2019-05-16 05:43:01,713 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x570000, AllocationSize: 0x14000, ThreadId: 0xbd0
2019-05-16 05:43:01,713 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x570000 and Type=0x1.
2019-05-16 05:43:01,760 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x570000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:43:01,808 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x570000
2019-05-16 05:43:01,808 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:01,822 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x570000.
2019-05-16 05:43:01,854 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:43:01,854 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:01,885 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:01,901 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x570000.
2019-05-16 05:43:01,901 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:43:01,917 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x57003c and Type=0x1.
2019-05-16 05:43:01,931 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:01,931 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x57003c (EIP = 0x1dfbfc)
2019-05-16 05:43:01,931 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:01,947 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:01,947 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:43:01,963 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x57003c.
2019-05-16 05:43:01,963 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5700b8 and Type=0x1.
2019-05-16 05:43:01,979 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:01,979 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x5700b8 (EIP = 0x1dfbfc)
2019-05-16 05:43:01,994 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:43:01,994 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:01,994 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5700b8.
2019-05-16 05:43:01,994 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:43:01,994 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:02,009 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,026 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5700b8.
2019-05-16 05:43:02,026 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5700e0 and Type=0x1.
2019-05-16 05:43:02,042 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,042 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x1dfbfc).
2019-05-16 05:43:02,072 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:02,072 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,072 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5700e0.
2019-05-16 05:43:02,119 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5700a0 and Type=0x0.
2019-05-16 05:43:02,134 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,134 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x5700a0 (EIP = 0x1dfbfc).
2019-05-16 05:43:02,134 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:02,134 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,151 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5700e0.
2019-05-16 05:43:02,151 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x57c9a0 and Type=0x0.
2019-05-16 05:43:02,165 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,165 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x57c9a0 (EIP = 0x1dfbfc).
2019-05-16 05:43:02,165 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:02,197 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,197 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5700e0.
2019-05-16 05:43:02,213 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x57c9a0 and Type=0x0.
2019-05-16 05:43:02,243 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,243 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x57c9a0 (EIP = 0x1dfbfc).
2019-05-16 05:43:02,243 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:02,259 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,290 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5700e0.
2019-05-16 05:43:02,290 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x57c9a0 and Type=0x0.
2019-05-16 05:43:02,322 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,338 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x57c9a0 (EIP = 0x1dfbfc).
2019-05-16 05:43:02,354 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:02,384 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 05:43:02,384 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x570000.
2019-05-16 05:43:02,400 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:43:02,415 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,431 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,431 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,447 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:43:02,447 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:43:02,447 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vsbmml\CAPE\828_447223516452019
2019-05-16 05:43:02,463 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,477 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,477 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,477 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 05:43:02,477 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x570000 is empty or inaccessible.
2019-05-16 05:43:02,477 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x570000 - 0x584000.
2019-05-16 05:43:02,477 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5700e0.
2019-05-16 05:43:02,477 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x57c9a0.
2019-05-16 05:43:02,477 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,477 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,509 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,509 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 05:43:02,509 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 05:43:02,509 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0xbd0
2019-05-16 05:43:02,525 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 05:43:02,540 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:43:02,540 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 05:43:02,555 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 05:43:02,555 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 05:43:02,555 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 05:43:02,555 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:43:02,555 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,555 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,555 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,555 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,572 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:43:02,572 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:43:02,572 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 05:43:02,572 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,572 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,572 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,572 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:02,572 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 05:43:02,572 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 05:43:02,572 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 05:43:02,572 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 05:43:02,572 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 05:43:02,572 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0xbd0
2019-05-16 05:43:02,572 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 05:43:02,572 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 05:43:02,572 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 05:43:02,572 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,588 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:43:02,588 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:43:02,588 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:02,588 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,618 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:43:02,618 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:43:02,618 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 05:43:02,618 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,618 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x1dfbfc)
2019-05-16 05:43:02,618 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:02,618 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,634 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:43:02,665 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 05:43:02,665 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 05:43:02,665 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,665 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x1dfbfc)
2019-05-16 05:43:02,665 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:43:02,665 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,665 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:43:02,665 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:43:02,697 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:02,711 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,743 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:43:02,743 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 05:43:02,759 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,759 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x1dfbfc).
2019-05-16 05:43:02,759 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:02,789 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,822 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:43:02,822 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 05:43:02,822 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,852 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x1dfbfc).
2019-05-16 05:43:02,868 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:02,884 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,884 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:43:02,884 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:43:02,900 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,914 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x1dfbfc).
2019-05-16 05:43:02,914 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:02,946 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:02,961 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:43:02,961 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:43:02,961 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:02,993 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x1dfbfc).
2019-05-16 05:43:02,993 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:03,009 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1dfbfc
2019-05-16 05:43:03,009 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:43:03,023 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:43:03,055 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:03,071 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x1dfbfc).
2019-05-16 05:43:03,071 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:03,101 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 05:43:03,134 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 05:43:03,134 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 05:43:03,134 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 05:43:03,164 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 05:43:03,180 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 05:43:03,180 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 05:43:03,180 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\828_180323516452019
2019-05-16 05:43:03,180 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 05:43:03,196 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 05:43:03,226 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 05:43:03,226 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 05:43:03,257 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 1132
2019-05-16 05:43:03,257 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 05:43:03,257 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 05:43:03,257 [lib.api.process] INFO: 32-bit DLL to inject is C:\vsbmml\dll\tPWnmavI.dll, loader C:\vsbmml\bin\MlXEWOh.exe
2019-05-16 05:43:03,289 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vOhxGIkuZU.
2019-05-16 05:43:03,289 [root] DEBUG: Loader: Injecting process 1132 (thread 1468) with C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:43:03,305 [root] DEBUG: Process image base: 0x00400000
2019-05-16 05:43:03,305 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:43:03,305 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042A000 - 0x77110000
2019-05-16 05:43:03,305 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c4 bytes for new import table at 0x00430000.
2019-05-16 05:43:03,305 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 05:43:03,321 [root] DEBUG: Successfully injected DLL C:\vsbmml\dll\tPWnmavI.dll.
2019-05-16 05:43:03,321 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1132
2019-05-16 05:43:03,321 [root] INFO: Notified of termination of process with pid 828.
2019-05-16 05:43:03,321 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 05:43:03,321 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3b0000
2019-05-16 05:43:03,321 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 05:43:03,321 [root] INFO: Disabling sleep skipping.
2019-05-16 05:43:03,321 [root] INFO: Added new process to list with pid: 1132
2019-05-16 05:43:03,335 [root] INFO: Monitor successfully loaded in process with pid 1132.
2019-05-16 05:43:03,368 [root] WARNING: Unable to open termination event for pid 828.
2019-05-16 05:43:03,398 [root] INFO: Notified of termination of process with pid 804.
2019-05-16 05:43:03,398 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x4c0000, RegionSize: 0x11000.
2019-05-16 05:43:03,398 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x4c0000, AllocationSize: 0x11000, ThreadId: 0x5bc
2019-05-16 05:43:03,398 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x4c0000 and Type=0x1.
2019-05-16 05:43:03,414 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x4c0000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:43:03,414 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x4c0000
2019-05-16 05:43:03,414 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ee6
2019-05-16 05:43:03,414 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-05-16 05:43:03,414 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x6e.
2019-05-16 05:43:03,414 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4c0000 and Type=0x0.
2019-05-16 05:43:03,414 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:03,414 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x4c0000, AllocationBaseExecBpSet = 1 (EIP = 0x416ee6)
2019-05-16 05:43:03,414 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:03,414 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x416ee6
2019-05-16 05:43:03,430 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-05-16 05:43:03,430 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x6e.
2019-05-16 05:43:03,430 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:43:03,430 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x417018
2019-05-16 05:43:03,430 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-05-16 05:43:03,430 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x6e.
2019-05-16 05:43:03,430 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:43:03,430 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x417096
2019-05-16 05:43:03,430 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-05-16 05:43:03,446 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x6d.
2019-05-16 05:43:03,446 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:43:04,615 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2120000, RegionSize: 0x10000.
2019-05-16 05:43:04,631 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x4c0000.
2019-05-16 05:43:04,631 [root] DEBUG: DumpPEsInRange: Scanning range 0x4c0000 - 0x4d1000.
2019-05-16 05:43:04,631 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4c0000-0x4d1000.
2019-05-16 05:43:04,631 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x4c0000.
2019-05-16 05:43:04,631 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vsbmml\CAPE\1132_631423516452019
2019-05-16 05:43:04,647 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\1132_631423516452019
2019-05-16 05:43:04,647 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4c0000 - 0x4d1000.
2019-05-16 05:43:04,647 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x4c0000.
2019-05-16 05:43:04,647 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x4c0000.
2019-05-16 05:43:04,647 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2120000, AllocationSize: 0x10000, ThreadId: 0x5bc
2019-05-16 05:43:04,647 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x2120000 and Type=0x1.
2019-05-16 05:43:04,647 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2120000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:43:04,647 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2120000
2019-05-16 05:43:04,647 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,647 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2120000.
2019-05-16 05:43:04,661 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2120000: 0xa4.
2019-05-16 05:43:04,661 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2120000 and Type=0x0.
2019-05-16 05:43:04,661 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,661 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x2120000, AllocationBaseExecBpSet = 1 (EIP = 0x4cfbfc)
2019-05-16 05:43:04,661 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:04,661 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,661 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2120000.
2019-05-16 05:43:04,661 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2120000: 0xa4.
2019-05-16 05:43:04,661 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:43:04,677 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4d02d1
2019-05-16 05:43:04,677 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2120000.
2019-05-16 05:43:04,677 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2120000: 0xa4.
2019-05-16 05:43:04,677 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:43:04,677 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4d02ea
2019-05-16 05:43:04,677 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2120000.
2019-05-16 05:43:04,677 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:43:04,677 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x212003c and Type=0x1.
2019-05-16 05:43:04,677 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,677 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x212003c (EIP = 0x4d02ea)
2019-05-16 05:43:04,694 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:04,694 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4d02d1
2019-05-16 05:43:04,694 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:43:04,694 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x212003c.
2019-05-16 05:43:04,694 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 05:43:04,694 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4d02ea
2019-05-16 05:43:04,694 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:43:04,694 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x212003c.
2019-05-16 05:43:04,694 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x21200b8 and Type=0x1.
2019-05-16 05:43:04,694 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,709 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x21200b8 (EIP = 0x4d02ea)
2019-05-16 05:43:04,709 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:43:04,709 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4d02d1
2019-05-16 05:43:04,709 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x21200b8.
2019-05-16 05:43:04,709 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 05:43:04,709 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:04,709 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4d02ea
2019-05-16 05:43:04,709 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x21200b8.
2019-05-16 05:43:04,709 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x212cc89 and Type=0x0.
2019-05-16 05:43:04,709 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,724 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x212cc89 (EIP = 0x4d02ea).
2019-05-16 05:43:04,724 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:04,724 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2130000, RegionSize: 0x14000.
2019-05-16 05:43:04,724 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x2120000.
2019-05-16 05:43:04,724 [root] DEBUG: DumpPEsInRange: Scanning range 0x2120000 - 0x2130000.
2019-05-16 05:43:04,724 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2120000
2019-05-16 05:43:04,724 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 05:43:04,724 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x2120000
2019-05-16 05:43:04,740 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\1132_725423516452019
2019-05-16 05:43:04,740 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 05:43:04,740 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x2120000.
2019-05-16 05:43:04,740 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2120001-0x2130000.
2019-05-16 05:43:04,740 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 05:43:04,740 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2120000 - 0x2130000.
2019-05-16 05:43:04,740 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x212cc89.
2019-05-16 05:43:04,740 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x2120000.
2019-05-16 05:43:04,756 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2130000, AllocationSize: 0x14000, ThreadId: 0x5bc
2019-05-16 05:43:04,756 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x2130000 and Type=0x1.
2019-05-16 05:43:04,756 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2130000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:43:04,756 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2130000
2019-05-16 05:43:04,756 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,756 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2130000.
2019-05-16 05:43:04,756 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:43:04,756 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:04,756 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,756 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2130000.
2019-05-16 05:43:04,772 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:43:04,772 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x213003c and Type=0x1.
2019-05-16 05:43:04,772 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,772 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x213003c (EIP = 0x4cfbfc)
2019-05-16 05:43:04,772 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:04,772 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,772 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:43:04,772 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x213003c.
2019-05-16 05:43:04,772 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x21300b8 and Type=0x1.
2019-05-16 05:43:04,772 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,786 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x21300b8 (EIP = 0x4cfbfc)
2019-05-16 05:43:04,786 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:43:04,786 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,786 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x21300b8.
2019-05-16 05:43:04,786 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:43:04,786 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:04,786 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,786 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x21300b8.
2019-05-16 05:43:04,786 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x21300e0 and Type=0x1.
2019-05-16 05:43:04,786 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,802 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x4cfbfc).
2019-05-16 05:43:04,802 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:04,802 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,802 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21300e0.
2019-05-16 05:43:04,802 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x21300a0 and Type=0x0.
2019-05-16 05:43:04,802 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,802 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x21300a0 (EIP = 0x4cfbfc).
2019-05-16 05:43:04,802 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:04,802 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,802 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21300e0.
2019-05-16 05:43:04,818 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x213c9a0 and Type=0x0.
2019-05-16 05:43:04,818 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,818 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x213c9a0 (EIP = 0x4cfbfc).
2019-05-16 05:43:04,818 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:04,818 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,818 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21300e0.
2019-05-16 05:43:04,818 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x213c9a0 and Type=0x0.
2019-05-16 05:43:04,818 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,818 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x213c9a0 (EIP = 0x4cfbfc).
2019-05-16 05:43:04,818 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:04,834 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,834 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21300e0.
2019-05-16 05:43:04,834 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x213c9a0 and Type=0x0.
2019-05-16 05:43:04,834 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,834 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x213c9a0 (EIP = 0x4cfbfc).
2019-05-16 05:43:04,834 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:04,834 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 05:43:04,834 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x2130000.
2019-05-16 05:43:04,834 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:43:04,834 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,849 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,849 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,849 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:43:04,849 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:43:04,849 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vsbmml\CAPE\1132_850423516452019
2019-05-16 05:43:04,849 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,849 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,849 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,849 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 05:43:04,849 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x2130000 is empty or inaccessible.
2019-05-16 05:43:04,865 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2130000 - 0x2144000.
2019-05-16 05:43:04,865 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x21300e0.
2019-05-16 05:43:04,865 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x213c9a0.
2019-05-16 05:43:04,865 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,865 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,865 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,865 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 05:43:04,865 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 05:43:04,865 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0x5bc
2019-05-16 05:43:04,865 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 05:43:04,881 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x74493120, ThreadHandle = 0xac.
2019-05-16 05:43:04,881 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 05:43:04,881 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 05:43:04,881 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 05:43:04,881 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 05:43:04,881 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:43:04,881 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,881 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,881 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,881 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,895 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:43:04,895 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:43:04,895 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 05:43:04,895 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,895 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,895 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,895 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:43:04,895 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 05:43:04,895 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 05:43:04,895 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 05:43:04,911 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 05:43:04,911 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 05:43:04,911 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0x5bc
2019-05-16 05:43:04,911 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 05:43:04,911 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 05:43:04,911 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 05:43:04,911 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,911 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:43:04,911 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:43:04,911 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:04,927 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,927 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:43:04,927 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:43:04,927 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 05:43:04,927 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,927 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x4cfbfc)
2019-05-16 05:43:04,927 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:43:04,927 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,927 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:43:04,927 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 05:43:04,943 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 05:43:04,943 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,943 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x4cfbfc)
2019-05-16 05:43:04,943 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:43:04,943 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,943 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:43:04,943 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:43:04,943 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:04,943 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,943 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:43:04,959 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 05:43:04,959 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,959 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x4cfbfc).
2019-05-16 05:43:04,959 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:43:04,959 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,959 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:43:04,959 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 05:43:04,959 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,959 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x4cfbfc).
2019-05-16 05:43:04,959 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:04,973 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,973 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:43:04,973 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:43:04,973 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,973 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x4cfbfc).
2019-05-16 05:43:04,973 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:04,973 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,973 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:43:04,973 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:43:04,973 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,973 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x4cfbfc).
2019-05-16 05:43:04,990 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:04,990 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4cfbfc
2019-05-16 05:43:04,990 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:43:04,990 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:43:04,990 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:43:04,990 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x4cfbfc).
2019-05-16 05:43:04,990 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:43:04,990 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 05:43:04,990 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 05:43:04,990 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 05:43:05,006 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 05:43:05,006 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 05:43:05,006 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 05:43:05,006 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 05:43:05,006 [root] INFO: Added new CAPE file to list with path: C:\vsbmml\CAPE\1132_6523516452019
2019-05-16 05:43:05,020 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 05:43:05,020 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 05:43:05,020 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 05:43:05,020 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 05:43:52,023 [root] INFO: Analysis timeout hit (60 seconds), terminating analysis.
2019-05-16 05:43:52,023 [root] INFO: Created shutdown mutex.
2019-05-16 05:43:53,038 [root] INFO: Terminating process 2772 before shutdown.
2019-05-16 05:43:53,038 [root] INFO: Terminating process 804 before shutdown.
2019-05-16 05:43:53,038 [root] INFO: Terminating process 828 before shutdown.
2019-05-16 05:43:53,038 [root] INFO: Setting terminate event for process 1132.
2019-05-16 05:43:53,038 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1132
2019-05-16 05:43:53,038 [root] INFO: Terminating process 1132 before shutdown.
2019-05-16 05:43:53,038 [root] INFO: Waiting for process 1132 to exit.
2019-05-16 05:43:54,052 [root] INFO: Waiting for process 1132 to exit.
2019-05-16 05:43:55,065 [root] INFO: Waiting for process 1132 to exit.
2019-05-16 05:43:56,079 [root] INFO: Waiting for process 1132 to exit.
2019-05-16 05:43:57,109 [lib.api.process] INFO: Successfully terminated process with pid 1132.
2019-05-16 05:43:57,125 [root] INFO: Waiting for process 1132 to exit.
2019-05-16 05:43:58,138 [root] INFO: Shutting down package.
2019-05-16 05:43:58,154 [root] INFO: Stopping auxiliary modules.
2019-05-16 05:43:58,154 [root] INFO: Finishing auxiliary modules.
2019-05-16 05:43:58,154 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-05-16 05:43:58,154 [root] WARNING: File at path "C:\wTiOTfrMQO\debugger" does not exist, skip.
2019-05-16 05:43:58,154 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-05-16 04:42:19
Shutdown On 2019-05-16 04:44:11

File Details

File Name 576e27bc56d71276bfa9f52d242c3204e29d0d498fc9a2461a6dd34a471c6f20
File Size 170048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2677c192c0e519ea0202e5aae151107c
SHA1 2da79f0e2d855e7b15ad7c124848829516fee8f3
SHA256 576e27bc56d71276bfa9f52d242c3204e29d0d498fc9a2461a6dd34a471c6f20
SHA512 e54c9d3878621cd3abff2a00c8bc382664e4e8204c413743e8bc95fe3f0760645dc425d4732e474e21b47729a49600784242c6a87cb9826e1f8d3dca8a3f37ec
CRC32 81DC0B87
Ssdeep 3072:4WoofUTXKZLk/lvI6enmhUcUygISmkEm8M8GGza0WsQu6JMdN0HC25+i7gp:wjXP/hHenK5NSmH3YGj6RW
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2772 triggered the Yara rule 'embedded_win_api'
Hit: PID 2772 triggered the Yara rule 'shellcode'
Hit: PID 2772 triggered the Yara rule 'Emotet'
Possible date expiration check, exits too soon after checking local time
process: gluerel.exe, PID 828
Mimics the system's user agent string for its own requests
Guard page use detected - possible anti-debugging.
Dynamic (imported) function loading detected
Performs HTTP requests potentially not found in PCAP.
url: 181.15.177.100:443/glitch/forced/jit/merge/
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.16, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00016e00, virtual_size: 0x00016d86
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: gluerel
service path: "C:\Windows\SysWOW64\gluerel.exe"
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\gluerel.exe
Drops a binary and executes it
binary: C:\Windows\SysWOW64\gluerel.exe


Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 181.15.177.100 Argentina

DNS

Name Response Post-Analysis Lookup
www.download.windowsupdate.com
crt.usertrust.com

Summary

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\Environment
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
kernel32.dll.LoadLibraryExA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualAlloc
kernel32.dll.SetFilePointer
kernel32.dll.lstrlenA
kernel32.dll.lstrcatA
kernel32.dll.VirtualProtect
kernel32.dll.UnmapViewOfFile
kernel32.dll.GetModuleHandleA
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.VirtualFree
kernel32.dll.GetTempPathA
kernel32.dll.CreateFileA
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
C:\Users\user\AppData\Local\Temp\NEYPefKofXc2Q6H.exe --59f6465
"C:\Windows\SysWOW64\gluerel.exe"
C:\Windows\SysWOW64\gluerel.exe --caeb0eba
Global\IA4889F95
Global\MA4889F95
IESQMMUTEX_0_208
gluerel
gluerel

PE Information

Image Base 0x00400000
Entry Point 0x00417ba0
Reported Checksum 0x0002ecb5
Actual Checksum 0x0002ecb5
Minimum OS Version 5.0
Compile Time 2019-05-16 04:33:39
Import Hash 698a4e929ee33bd554dc443daf63049e

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00016d86 0x00016e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.16
.rdata 0x00018000 0x00008636 0x00008800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.76
.data 0x00021000 0x0000569c 0x00005600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.21
.rsrc 0x00027000 0x00002fc0 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.77

Overlay

Offset 0x00028000
Size 0x00001840

Imports

Library KERNEL32.dll:
0x418184 GetOverlappedResult
0x418198 GetProcAddress
0x4181a0 GetProcessHeap
0x4181a8 GetStartupInfoA
0x4181ac GetStartupInfoW
0x4181b0 GetStdHandle
0x4181b4 GetStringTypeA
0x4181b8 GetStringTypeExW
0x4181bc GetStringTypeW
0x4181c4 GetSystemDirectoryW
0x4181c8 GetSystemInfo
0x4181d0 GetSystemTime
0x4181d8 GetSystemTimes
0x4181e0 GetTempFileNameW
0x4181e4 GetTempPathW
0x4181e8 GetTickCount
0x4181ec GetTimeFormatA
0x4181f4 GetUserDefaultLCID
0x4181fc GetVersion
0x418200 GetVersionExA
0x418204 GetVersionExW
0x418210 GlobalAlloc
0x418214 GlobalFindAtomA
0x418218 GlobalFree
0x41821c GlobalUnWire
0x418220 HeapAlloc
0x418224 HeapCreate
0x418228 HeapDestroy
0x41822c HeapFree
0x418230 HeapReAlloc
0x418234 HeapSize
0x418248 InterlockedExchange
0x418254 IsBadReadPtr
0x418258 IsDebuggerPresent
0x418260 IsValidCodePage
0x418264 IsValidLocale
0x418268 IsWow64Process
0x41826c LCMapStringA
0x418270 LCMapStringW
0x418278 LoadLibraryA
0x41827c LoadLibraryExW
0x418280 LoadLibraryW
0x418284 LoadResource
0x418288 LocalAlloc
0x418290 LocalFree
0x418294 LockFile
0x418298 LockResource
0x41829c MapViewOfFileEx
0x4182a0 Module32FirstW
0x4182a4 MoveFileW
0x4182a8 MulDiv
0x4182ac GetOEMCP
0x4182b0 OpenEventA
0x4182b4 OpenEventW
0x4182b8 OpenMutexA
0x4182bc OpenMutexW
0x4182c0 OpenProcess
0x4182c4 OpenThread
0x4182c8 OutputDebugStringW
0x4182cc PeekNamedPipe
0x4182d0 Process32FirstW
0x4182d4 Process32NextW
0x4182e0 RaiseException
0x4182e8 ReadFile
0x4182ec ReadProcessMemory
0x4182f0 ReleaseMutex
0x4182f4 ReleaseSemaphore
0x4182f8 ReplaceFile
0x4182fc ResetEvent
0x418300 ResumeThread
0x418304 RtlUnwind
0x418310 SetEndOfFile
0x418318 SetEvent
0x41831c SetFileAttributesA
0x418320 SetFilePointer
0x418324 SetFilePointerEx
0x418328 SetHandleCount
0x41832c SetLastError
0x418334 SetStdHandle
0x418338 SetThreadLocale
0x418340 SetWaitableTimer
0x418344 SizeofResource
0x418348 Sleep
0x418350 TerminateProcess
0x418354 TerminateThread
0x418358 TlsAlloc
0x41835c TlsFree
0x418360 TlsGetValue
0x418364 TlsSetValue
0x418370 UnlockFile
0x418374 UnmapViewOfFile
0x418378 VerSetConditionMask
0x41837c VerifyVersionInfoW
0x418380 VirtualAlloc
0x418384 VirtualAllocEx
0x418388 VirtualFree
0x41838c VirtualFreeEx
0x418390 VirtualLock
0x41839c WaitForSingleObject
0x4183a0 WideCharToMultiByte
0x4183a4 WriteConsoleA
0x4183a8 WriteConsoleW
0x4183ac WriteFile
0x4183b8 lstrcmpA
0x4183bc lstrcmpiA
0x4183c0 lstrcmpiW
0x4183c4 lstrcpynW
0x4183c8 lstrlen
0x4183cc lstrlenA
0x4183d0 lstrlenW
0x4183d8 GetModuleHandleW
0x4183dc GetModuleHandleA
0x4183e0 GetModuleFileNameW
0x4183e4 GetModuleFileNameA
0x4183e8 GetLongPathNameW
0x4183ec GetLogicalDrives
0x4183f0 GetLocaleInfoW
0x4183f4 GetLocaleInfoA
0x4183f8 GetLocalTime
0x4183fc GetLastError
0x418400 GetFileType
0x418404 GetFileTime
0x418408 GetFileSizeEx
0x41840c GetFileSize
0x418410 GetFileAttributesW
0x41841c GetExitCodeThread
0x418420 GetExitCodeProcess
0x41842c GetDriveTypeA
0x418430 GetDiskFreeSpaceExW
0x418434 GetDateFormatA
0x418438 GetCurrentThreadId
0x41843c GetCurrentProcessId
0x418440 GetCurrentProcess
0x418448 GetConsoleOutputCP
0x41844c GetConsoleMode
0x418450 GetConsoleCP
0x418454 GetConsoleAliasesW
0x418458 GetCommandLineW
0x41845c GetCommandLineA
0x418460 GetCommState
0x418464 GetCPInfoExA
0x418468 GetCPInfo
0x41846c GetAtomNameW
0x418470 GetACP
0x418474 FreeResource
0x418478 FreeLibrary
0x418484 FreeConsole
0x418488 FormatMessageW
0x418490 FlushFileBuffers
0x418494 FindResourceW
0x418498 FindResourceExW
0x41849c FindNextFileW
0x4184a0 FindFirstFileW
0x4184a8 FindClose
0x4184ac FindAtomW
0x4184b8 FatalAppExitA
0x4184bc ExitThread
0x4184c0 ExitProcess
0x4184c4 EnumSystemLocalesA
0x4184cc DuplicateHandle
0x4184d0 DisconnectNamedPipe
0x4184d4 DeviceIoControl
0x4184dc DeleteFileW
0x4184e0 DeleteFileA
0x4184e8 DeleteAtom
0x4184f4 CreateThread
0x4184f8 CreateSemaphoreW
0x4184fc CreateSemaphoreA
0x418500 CreateRemoteThread
0x418504 CreateProcessW
0x418508 CreateNamedPipeW
0x41850c CreateMutexW
0x418510 CreateMutexA
0x418514 CreateFileW
0x418518 CreateFileMappingW
0x41851c CreateFileA
0x418520 CreateEventW
0x418524 CreateEventA
0x418528 CreateDirectoryW
0x41852c CreateDirectoryA
0x418530 CopyFileW
0x418534 CopyFileExA
0x418538 ConnectNamedPipe
0x41853c CompareStringW
0x418540 CompareStringA
0x418544 CompareFileTime
0x418548 CloseHandle
0x41854c CancelIo
0x418550 MultiByteToWideChar
0x418554 AddAtomW
Library USER32.dll:
0x418620 IsWindowEnabled
0x418624 IsWindow
0x418628 IsDialogMessageW
0x41862c InvalidateRect
0x418634 GetWindowTextW
0x418638 GetWindowRect
0x41863c GetWindowPlacement
0x418640 GetWindowLongW
0x418644 GetWindowInfo
0x418648 GetWindow
0x41864c GetSystemMetrics
0x418650 GetShellWindow
0x418654 GetParent
0x418658 GetMonitorInfoW
0x41865c GetMessageW
0x418660 GetMessagePos
0x418664 GetKeyboardState
0x418668 GetForegroundWindow
0x41866c GetDesktopWindow
0x418670 GetDC
0x418674 GetCursorPos
0x418678 GetClientRect
0x41867c IsWindowVisible
0x418680 GetClassInfoExW
0x418684 GetAncestor
0x418688 GetActiveWindow
0x41868c FindWindowW
0x418690 FindWindowExW
0x418694 ExitWindowsEx
0x4186a0 EnableWindow
0x4186a4 DrawTextW
0x4186a8 DispatchMessageW
0x4186ac DestroyWindow
0x4186b0 DestroyIcon
0x4186b4 DefWindowProcW
0x4186b8 CreateWindowExW
0x4186bc CopyRect
0x4186c0 CloseDesktop
0x4186c4 ClientToScreen
0x4186c8 CharNextW
0x4186cc CallWindowProcW
0x4186d0 AttachThreadInput
0x4186d8 AdjustWindowRect
0x4186dc KillTimer
0x4186e0 LoadCursorW
0x4186e4 LoadImageW
0x4186e8 LoadStringW
0x4186ec MapWindowPoints
0x4186f0 MessageBoxW
0x4186f4 MonitorFromPoint
0x4186f8 MonitorFromRect
0x4186fc MonitorFromWindow
0x418700 OffsetRect
0x418704 OpenInputDesktop
0x418708 PeekMessageW
0x41870c PostMessageW
0x418710 PostQuitMessage
0x418714 PtInRect
0x418718 RegisterClassExW
0x418720 ReleaseCapture
0x418724 ReleaseDC
0x418728 ScreenToClient
0x41872c SendMessageTimeoutW
0x418730 SendMessageW
0x418734 SetActiveWindow
0x418738 SetClassLongW
0x41873c SetClipboardViewer
0x418740 SetCursor
0x418744 SetFocus
0x418748 SetForegroundWindow
0x41874c SetRect
0x418750 SetRectEmpty
0x418754 SetTimer
0x418758 SetWindowLongW
0x41875c SetWindowPos
0x418760 SetWindowTextW
0x418764 SetWindowsHookA
0x418768 SetWindowsHookExA
0x41876c ShowOwnedPopups
0x418770 ShowWindow
0x418774 SwitchToThisWindow
0x41877c TranslateMessage
0x418780 UnregisterClassA
0x418784 UpdateLayeredWindow
0x418788 UpdateWindow
0x41878c WaitForInputIdle
0x418790 WindowFromPoint
0x418794 keybd_event
0x418798 GetClassLongW
Library GDI32.dll:
0x4180c8 cGetTTFFromFOT
0x4180cc UnloadNetworkFonts
0x4180d0 SwapBuffers
0x4180d4 SetTextColor
0x4180d8 SetRectRgn
0x4180dc SetROP2
0x4180e0 SetDIBColorTable
0x4180e4 SelectObject
0x4180e8 RoundRect
0x4180ec PolyBezier
0x4180f0 PlayMetaFile
0x4180f4 PATHOBJ_bEnum
0x4180f8 LPtoDP
0x418100 GetTextExtentPointI
0x418108 GetStockObject
0x418110 GetObjectW
0x418114 GetLogColorSpaceA
0x41811c GetCharWidthInfo
0x418120 GetCharABCWidthsI
0x418128 GetBkMode
0x41812c GdiValidateHandle
0x418130 GdiEntry9
0x418138 ExtCreatePen
0x41813c EngReleaseSemaphore
0x418140 EngFillPath
0x418144 EngDeletePath
0x41814c DeleteObject
0x418150 DeleteDC
0x418154 CreatePolygonRgn
0x418158 CreateFontW
0x41815c CreateFontIndirectW
0x418160 CreateEllipticRgn
0x418164 CreateDIBSection
0x418168 CreateCompatibleDC
0x418170 CreateBrushIndirect
0x418174 CloseMetaFile
0x418178 AngleArc
0x41817c BitBlt
Library ADVAPI32.dll:
0x418004 RegOpenKeyA
0x418008 StartServiceW
0x418014 SetEntriesInAclW
0x418018 RevertToSelf
0x41801c RegSetValueExW
0x418020 RegQueryValueExW
0x418024 RegQueryValueExA
0x418028 RegQueryInfoKeyW
0x41802c RegOpenKeyW
0x418030 RegOpenKeyExW
0x418034 RegOpenKeyExA
0x41803c RegEnumKeyExW
0x418040 RegEnumKeyExA
0x418044 RegDeleteValueW
0x418048 RegDeleteKeyW
0x41804c RegCreateKeyExW
0x418050 RegCreateKeyA
0x418054 RegCloseKey
0x418058 ReadEventLogW
0x41805c QueryServiceStatus
0x418060 OpenServiceW
0x418064 OpenSCManagerW
0x418068 OpenProcessToken
0x41806c OpenEventLogW
0x418074 LookupAccountSidW
0x418080 GetUserNameW
0x418084 GetTokenInformation
0x41808c FreeSid
0x418090 EqualSid
0x418094 DuplicateTokenEx
0x418098 DuplicateToken
0x41809c CryptReleaseContext
0x4180a0 CryptGenRandom
0x4180a8 CreateWellKnownSid
0x4180b4 CloseServiceHandle
0x4180c0 CloseEventLog
Library SHELL32.dll:
0x41855c Shell_NotifyIconW
0x418560 ShellExecuteExW
0x418564 ShellExecuteA
0x418568 SHLoadInProc
0x418570 SHGetMalloc
0x418578 SHGetFolderPathW
0x41857c SHGetFolderPathA
0x418580 SHFileOperationA
0x418588 SHChangeNotify
0x418590 DragQueryFileA
0x418594 ShellExecuteW
Library SHLWAPI.dll:
0x4185a0 PathIsPrefixW
0x4185a4 PathIsDirectoryW
0x4185a8 PathFindFileNameW
0x4185ac PathFindFileNameA
0x4185b0 PathFindExtensionW
0x4185b4 PathFileExistsW
0x4185bc PathCompactPathW
0x4185c0 PathCombineW
0x4185c4 PathCombineA
0x4185c8 PathAppendW
0x4185cc PathAddBackslashW
0x4185d0 ColorRGBToHLS
0x4185d4 ColorHLSToRGB
0x4185d8 AssocQueryStringW
0x4185dc PathRemoveFileSpecW
0x4185e0 PathStripPathW
0x4185e4 SHDeleteKeyW
0x4185e8 SHDeleteValueA
0x4185ec SHDeleteValueW
0x4185f0 SHGetValueA
0x4185f4 SHGetValueW
0x4185f8 SHSetValueA
0x4185fc SHSetValueW
0x418600 StrCmpIW
0x418604 StrCmpNA
0x418608 StrRStrIW
0x41860c StrStrIW
0x418610 StrStrW
0x418614 PathFileExistsA
0x418618 wnsprintfW

.text
`.rdata
@.data
.rsrc
AddAtomW
CancelIo
CloseHandle
CompareFileTime
CompareStringA
CompareStringW
ConnectNamedPipe
CopyFileExA
CopyFileW
CreateDirectoryA
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileMappingW
CreateFileW
CreateMutexA
CreateMutexW
CreateNamedPipeW
CreateProcessW
CreateRemoteThread
CreateSemaphoreA
CreateSemaphoreW
CreateThread
CreateToolhelp32Snapshot
CreateWaitableTimerA
DeleteAtom
DeleteCriticalSection
DeleteFileA
DeleteFileW
DeleteVolumeMountPointW
DeviceIoControl
DisconnectNamedPipe
DuplicateHandle
EnterCriticalSection
EnumSystemLocalesA
ExitProcess
ExitThread
FatalAppExitA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindAtomW
FindClose
FindCloseChangeNotification
FindFirstFileW
FindNextFileW
FindResourceExW
FindResourceW
FlushFileBuffers
FlushInstructionCache
FormatMessageW
FreeConsole
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
FreeResource
GetACP
GetAtomNameW
GetCPInfo
GetCPInfoExA
GetCommState
GetCommandLineA
GetCommandLineW
GetConsoleAliasesW
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatA
GetDiskFreeSpaceExW
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesExA
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetFileSizeEx
GetFileTime
GetFileType
GetLastError
GetLocalTime
GetLocaleInfoA
GetLocaleInfoW
GetLogicalDrives
GetLongPathNameW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetNumberOfConsoleMouseButtons
GetOEMCP
GetOverlappedResult
GetPrivateProfileIntW
GetPrivateProfileSectionNamesW
GetPrivateProfileSectionW
GetPrivateProfileStringW
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetProcessIoCounters
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeExW
GetStringTypeW
GetSystemDefaultUILanguage
GetSystemDirectoryW
GetSystemInfo
GetSystemPowerStatus
GetSystemTime
GetSystemTimeAsFileTime
GetSystemTimes
GetSystemWindowsDirectoryW
GetTempFileNameW
GetTempPathW
GetTickCount
GetTimeFormatA
GetTimeZoneInformation
GetUserDefaultLCID
GetUserDefaultUILanguage
GetVersion
GetVersionExA
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
GlobalAlloc
GlobalFindAtomA
GlobalFree
GlobalUnWire
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedCompareExchange
InterlockedDecrement
InterlockedExchange
InterlockedExchangeAdd
InterlockedIncrement
IsBadReadPtr
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
IsValidLocale
IsWow64Process
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LoadResource
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LockFile
LockResource
MapViewOfFileEx
Module32FirstW
MoveFileW
MulDiv
MultiByteToWideChar
OpenEventA
OpenEventW
OpenMutexA
OpenMutexW
OpenProcess
OpenThread
OutputDebugStringW
PeekNamedPipe
Process32FirstW
Process32NextW
ProcessIdToSessionId
QueryPerformanceCounter
RaiseException
ReadDirectoryChangesW
ReadFile
ReadProcessMemory
ReleaseMutex
ReleaseSemaphore
ReplaceFile
ResetEvent
ResumeThread
RtlUnwind
ScrollConsoleScreenBufferA
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableA
SetEvent
SetFileAttributesA
SetFilePointer
SetFilePointerEx
SetHandleCount
SetLastError
SetNamedPipeHandleState
SetStdHandle
SetThreadLocale
SetUnhandledExceptionFilter
SetWaitableTimer
SizeofResource
Sleep
SystemTimeToFileTime
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnhandledExceptionFilter
UnlockFile
UnmapViewOfFile
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualLock
WTSGetActiveConsoleSessionId
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteConsoleA
WriteConsoleW
WriteFile
WritePrivateProfileSectionW
WritePrivateProfileStringW
lstrcmpA
lstrcmpiA
lstrcmpiW
lstrcpynW
lstrlen
lstrlenA
lstrlenW
KERNEL32.dll
AdjustWindowRect
AllowSetForegroundWindow
AttachThreadInput
CallWindowProcW
CharNextW
ClientToScreen
CloseDesktop
CopyRect
CreateWindowExW
DefWindowProcW
DestroyIcon
DestroyWindow
DispatchMessageW
DrawTextW
EnableWindow
EnumClipboardFormats
EnumDisplaySettingsW
ExitWindowsEx
FindWindowExW
FindWindowW
GetActiveWindow
GetAncestor
GetClassInfoExW
GetClassLongW
GetClientRect
GetCursorPos
GetDC
GetDesktopWindow
GetForegroundWindow
GetKeyboardState
GetMessagePos
GetMessageW
GetMonitorInfoW
GetParent
GetShellWindow
GetSystemMetrics
GetWindow
GetWindowInfo
GetWindowLongW
GetWindowPlacement
GetWindowRect
GetWindowTextW
GetWindowThreadProcessId
InvalidateRect
IsDialogMessageW
IsWindow
IsWindowEnabled
IsWindowVisible
KillTimer
LoadCursorW
LoadImageW
LoadStringW
MapWindowPoints
MessageBoxW
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
OffsetRect
OpenInputDesktop
PeekMessageW
PostMessageW
PostQuitMessage
PtInRect
RegisterClassExW
RegisterWindowMessageW
ReleaseCapture
ReleaseDC
ScreenToClient
SendMessageTimeoutW
SendMessageW
SetActiveWindow
SetClassLongW
SetClipboardViewer
SetCursor
SetFocus
SetForegroundWindow
SetRect
SetRectEmpty
SetTimer
SetWindowLongW
SetWindowPos
SetWindowTextW
SetWindowsHookA
SetWindowsHookExA
ShowOwnedPopups
ShowWindow
SwitchToThisWindow
SystemParametersInfoW
TranslateMessage
UnregisterClassA
UpdateLayeredWindow
UpdateWindow
WaitForInputIdle
WindowFromPoint
keybd_event
USER32.dll
AngleArc
BitBlt
CloseMetaFile
CreateBrushIndirect
CreateCompatibleBitmap
CreateCompatibleDC
CreateDIBSection
CreateEllipticRgn
CreateFontIndirectW
CreateFontW
CreatePolygonRgn
DeleteDC
DeleteObject
DeviceCapabilitiesExW
EngDeletePath
EngFillPath
EngReleaseSemaphore
ExtCreatePen
GdiCreateLocalEnhMetaFile
GdiEntry9
GdiValidateHandle
GetBkMode
GetCharABCWidthsFloatA
GetCharABCWidthsI
GetCharWidthInfo
GetEnhMetaFileDescriptionW
GetLogColorSpaceA
GetObjectW
GetOutlineTextMetricsW
GetStockObject
GetTextExtentPoint32W
GetTextExtentPointI
HT_Get8BPPMaskPalette
LPtoDP
PATHOBJ_bEnum
PlayMetaFile
PolyBezier
RoundRect
SelectObject
SetDIBColorTable
SetROP2
SetRectRgn
SetTextColor
SwapBuffers
UnloadNetworkFonts
cGetTTFFromFOT
GDI32.dll
AdjustTokenPrivileges
AllocateAndInitializeSid
CheckTokenMembership
CloseEventLog
CloseServiceHandle
ConvertSidToStringSidW
ConvertStringSidToSidW
CreateWellKnownSid
CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
DuplicateToken
DuplicateTokenEx
EqualSid
FreeSid
GetNamedSecurityInfoW
GetTokenInformation
GetUserNameW
ImpersonateLoggedOnUser
InitializeSecurityDescriptor
LookupAccountSidW
LookupPrivilegeValueW
OpenEventLogW
OpenProcessToken
OpenSCManagerW
OpenServiceW
QueryServiceStatus
ReadEventLogW
RegCloseKey
RegCreateKeyA
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExA
RegEnumKeyExW
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyW
RegQueryInfoKeyW
RegQueryValueExA
RegQueryValueExW
RegSetValueExW
RevertToSelf
SetEntriesInAclW
SetNamedSecurityInfoW
SetSecurityDescriptorDacl
StartServiceW
RegOpenKeyA
ADVAPI32.dll
Shell_NotifyIconW
ShellExecuteW
ShellExecuteExW
ShellExecuteA
SHLoadInProc
SHGetSpecialFolderPathW
SHGetMalloc
SHGetIconOverlayIndexW
SHGetFolderPathW
SHGetFolderPathA
SHFileOperationA
SHCreateDirectoryExW
SHChangeNotify
ExtractAssociatedIconExW
DragQueryFileA
SHELL32.dll
AssocQueryStringW
ColorHLSToRGB
ColorRGBToHLS
PathAddBackslashW
PathAppendW
PathCombineA
PathCombineW
PathCompactPathW
PathFileExistsA
PathFileExistsW
PathFindExtensionW
PathFindFileNameA
PathFindFileNameW
PathIsDirectoryW
PathIsPrefixW
PathRemoveBackslashW
PathRemoveExtensionW
PathRemoveFileSpecW
PathStripPathW
SHDeleteKeyW
SHDeleteValueA
SHDeleteValueW
SHGetValueA
SHGetValueW
SHSetValueA
SHSetValueW
StrCmpIW
StrCmpNA
StrRStrIW
StrStrIW
StrStrW
wnsprintfW
SHLWAPI.dll
tkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
rprocmsv
*ShellAPI
System
SysInit
KWindows
UTypes
CommCtrl
3Messages
sActiveX
+IdTCPServer
|IdResourceStrings
yIdStack
SysUtils
SysConst
^Classes
"RTLConsts
CVariants
$VarUtils
QTypInfo
IdException
@IdStackConsts
)IdWinSock2
uIdGlobal
IdStackWindows
8Registry
IniFiles
EIdURI
SyncObjs
IdStrings
IdThreadSafe
IdComponent
IdAntiFreezeBase
IdBaseComponent
mIdSocketHandle
IdTCPConnection
IdStream
IdTCPStream
IdIntercept
BIdIOHandler
IdRFCReply
yIdIOHandlerSocket
jIdSocks
IdAssignedNumbers
IdThread
%IdThreadMgr
IdThreadMgrDefault
IdServerIOHandler
&IdServerIOHandlerSocket
RemoteProcMgrServerU
GlobalConsts
MAINICON
Address type not supported.;Cannot call TerminateAndWaitFor on FreeAndTerminate threads
Socks server did not respond.$Invalid socks authentication method.%Authentication error to socks server.
Socket is not connected..Cannot send or receive after socket is closed.
Bad protocol option.
Connect timed out.
Terminate Thread Timeout
%s.Seek not implemented
Class %s not found%List does not allow duplicates ($0%x)
Exception in safecall method
Floating point overflow
This file is not on VirusTotal.

Process Tree


NEYPefKofXc2Q6H.exe, PID: 2772, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\NEYPefKofXc2Q6H.exe
Command Line: "C:\Users\user\AppData\Local\Temp\NEYPefKofXc2Q6H.exe"
NEYPefKofXc2Q6H.exe, PID: 804, Parent PID: 2772
Full Path: C:\Users\user\AppData\Local\Temp\NEYPefKofXc2Q6H.exe
Command Line: --59f6465
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
gluerel.exe, PID: 828, Parent PID: 460
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: "C:\Windows\SysWOW64\gluerel.exe"
gluerel.exe, PID: 1132, Parent PID: 828
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: --caeb0eba
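The process tree above shows two behaviours worth turning into detection logic: each stage re-launches its own image with nothing but a hex token as the command line ("--59f6465", "--caeb0eba"), and the copy persisted as C:\Windows\SysWOW64\gluerel.exe is started by services.exe. The Python below is an added example, not CAPE's code and not a signature from this report. The event records are constructed from the tree above (plus one benign svchost.exe control that the rules must not flag), and the SysWOW64 service allowlist is an assumption to be populated from your own baseline, not from this page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 row carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report; not real Sysmon output.
# PID 900 is a benign control added here so the rules have something they must NOT flag.
EVENTS = [
    ProcEvent(2772, 2480, r"C:\Users\user\AppData\Local\Temp\NEYPefKofXc2Q6H.exe",
              r'"C:\Users\user\AppData\Local\Temp\NEYPefKofXc2Q6H.exe"'),
    ProcEvent(804, 2772, r"C:\Users\user\AppData\Local\Temp\NEYPefKofXc2Q6H.exe", "--59f6465"),
    ProcEvent(460, 372, r"C:\Windows\sysnative\services.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(828, 460, r"C:\Windows\SysWOW64\gluerel.exe", r'"C:\Windows\SysWOW64\gluerel.exe"'),
    ProcEvent(1132, 828, r"C:\Windows\SysWOW64\gluerel.exe", "--caeb0eba"),
    ProcEvent(900, 460, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

# A command line that is only a dashed 7-8 digit hex token, as in "--59f6465" and "--caeb0eba".
HEX_ARG_ONLY = re.compile(r"^--[0-9a-f]{7,8}$")

# Assumed baseline of 32-bit service binaries services.exe legitimately starts from SysWOW64.
# Deliberately empty here: fill it from your own environment.
SYSWOW64_SERVICE_ALLOWLIST = frozenset()


def normalize(path):
    """Lower-case the path and fold the 'sysnative' alias a 32-bit monitor reports for System32."""
    return path.lower().replace("\\sysnative\\", "\\system32\\")


def basename(path):
    return normalize(path).rsplit("\\", 1)[-1]


def detect(events, allowlist=SYSWOW64_SERVICE_ALLOWLIST):
    """Run two rules over process-creation records and return (rule_name, pid) hits."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent outside the window; nothing to compare against
        # Rule 1: a process re-launches its own image with only a hex token as the command line.
        if normalize(parent.image) == normalize(e.image) and HEX_ARG_ONLY.match(e.cmdline.strip()):
            hits.append(("self_respawn_hex_arg", e.pid))
        # Rule 2: services.exe starts a binary from SysWOW64 that is not in the service baseline.
        if basename(parent.image) == "services.exe":
            img = normalize(e.image)
            if "\\syswow64\\" in img and basename(img) not in allowlist:
                hits.append(("services_spawns_syswow64_binary", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The sysnative fold matters in practice: the report itself lists services.exe under C:\Windows\sysnative\ because the 32-bit monitor saw it through that alias, and a rule keyed on the literal System32 path would miss the parent match without it.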

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 181.15.177.100 Argentina

TCP

Source Source Port Destination Destination Port
192.168.35.21 49181 181.15.177.100 443

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.download.windowsupdate.com
crt.usertrust.com

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name gluerel.exe
Associated Filenames
C:\Windows\SysWOW64\gluerel.exe
File Size 170048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2677c192c0e519ea0202e5aae151107c
SHA1 2da79f0e2d855e7b15ad7c124848829516fee8f3
SHA256 576e27bc56d71276bfa9f52d242c3204e29d0d498fc9a2461a6dd34a471c6f20
CRC32 81DC0B87
Ssdeep 3072:4WoofUTXKZLk/lvI6enmhUcUygISmkEm8M8GGza0WsQu6JMdN0HC25+i7gp:wjXP/hHenK5NSmH3YGj6RW
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY----- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB -----END PUBLIC KEY-----
address
181.15.177.100:443
189.143.52.49:443
31.179.135.186:80
154.120.228.126:143
200.32.61.210:8080
64.87.26.16:443
218.161.88.253:8080
109.104.79.48:8080
185.94.252.27:443
216.98.148.136:4143
200.28.131.215:443
196.6.112.70:443
69.163.33.82:8080
190.147.116.32:21
186.139.160.193:8080
81.183.213.36:80
200.58.171.51:80
190.113.233.4:7080
181.29.101.13:80
163.18.23.242:80
103.201.150.209:80
181.16.127.226:443
200.59.189.217:80
185.129.93.140:80
45.73.124.235:8080
23.254.203.51:8080
190.85.206.228:80
85.132.96.242:80
187.178.9.19:20
111.67.12.221:8080
192.155.90.90:7080
201.217.67.3:80
190.180.52.146:20
91.205.215.57:7080
205.186.154.130:80
175.107.200.27:443
51.255.50.164:8080
187.242.204.142:80
181.39.134.122:80
181.110.239.26:80
62.75.143.100:7080
190.117.206.153:443
43.229.62.186:8080
190.123.35.82:50000
217.92.171.167:53
91.83.93.124:7080
181.30.126.66:80
82.226.163.9:80
103.213.212.42:443
89.134.144.41:8080
213.172.88.13:80
187.188.166.192:80
190.13.211.174:21
109.73.52.242:8080
217.199.175.216:8080
81.3.6.78:7080
66.209.69.165:443
79.143.182.254:8080
189.196.140.187:80
105.224.171.102:80
200.45.57.96:143
203.25.159.3:8080
201.251.229.37:80
185.86.148.222:8080
191.97.116.232:443
37.59.1.74:8080
181.143.101.18:8080
181.199.151.19:80
200.107.105.16:465
200.127.0.8:80
181.15.243.22:80
200.57.102.71:8443
219.94.254.93:8080
72.47.248.48:8080
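A practitioner handed this config will want to confirm what the key is and turn the address list into something a sensor can act on. The Python below is an added example, not CAPE's code and not part of this report: it walks the DER of the PEM key above without third-party libraries (confirming a 768-bit rsaEncryption key with e = 65537), validates a subset of the address list as ip:port pairs, cross-checks it against the single TCP flow recorded in the network section, and emits Suricata rules keyed on the raw TCP endpoint. Keying on the endpoint rather than on HTTP matters because the list includes ports 20, 21, 53, 143 and 465 alongside 80 and 8080. The rule wording and SID range are my choices, not the report's.

```python
import base64
import ipaddress
from collections import Counter

# RSA public key exactly as reported in the CAPE "Emotet Config" entry above.
EMOTET_RSA_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
-----END PUBLIC KEY-----"""

# Subset of the "address" list from the same config entry (the report lists 75).
C2_ADDRESSES = """\
181.15.177.100:443
189.143.52.49:443
31.179.135.186:80
154.120.228.126:143
200.32.61.210:8080
64.87.26.16:443
218.161.88.253:8080
190.123.35.82:50000
217.92.171.167:53
187.178.9.19:20
"""


def _der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the real length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(pem):
    """Parse a PEM SubjectPublicKeyInfo holding an RSA key; return (modulus_bits, exponent)."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, spki, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_id, pos = _der_read(spki, 0)             # AlgorithmIdentifier
    _, oid, _ = _der_read(alg_id, 0)
    if oid != bytes.fromhex("2a864886f70d010101"):  # 1.2.840.113549.1.1.1 rsaEncryption
        raise ValueError("not an rsaEncryption key")
    bs_tag, bitstr, _ = _der_read(spki, pos)        # BIT STRING wrapping RSAPublicKey
    if bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_pub, _ = _der_read(bitstr, 1)            # skip the unused-bits byte
    _, n_bytes, pos = _der_read(rsa_pub, 0)
    _, e_bytes, _ = _der_read(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


def parse_c2_list(text):
    """Validate 'ip:port' lines into (ip, port) tuples; malformed lines raise rather than slip through."""
    c2s = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {line!r}")
        ip = ipaddress.ip_address(host)  # ValueError on anything that is not an IP literal
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {line!r}")
        c2s.append((str(ip), port))
    return c2s


def port_histogram(c2s):
    """Ports in use across the C2 list, to show a rule limited to 80/443 would miss entries."""
    return Counter(port for _, port in c2s)


def observed_in_config(c2s, flows):
    """Return the sandbox TCP flows (dst_ip, dst_port) that match a configured C2 entry."""
    configured = set(c2s)
    return [f for f in flows if f in configured]


def to_suricata_rules(c2s, base_sid=1000000):
    """One alert per C2 endpoint on the TCP tuple, so it fires whatever protocol runs on top."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Emotet C2 {ip}:{port}"; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2s, start=1)
    ]


if __name__ == "__main__":
    bits, e = parse_rsa_spki(EMOTET_RSA_PEM)
    print(f"RSA key: {bits}-bit, e={e}")
    c2s = parse_c2_list(C2_ADDRESSES)
    print("ports:", dict(port_histogram(c2s)))
    # The one TCP flow in this report's network section, as (dst_ip, dst_port).
    print("observed C2:", observed_in_config(c2s, [("181.15.177.100", 443)]))
    print("\n".join(to_suricata_rules(c2s[:2])))
```

The cross-check is the useful part for triage: the only TCP flow in the report, 192.168.35.21 to 181.15.177.100:443, is the first entry in the config, which ties the network activity to the extracted payload rather than to some unrelated component on the guest.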
Type Extracted Shellcode
Size 69632 bytes
Virtual Address 0x3e0000
Process NEYPefKofXc2Q6H.exe
PID 2772
Path C:\Users\user\AppData\Local\Temp\NEYPefKofXc2Q6H.exe
MD5 38aa5772938a4a5679f12447b4de6889
SHA1 d56b4eba7306b96dabe394f380fd839dcdfc2f40
SHA256 9d975bd96a097a85b1841202f8c416da47ffeda6c45b8deb3ad45128fd759ba4
CRC32 56ADEADA
Ssdeep 1536:nAk1W42lCe4OsrMHAB201zneR5z/ZvECviGyMuYt:9UCQsjB20heR5tRvNL
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Emotet Payload: 32-bit executable
Size 62976 bytes
Virtual Address 0x300000
Process NEYPefKofXc2Q6H.exe
PID 2772
Path C:\Users\user\AppData\Local\Temp\NEYPefKofXc2Q6H.exe
MD5 3b033c7eb80d53c418dfc5576a5adb54
SHA1 0e354a966392b0658f61354d8420bd0ccbd00f2b
SHA256 8cb9a5659fa9f606ffc2d9ac468804c898efbf8d328e0afb501480cdcda5bdf3
CRC32 C6FF60FA
Ssdeep 1536:ygV2M7cQ62aENvW0+wspUYUGgp9OSB942r:yEhbZ9yF89Oup
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Sorry! No process dumps.


Processing ( 3.062 seconds )

  • 1.897 CAPE
  • 0.352 BehaviorAnalysis
  • 0.234 TargetInfo
  • 0.232 Dropped
  • 0.194 Static
  • 0.091 TrID
  • 0.033 Deduplicate
  • 0.013 Strings
  • 0.009 NetworkAnalysis
  • 0.006 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.169 seconds )

  • 0.02 antiav_detectreg
  • 0.015 stealth_timeout
  • 0.012 api_spamming
  • 0.012 decoy_document
  • 0.01 PlugX
  • 0.008 infostealer_ftp
  • 0.005 Doppelganging
  • 0.005 injection_createremotethread
  • 0.005 InjectionCreateRemoteThread
  • 0.004 InjectionProcessHollowing
  • 0.004 injection_runpe
  • 0.004 antianalysis_detectreg
  • 0.004 antiav_detectfile
  • 0.004 infostealer_im
  • 0.004 ransomware_files
  • 0.003 InjectionInterProcess
  • 0.003 antivm_generic_disk
  • 0.003 persistence_autorun
  • 0.003 infostealer_mail
  • 0.003 ransomware_extensions
  • 0.002 bootkit
  • 0.002 stealth_file
  • 0.002 mimics_filetime
  • 0.002 antivm_generic_scsi
  • 0.002 reads_self
  • 0.002 virus
  • 0.002 antivm_vbox_keys
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 recon_programs
  • 0.001 antivm_generic_services
  • 0.001 antiemu_wine_func
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 recon_fingerprint

Reporting ( 0.015 seconds )

  • 0.015 CompressResults
Task ID 74111
Mongo ID 5cdceaa4f284885ccdcef661
Cuckoo release 1.3-CAPE