CAPE

Detections: Emotet

Analysis

Category  Package  Started              Completed            Duration
FILE      Emotet   2019-05-16 04:53:50  2019-05-16 04:55:47  117 seconds
2019-05-16 05:53:51,000 [root] INFO: Date set to: 05-16-19, time set to: 04:53:51, timeout set to: 60
2019-05-16 05:53:51,015 [root] DEBUG: Starting analyzer from: C:\lafvcll
2019-05-16 05:53:51,015 [root] DEBUG: Storing results at: C:\NqubLyIJtH
2019-05-16 05:53:51,015 [root] DEBUG: Pipe server name: \\.\PIPE\pglqOm
2019-05-16 05:53:51,015 [root] INFO: Analysis package "Emotet" has been specified.
2019-05-16 05:53:51,467 [root] DEBUG: Started auxiliary module Browser
2019-05-16 05:53:51,467 [root] DEBUG: Started auxiliary module Curtain
2019-05-16 05:53:51,467 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-05-16 05:54:16,707 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2019-05-16 05:54:16,707 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-05-16 05:54:16,723 [root] DEBUG: Started auxiliary module DigiSig
2019-05-16 05:54:16,723 [root] DEBUG: Started auxiliary module Disguise
2019-05-16 05:54:16,723 [root] DEBUG: Started auxiliary module Human
2019-05-16 05:54:16,723 [root] DEBUG: Started auxiliary module Screenshots
2019-05-16 05:54:16,723 [root] DEBUG: Started auxiliary module Sysmon
2019-05-16 05:54:16,723 [root] DEBUG: Started auxiliary module Usage
2019-05-16 05:54:16,723 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Emotet
2019-05-16 05:54:16,723 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL_64 option
2019-05-16 05:54:16,755 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\i8ekAGsNBxmGR.exe" with arguments "" with pid 2748
2019-05-16 05:54:16,755 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 05:54:16,755 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 05:54:16,755 [lib.api.process] INFO: 32-bit DLL to inject is C:\lafvcll\dll\gwoIKrg.dll, loader C:\lafvcll\bin\DStZtno.exe
2019-05-16 05:54:16,755 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pglqOm.
2019-05-16 05:54:16,755 [root] DEBUG: Loader: Injecting process 2748 (thread 2752) with C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:16,755 [root] DEBUG: Process image base: 0x00400000
2019-05-16 05:54:16,755 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:16,755 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00437000 - 0x77110000
2019-05-16 05:54:16,755 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x00440000.
2019-05-16 05:54:16,770 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 05:54:16,770 [root] DEBUG: Successfully injected DLL C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:16,770 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2748
2019-05-16 05:54:18,782 [lib.api.process] INFO: Successfully resumed process with pid 2748
2019-05-16 05:54:18,782 [root] INFO: Added new process to list with pid: 2748
2019-05-16 05:54:18,782 [root] INFO: Enabled timeout enforce, running for the full timeout.
2019-05-16 05:54:18,813 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 05:54:18,813 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-05-16 05:54:18,813 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 05:54:18,829 [root] INFO: Monitor successfully loaded in process with pid 2748.
2019-05-16 05:54:18,954 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2f0000, RegionSize: 0x11000.
2019-05-16 05:54:18,954 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2f0000, AllocationSize: 0x11000, ThreadId: 0xac0
2019-05-16 05:54:18,954 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x2f0000 and Type=0x1.
2019-05-16 05:54:18,954 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2f0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:18,954 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2f0000
2019-05-16 05:54:18,970 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 05:54:18,970 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2f0000.
2019-05-16 05:54:18,970 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2f0000: 0xf4.
2019-05-16 05:54:18,970 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2f0000 and Type=0x0.
2019-05-16 05:54:18,970 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x2f0000, AllocationBaseExecBpSet = 1 (EIP = 0x4012d6)
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:18,986 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2f0000.
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2f0000: 0xf4.
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:18,986 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401337
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2f0000.
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2f0000: 0xf4.
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:18,986 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401085
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2f0000.
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2f0000: 0x6d.
2019-05-16 05:54:18,986 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:19,609 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3d0000, RegionSize: 0x10000.
2019-05-16 05:54:19,609 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x2f0000.
2019-05-16 05:54:19,609 [root] DEBUG: DumpPEsInRange: Scanning range 0x2f0000 - 0x301000.
2019-05-16 05:54:19,609 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2f0000-0x301000.
2019-05-16 05:54:19,609 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x2f0000.
2019-05-16 05:54:19,625 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\lafvcll\CAPE\2748_61019541116452019
2019-05-16 05:54:19,641 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\2748_61019541116452019
2019-05-16 05:54:19,641 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2f0000 - 0x301000.
2019-05-16 05:54:19,641 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x2f0000.
2019-05-16 05:54:19,641 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x2f0000.
2019-05-16 05:54:19,641 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3d0000, AllocationSize: 0x10000, ThreadId: 0xac0
2019-05-16 05:54:19,641 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x3d0000 and Type=0x1.
2019-05-16 05:54:19,641 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3d0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:19,641 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3d0000
2019-05-16 05:54:19,641 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3d0000.
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3d0000: 0xa4.
2019-05-16 05:54:19,641 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3d0000 and Type=0x0.
2019-05-16 05:54:19,641 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3d0000, AllocationBaseExecBpSet = 1 (EIP = 0x2ffbfc)
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:19,641 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3d0000.
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3d0000: 0xa4.
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:19,641 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3002d1
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3d0000.
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3d0000: 0xa4.
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:19,641 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3002ea
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3d0000.
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:19,641 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3d003c and Type=0x1.
2019-05-16 05:54:19,641 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x3d003c (EIP = 0x3002ea)
2019-05-16 05:54:19,641 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:19,641 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3002d1
2019-05-16 05:54:19,641 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:19,641 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3d003c.
2019-05-16 05:54:19,641 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 05:54:19,641 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3002ea
2019-05-16 05:54:19,641 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:19,657 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3d003c.
2019-05-16 05:54:19,657 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3d00b8 and Type=0x1.
2019-05-16 05:54:19,657 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,657 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3d00b8 (EIP = 0x3002ea)
2019-05-16 05:54:19,657 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:19,657 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3002d1
2019-05-16 05:54:19,657 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3d00b8.
2019-05-16 05:54:19,657 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 05:54:19,657 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:19,657 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3002ea
2019-05-16 05:54:19,657 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3d00b8.
2019-05-16 05:54:19,657 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x3dcc89 and Type=0x0.
2019-05-16 05:54:19,657 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,657 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x3dcc89 (EIP = 0x3002ea).
2019-05-16 05:54:19,657 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:19,657 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3e0000, RegionSize: 0x14000.
2019-05-16 05:54:19,657 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3d0000.
2019-05-16 05:54:19,657 [root] DEBUG: DumpPEsInRange: Scanning range 0x3d0000 - 0x3e0000.
2019-05-16 05:54:19,657 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3d0000
2019-05-16 05:54:19,657 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 05:54:19,657 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x3d0000
2019-05-16 05:54:19,657 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\2748_65719541116452019
2019-05-16 05:54:19,657 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 05:54:19,657 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3d0000.
2019-05-16 05:54:19,657 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3d0001-0x3e0000.
2019-05-16 05:54:19,657 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 05:54:19,657 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3d0000 - 0x3e0000.
2019-05-16 05:54:19,657 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3dcc89.
2019-05-16 05:54:19,657 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3d0000.
2019-05-16 05:54:19,657 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3e0000, AllocationSize: 0x14000, ThreadId: 0xac0
2019-05-16 05:54:19,657 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x3e0000 and Type=0x1.
2019-05-16 05:54:19,671 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3e0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:19,671 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3e0000
2019-05-16 05:54:19,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,671 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-05-16 05:54:19,671 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:54:19,671 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:19,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,671 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-05-16 05:54:19,671 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:19,671 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3e003c and Type=0x1.
2019-05-16 05:54:19,671 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,671 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x3e003c (EIP = 0x2ffbfc)
2019-05-16 05:54:19,671 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:19,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,671 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:19,671 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3e003c.
2019-05-16 05:54:19,671 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3e00b8 and Type=0x1.
2019-05-16 05:54:19,671 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,671 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3e00b8 (EIP = 0x2ffbfc)
2019-05-16 05:54:19,671 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:19,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,671 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3e00b8.
2019-05-16 05:54:19,671 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:54:19,671 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:19,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,671 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3e00b8.
2019-05-16 05:54:19,671 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3e00e0 and Type=0x1.
2019-05-16 05:54:19,671 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,671 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x2ffbfc).
2019-05-16 05:54:19,671 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:19,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,671 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3e00e0.
2019-05-16 05:54:19,671 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3e00a0 and Type=0x0.
2019-05-16 05:54:19,671 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,671 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x3e00a0 (EIP = 0x2ffbfc).
2019-05-16 05:54:19,671 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:19,671 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,687 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3e00e0.
2019-05-16 05:54:19,687 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3ec9a0 and Type=0x0.
2019-05-16 05:54:19,687 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,687 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x3ec9a0 (EIP = 0x2ffbfc).
2019-05-16 05:54:19,687 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:19,687 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,687 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3e00e0.
2019-05-16 05:54:19,687 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3ec9a0 and Type=0x0.
2019-05-16 05:54:19,687 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,687 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x3ec9a0 (EIP = 0x2ffbfc).
2019-05-16 05:54:19,687 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:19,687 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,687 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3e00e0.
2019-05-16 05:54:19,687 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3ec9a0 and Type=0x0.
2019-05-16 05:54:19,687 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,687 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x3ec9a0 (EIP = 0x2ffbfc).
2019-05-16 05:54:19,687 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:19,687 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 05:54:19,687 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x3e0000.
2019-05-16 05:54:19,687 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:54:19,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,687 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:54:19,687 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:54:19,687 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\lafvcll\CAPE\2748_68819541116452019
2019-05-16 05:54:19,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,687 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 05:54:19,687 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x3e0000 is empty or inaccessible.
2019-05-16 05:54:19,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3f4000.
2019-05-16 05:54:19,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3e00e0.
2019-05-16 05:54:19,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3ec9a0.
2019-05-16 05:54:19,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,687 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,703 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 05:54:19,703 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 05:54:19,703 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0xac0
2019-05-16 05:54:19,703 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 05:54:19,703 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:19,703 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 05:54:19,703 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 05:54:19,703 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 05:54:19,703 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 05:54:19,703 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:54:19,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,703 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:54:19,703 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:54:19,703 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 05:54:19,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,703 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:19,703 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 05:54:19,703 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 05:54:19,703 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 05:54:19,703 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 05:54:19,703 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 05:54:19,703 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0xac0
2019-05-16 05:54:19,703 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 05:54:19,703 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 05:54:19,703 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 05:54:19,703 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,703 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:54:19,703 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:54:19,703 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:19,703 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,703 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:54:19,703 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:19,703 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 05:54:19,703 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,703 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x2ffbfc)
2019-05-16 05:54:19,719 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:19,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,719 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:19,719 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 05:54:19,719 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 05:54:19,719 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,719 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x2ffbfc)
2019-05-16 05:54:19,719 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:19,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,719 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:54:19,719 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:54:19,719 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:19,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,719 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:54:19,719 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 05:54:19,719 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,719 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x2ffbfc).
2019-05-16 05:54:19,719 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:19,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,719 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:19,719 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 05:54:19,719 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,719 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x2ffbfc).
2019-05-16 05:54:19,719 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:19,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,719 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:19,719 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:19,719 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,719 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x2ffbfc).
2019-05-16 05:54:19,719 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:19,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,719 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:19,719 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:19,719 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,719 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x2ffbfc).
2019-05-16 05:54:19,719 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:19,719 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ffbfc
2019-05-16 05:54:19,734 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:19,734 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:19,734 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:19,734 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x2ffbfc).
2019-05-16 05:54:19,734 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:19,734 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 05:54:19,734 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 05:54:19,734 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 05:54:19,734 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 05:54:19,734 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 05:54:19,734 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 05:54:19,734 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 05:54:19,734 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\2748_73519541116452019
2019-05-16 05:54:19,734 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 05:54:19,734 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 05:54:19,734 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 05:54:19,734 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 05:54:19,782 [root] INFO: Announced 32-bit process name: i8ekAGsNBxmGR.exe pid: 2640
2019-05-16 05:54:19,782 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 05:54:19,782 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 05:54:19,782 [lib.api.process] INFO: 32-bit DLL to inject is C:\lafvcll\dll\gwoIKrg.dll, loader C:\lafvcll\bin\DStZtno.exe
2019-05-16 05:54:19,782 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pglqOm.
2019-05-16 05:54:19,782 [root] DEBUG: Loader: Injecting process 2640 (thread 2056) with C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:19,782 [root] DEBUG: Process image base: 0x00400000
2019-05-16 05:54:19,782 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:19,782 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00437000 - 0x77110000
2019-05-16 05:54:19,782 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x00440000.
2019-05-16 05:54:19,782 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 05:54:19,782 [root] DEBUG: Successfully injected DLL C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:19,782 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2640
2019-05-16 05:54:19,782 [root] INFO: Disabling sleep skipping.
2019-05-16 05:54:19,782 [root] INFO: Notified of termination of process with pid 2748.
2019-05-16 05:54:19,796 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 05:54:19,796 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3d0000
2019-05-16 05:54:19,812 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 05:54:19,828 [root] INFO: Disabling sleep skipping.
2019-05-16 05:54:19,828 [root] INFO: Added new process to list with pid: 2640
2019-05-16 05:54:19,828 [root] INFO: Monitor successfully loaded in process with pid 2640.
2019-05-16 05:54:19,953 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3e0000, RegionSize: 0x11000.
2019-05-16 05:54:19,953 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3e0000, AllocationSize: 0x11000, ThreadId: 0x808
2019-05-16 05:54:19,969 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x3e0000 and Type=0x1.
2019-05-16 05:54:19,983 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3e0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:20,016 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3e0000
2019-05-16 05:54:20,030 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 05:54:20,046 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-05-16 05:54:20,046 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0xf4.
2019-05-16 05:54:20,062 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3e0000 and Type=0x0.
2019-05-16 05:54:20,078 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:20,078 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3e0000, AllocationBaseExecBpSet = 1 (EIP = 0x4012d6)
2019-05-16 05:54:20,108 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:20,140 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 05:54:20,140 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-05-16 05:54:20,140 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0xf4.
2019-05-16 05:54:20,171 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:20,187 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401337
2019-05-16 05:54:20,187 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-05-16 05:54:20,203 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0xf4.
2019-05-16 05:54:20,203 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:20,203 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401085
2019-05-16 05:54:20,203 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-05-16 05:54:20,203 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0x6d.
2019-05-16 05:54:20,203 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:20,826 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x4d0000, RegionSize: 0x10000.
2019-05-16 05:54:20,826 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3e0000.
2019-05-16 05:54:20,826 [root] DEBUG: DumpPEsInRange: Scanning range 0x3e0000 - 0x3f1000.
2019-05-16 05:54:20,842 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3e0000-0x3f1000.
2019-05-16 05:54:20,842 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x3e0000.
2019-05-16 05:54:20,858 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\lafvcll\CAPE\2640_84220541116452019
2019-05-16 05:54:20,874 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\2640_84220541116452019
2019-05-16 05:54:20,874 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3f1000.
2019-05-16 05:54:20,874 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3e0000.
2019-05-16 05:54:20,874 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3e0000.
2019-05-16 05:54:20,874 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x4d0000, AllocationSize: 0x10000, ThreadId: 0x808
2019-05-16 05:54:20,874 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x4d0000 and Type=0x1.
2019-05-16 05:54:20,874 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x4d0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:20,888 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x4d0000
2019-05-16 05:54:20,888 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:20,888 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4d0000.
2019-05-16 05:54:20,904 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4d0000: 0xa4.
2019-05-16 05:54:20,904 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4d0000 and Type=0x0.
2019-05-16 05:54:20,920 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:20,920 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x4d0000, AllocationBaseExecBpSet = 1 (EIP = 0x3efbfc)
2019-05-16 05:54:20,920 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:20,920 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:20,936 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4d0000.
2019-05-16 05:54:20,936 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4d0000: 0xa4.
2019-05-16 05:54:20,951 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:20,967 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02d1
2019-05-16 05:54:20,997 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4d0000.
2019-05-16 05:54:20,997 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4d0000: 0xa4.
2019-05-16 05:54:20,997 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:21,013 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02ea
2019-05-16 05:54:21,013 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4d0000.
2019-05-16 05:54:21,013 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:21,013 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4d003c and Type=0x1.
2019-05-16 05:54:21,013 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:21,013 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x4d003c (EIP = 0x3f02ea)
2019-05-16 05:54:21,029 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:21,045 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02d1
2019-05-16 05:54:21,075 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:21,075 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x4d003c.
2019-05-16 05:54:21,075 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 05:54:21,075 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02ea
2019-05-16 05:54:21,108 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:21,122 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x4d003c.
2019-05-16 05:54:21,138 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4d00b8 and Type=0x1.
2019-05-16 05:54:21,170 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:21,170 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4d00b8 (EIP = 0x3f02ea)
2019-05-16 05:54:21,200 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:21,200 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02d1
2019-05-16 05:54:21,217 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4d00b8.
2019-05-16 05:54:21,217 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 05:54:21,217 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:21,217 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f02ea
2019-05-16 05:54:21,217 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4d00b8.
2019-05-16 05:54:21,232 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x4dcc89 and Type=0x0.
2019-05-16 05:54:21,263 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:21,263 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x4dcc89 (EIP = 0x3f02ea).
2019-05-16 05:54:21,263 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:21,263 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x4e0000, RegionSize: 0x14000.
2019-05-16 05:54:21,263 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x4d0000.
2019-05-16 05:54:21,263 [root] DEBUG: DumpPEsInRange: Scanning range 0x4d0000 - 0x4e0000.
2019-05-16 05:54:21,295 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4d0000
2019-05-16 05:54:21,309 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 05:54:21,325 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x4d0000
2019-05-16 05:54:21,325 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\2640_32621541116452019
2019-05-16 05:54:21,325 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 05:54:21,325 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x4d0000.
2019-05-16 05:54:21,325 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4d0001-0x4e0000.
2019-05-16 05:54:21,325 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 05:54:21,325 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4d0000 - 0x4e0000.
2019-05-16 05:54:21,325 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x4dcc89.
2019-05-16 05:54:21,325 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x4d0000.
2019-05-16 05:54:21,325 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x4e0000, AllocationSize: 0x14000, ThreadId: 0x808
2019-05-16 05:54:21,325 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x4e0000 and Type=0x1.
2019-05-16 05:54:21,342 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x4e0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:21,342 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x4e0000
2019-05-16 05:54:21,342 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:21,357 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4e0000.
2019-05-16 05:54:21,357 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:54:21,357 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:21,357 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:21,357 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4e0000.
2019-05-16 05:54:21,357 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:21,357 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4e003c and Type=0x1.
2019-05-16 05:54:21,357 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:21,372 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x4e003c (EIP = 0x3efbfc)
2019-05-16 05:54:21,372 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:21,388 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:21,388 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:21,388 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x4e003c.
2019-05-16 05:54:21,388 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4e00b8 and Type=0x1.
2019-05-16 05:54:21,404 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:21,404 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4e00b8 (EIP = 0x3efbfc)
2019-05-16 05:54:21,434 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:21,434 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:21,450 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4e00b8.
2019-05-16 05:54:21,450 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:54:21,450 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:21,450 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:21,466 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4e00b8.
2019-05-16 05:54:21,466 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4e00e0 and Type=0x1.
2019-05-16 05:54:21,497 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:21,497 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x3efbfc).
2019-05-16 05:54:21,513 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:21,513 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:21,513 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4e00e0.
2019-05-16 05:54:21,513 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4e00a0 and Type=0x0.
2019-05-16 05:54:21,529 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:21,529 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4e00a0 (EIP = 0x3efbfc).
2019-05-16 05:54:21,543 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:21,543 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:21,559 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4e00e0.
2019-05-16 05:54:21,559 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4ec9a0 and Type=0x0.
2019-05-16 05:54:21,575 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:21,575 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x4ec9a0 (EIP = 0x3efbfc).
2019-05-16 05:54:21,591 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:21,607 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:21,621 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4e00e0.
2019-05-16 05:54:21,621 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4ec9a0 and Type=0x0.
2019-05-16 05:54:21,638 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:21,638 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x4ec9a0 (EIP = 0x3efbfc).
2019-05-16 05:54:21,668 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:21,684 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:21,684 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4e00e0.
2019-05-16 05:54:21,700 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4ec9a0 and Type=0x0.
2019-05-16 05:54:21,700 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:21,700 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x4ec9a0 (EIP = 0x3efbfc).
2019-05-16 05:54:21,732 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:21,763 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 05:54:21,763 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x4e0000.
2019-05-16 05:54:21,763 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:54:21,763 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,763 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,778 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,778 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:54:21,778 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:54:21,793 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\lafvcll\CAPE\2640_77821541116452019
2019-05-16 05:54:21,793 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,793 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,809 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,809 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 05:54:21,825 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x4e0000 is empty or inaccessible.
2019-05-16 05:54:21,855 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4e0000 - 0x4f4000.
2019-05-16 05:54:21,855 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x4e00e0.
2019-05-16 05:54:21,855 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x4ec9a0.
2019-05-16 05:54:21,855 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,888 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,888 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,903 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 05:54:21,903 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 05:54:21,903 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0x808
2019-05-16 05:54:21,918 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 05:54:21,918 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:21,934 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 05:54:21,934 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 05:54:21,950 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 05:54:21,966 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 05:54:21,966 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:54:21,966 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,996 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,996 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,996 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:21,996 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:54:21,996 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:54:21,996 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 05:54:21,996 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:22,012 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:22,028 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:22,043 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:22,059 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 05:54:22,059 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 05:54:22,059 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 05:54:22,059 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 05:54:22,059 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 05:54:22,059 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0x808
2019-05-16 05:54:22,059 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 05:54:22,059 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 05:54:22,059 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 05:54:22,075 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:22,075 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:54:22,075 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:54:22,075 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:22,075 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:22,089 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:54:22,089 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:22,121 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 05:54:22,137 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:22,153 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x3efbfc)
2019-05-16 05:54:22,153 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:22,184 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:22,200 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:22,200 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 05:54:22,214 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 05:54:22,214 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:22,214 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x3efbfc)
2019-05-16 05:54:22,230 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:22,262 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:22,262 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:54:22,262 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:54:22,262 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:22,262 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:22,292 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:54:22,309 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 05:54:22,323 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:22,323 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x3efbfc).
2019-05-16 05:54:22,323 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:22,323 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:22,355 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:22,371 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 05:54:22,371 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:22,371 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x3efbfc).
2019-05-16 05:54:22,387 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:22,387 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:22,401 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:22,401 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:22,417 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:22,417 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x3efbfc).
2019-05-16 05:54:22,434 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:22,434 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:22,434 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:22,448 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:22,448 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:22,448 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x3efbfc).
2019-05-16 05:54:22,464 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:22,464 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3efbfc
2019-05-16 05:54:22,480 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:22,480 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:22,480 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:22,480 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x3efbfc).
2019-05-16 05:54:22,480 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:22,480 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 05:54:22,480 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 05:54:22,480 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 05:54:22,480 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 05:54:22,496 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 05:54:22,496 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 05:54:22,496 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 05:54:22,496 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\2640_49622541116452019
2019-05-16 05:54:22,496 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 05:54:22,496 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 05:54:22,512 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 05:54:22,512 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 05:54:27,332 [root] INFO: Announced starting service "gluerel"
2019-05-16 05:54:27,332 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-05-16 05:54:27,362 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-16 05:54:27,378 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 05:54:27,378 [lib.api.process] INFO: 64-bit DLL to inject is C:\lafvcll\dll\AHecdz.dll, loader C:\lafvcll\bin\QdvCrCjN.exe
2019-05-16 05:54:27,378 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pglqOm.
2019-05-16 05:54:27,410 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\lafvcll\dll\AHecdz.dll.
2019-05-16 05:54:27,426 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2256, handle 0x84
2019-05-16 05:54:27,426 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-05-16 05:54:27,440 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-16 05:54:27,457 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-16 05:54:27,457 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 05:54:27,471 [root] INFO: Disabling sleep skipping.
2019-05-16 05:54:27,519 [root] WARNING: Unable to place hook on LockResource
2019-05-16 05:54:27,549 [root] WARNING: Unable to hook LockResource
2019-05-16 05:54:27,582 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x00000000741C0000, image base 0x00000000FFA10000, stack from 0x0000000001116000-0x0000000001120000
2019-05-16 05:54:27,582 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-05-16 05:54:27,612 [root] INFO: Added new process to list with pid: 460
2019-05-16 05:54:27,612 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-05-16 05:54:27,628 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-16 05:54:27,628 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-16 05:54:27,644 [root] DEBUG: Successfully injected DLL C:\lafvcll\dll\AHecdz.dll.
2019-05-16 05:54:28,752 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 2868
2019-05-16 05:54:28,752 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 05:54:28,766 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 05:54:28,766 [lib.api.process] INFO: 32-bit DLL to inject is C:\lafvcll\dll\gwoIKrg.dll, loader C:\lafvcll\bin\DStZtno.exe
2019-05-16 05:54:28,798 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pglqOm.
2019-05-16 05:54:28,798 [root] DEBUG: Loader: Injecting process 2868 (thread 2892) with C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:28,798 [root] DEBUG: Process image base: 0x00400000
2019-05-16 05:54:28,813 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:28,813 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00437000 - 0x77110000
2019-05-16 05:54:28,813 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x00440000.
2019-05-16 05:54:28,845 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 05:54:28,845 [root] DEBUG: Successfully injected DLL C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:28,845 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2868
2019-05-16 05:54:28,875 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 05:54:28,891 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x390000
2019-05-16 05:54:28,907 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 05:54:28,938 [root] INFO: Disabling sleep skipping.
2019-05-16 05:54:28,938 [root] INFO: Added new process to list with pid: 2868
2019-05-16 05:54:28,938 [root] INFO: Monitor successfully loaded in process with pid 2868.
2019-05-16 05:54:29,078 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x490000, RegionSize: 0x11000.
2019-05-16 05:54:29,095 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x490000, AllocationSize: 0x11000, ThreadId: 0xb4c
2019-05-16 05:54:29,109 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x490000 and Type=0x1.
2019-05-16 05:54:29,109 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x490000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:29,125 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x490000
2019-05-16 05:54:29,125 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 05:54:29,125 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x490000.
2019-05-16 05:54:29,157 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x490000: 0xf4.
2019-05-16 05:54:29,187 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x490000 and Type=0x0.
2019-05-16 05:54:29,203 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:29,220 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x490000, AllocationBaseExecBpSet = 1 (EIP = 0x4012d6)
2019-05-16 05:54:29,220 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:29,250 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 05:54:29,250 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x490000.
2019-05-16 05:54:29,282 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x490000: 0xf4.
2019-05-16 05:54:29,282 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:29,298 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401337
2019-05-16 05:54:29,298 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x490000.
2019-05-16 05:54:29,298 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x490000: 0xf4.
2019-05-16 05:54:29,312 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:29,312 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401085
2019-05-16 05:54:29,344 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x490000.
2019-05-16 05:54:29,375 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x490000: 0x6d.
2019-05-16 05:54:29,375 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:30,015 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3f0000, RegionSize: 0x10000.
2019-05-16 05:54:30,015 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x490000.
2019-05-16 05:54:30,015 [root] DEBUG: DumpPEsInRange: Scanning range 0x490000 - 0x4a1000.
2019-05-16 05:54:30,046 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x490000-0x4a1000.
2019-05-16 05:54:30,062 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x490000.
2019-05-16 05:54:30,062 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\lafvcll\CAPE\2868_6230541116452019
2019-05-16 05:54:30,062 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\2868_6230541116452019
2019-05-16 05:54:30,062 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x490000 - 0x4a1000.
2019-05-16 05:54:30,092 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x490000.
2019-05-16 05:54:30,124 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x490000.
2019-05-16 05:54:30,124 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3f0000, AllocationSize: 0x10000, ThreadId: 0xb4c
2019-05-16 05:54:30,140 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x3f0000 and Type=0x1.
2019-05-16 05:54:30,140 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3f0000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:30,171 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3f0000
2019-05-16 05:54:30,171 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:30,187 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:54:30,217 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 05:54:30,217 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3f0000 and Type=0x0.
2019-05-16 05:54:30,249 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:30,265 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3f0000, AllocationBaseExecBpSet = 1 (EIP = 0x49fbfc)
2019-05-16 05:54:30,279 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:30,279 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:30,296 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:54:30,296 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 05:54:30,296 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:30,296 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4a02d1
2019-05-16 05:54:30,312 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:54:30,326 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0xa4.
2019-05-16 05:54:30,358 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:30,358 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4a02ea
2019-05-16 05:54:30,374 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-05-16 05:54:30,374 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:30,390 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3f003c and Type=0x1.
2019-05-16 05:54:30,404 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:30,436 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x3f003c (EIP = 0x4a02ea)
2019-05-16 05:54:30,436 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:30,436 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4a02d1
2019-05-16 05:54:30,467 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:30,467 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3f003c.
2019-05-16 05:54:30,499 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 05:54:30,513 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4a02ea
2019-05-16 05:54:30,513 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:30,529 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x3f003c.
2019-05-16 05:54:30,529 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3f00b8 and Type=0x1.
2019-05-16 05:54:30,561 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:30,608 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3f00b8 (EIP = 0x4a02ea)
2019-05-16 05:54:30,624 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:30,624 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4a02d1
2019-05-16 05:54:30,638 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3f00b8.
2019-05-16 05:54:30,638 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 05:54:30,654 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:30,654 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4a02ea
2019-05-16 05:54:30,686 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3f00b8.
2019-05-16 05:54:30,686 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x3fcc89 and Type=0x0.
2019-05-16 05:54:30,686 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:30,686 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x3fcc89 (EIP = 0x4a02ea).
2019-05-16 05:54:30,686 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:30,701 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2180000, RegionSize: 0x14000.
2019-05-16 05:54:30,701 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3f0000.
2019-05-16 05:54:30,701 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x400000.
2019-05-16 05:54:30,717 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3f0000
2019-05-16 05:54:30,733 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 05:54:30,747 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x3f0000
2019-05-16 05:54:30,747 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\2868_74830541116452019
2019-05-16 05:54:30,763 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 05:54:30,763 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3f0000.
2019-05-16 05:54:30,779 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0001-0x400000.
2019-05-16 05:54:30,795 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 05:54:30,811 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3f0000 - 0x400000.
2019-05-16 05:54:30,825 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3fcc89.
2019-05-16 05:54:30,825 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3f0000.
2019-05-16 05:54:30,825 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2180000, AllocationSize: 0x14000, ThreadId: 0xb4c
2019-05-16 05:54:30,872 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x2180000 and Type=0x1.
2019-05-16 05:54:30,920 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2180000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:30,920 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2180000
2019-05-16 05:54:30,936 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:30,936 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2180000.
2019-05-16 05:54:30,936 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:54:30,967 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:30,967 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:30,982 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2180000.
2019-05-16 05:54:30,982 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:31,013 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x218003c and Type=0x1.
2019-05-16 05:54:31,013 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:31,013 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x218003c (EIP = 0x49fbfc)
2019-05-16 05:54:31,013 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:31,029 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:31,029 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:31,045 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x218003c.
2019-05-16 05:54:31,045 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x21800b8 and Type=0x1.
2019-05-16 05:54:31,045 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:31,045 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x21800b8 (EIP = 0x49fbfc)
2019-05-16 05:54:31,059 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:31,075 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:31,107 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x21800b8.
2019-05-16 05:54:31,107 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:54:31,107 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:31,107 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:31,107 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x21800b8.
2019-05-16 05:54:31,122 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x21800e0 and Type=0x1.
2019-05-16 05:54:31,138 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:31,138 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x49fbfc).
2019-05-16 05:54:31,154 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:31,154 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:31,154 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21800e0.
2019-05-16 05:54:31,170 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x21800a0 and Type=0x0.
2019-05-16 05:54:31,170 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:31,170 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x21800a0 (EIP = 0x49fbfc).
2019-05-16 05:54:31,184 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:31,200 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:31,216 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21800e0.
2019-05-16 05:54:31,216 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x218c9a0 and Type=0x0.
2019-05-16 05:54:31,247 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:31,247 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x218c9a0 (EIP = 0x49fbfc).
2019-05-16 05:54:31,263 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:31,263 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:31,263 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21800e0.
2019-05-16 05:54:31,309 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x218c9a0 and Type=0x0.
2019-05-16 05:54:31,309 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:31,309 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x218c9a0 (EIP = 0x49fbfc).
2019-05-16 05:54:31,341 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:31,341 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:31,357 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x21800e0.
2019-05-16 05:54:31,357 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x218c9a0 and Type=0x0.
2019-05-16 05:54:31,357 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:31,357 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x218c9a0 (EIP = 0x49fbfc).
2019-05-16 05:54:31,357 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:31,371 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 05:54:31,404 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x2180000.
2019-05-16 05:54:31,404 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:54:31,404 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,404 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,434 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,450 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:54:31,466 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:54:31,466 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\lafvcll\CAPE\2868_46631541116452019
2019-05-16 05:54:31,496 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,496 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,528 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,543 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 05:54:31,559 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x2180000 is empty or inaccessible.
2019-05-16 05:54:31,559 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2180000 - 0x2194000.
2019-05-16 05:54:31,559 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x21800e0.
2019-05-16 05:54:31,559 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x218c9a0.
2019-05-16 05:54:31,591 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,591 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,621 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,638 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 05:54:31,653 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 05:54:31,653 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0xb4c
2019-05-16 05:54:31,668 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 05:54:31,684 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:31,700 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 05:54:31,716 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 05:54:31,730 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 05:54:31,730 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 05:54:31,730 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:54:31,746 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,762 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,762 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,809 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,809 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:54:31,825 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:54:31,855 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 05:54:31,871 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,903 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,917 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,917 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:31,934 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 05:54:31,950 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 05:54:31,950 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 05:54:31,980 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 05:54:31,996 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 05:54:31,996 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0xb4c
2019-05-16 05:54:32,012 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 05:54:32,012 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 05:54:32,028 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 05:54:32,042 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:32,059 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:54:32,059 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:54:32,059 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:32,073 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:32,073 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:54:32,089 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:32,121 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 05:54:32,121 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:32,137 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x49fbfc)
2019-05-16 05:54:32,151 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:32,167 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:32,184 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:32,184 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 05:54:32,198 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 05:54:32,198 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:32,198 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x49fbfc)
2019-05-16 05:54:32,230 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:32,230 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:32,246 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:54:32,246 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:54:32,276 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:32,276 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:32,276 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:54:32,276 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 05:54:32,292 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:32,292 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x49fbfc).
2019-05-16 05:54:32,292 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:32,308 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:32,323 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:32,355 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 05:54:32,371 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:32,385 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x49fbfc).
2019-05-16 05:54:32,385 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:32,385 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:32,417 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:32,417 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:32,433 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:32,433 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x49fbfc).
2019-05-16 05:54:32,463 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:32,463 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:32,480 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:32,480 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:32,496 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:32,496 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x49fbfc).
2019-05-16 05:54:32,510 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:32,510 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x49fbfc
2019-05-16 05:54:32,526 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:32,526 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:32,542 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:32,542 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x49fbfc).
2019-05-16 05:54:32,558 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:32,588 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 05:54:32,588 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 05:54:32,588 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 05:54:32,588 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 05:54:32,588 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 05:54:32,619 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 05:54:32,619 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 05:54:32,635 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\2868_62032541116452019
2019-05-16 05:54:32,635 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 05:54:32,651 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 05:54:32,651 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 05:54:32,651 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 05:54:32,683 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 1376
2019-05-16 05:54:32,683 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 05:54:32,730 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA' sent to monitor
2019-05-16 05:54:32,730 [lib.api.process] INFO: 32-bit DLL to inject is C:\lafvcll\dll\gwoIKrg.dll, loader C:\lafvcll\bin\DStZtno.exe
2019-05-16 05:54:32,744 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pglqOm.
2019-05-16 05:54:32,744 [root] DEBUG: Loader: Injecting process 1376 (thread 1916) with C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:32,760 [root] DEBUG: Process image base: 0x00400000
2019-05-16 05:54:32,760 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:32,760 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00437000 - 0x77110000
2019-05-16 05:54:32,760 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x00440000.
2019-05-16 05:54:32,760 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-16 05:54:32,760 [root] DEBUG: Successfully injected DLL C:\lafvcll\dll\gwoIKrg.dll.
2019-05-16 05:54:32,760 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1376
2019-05-16 05:54:32,760 [root] INFO: Notified of termination of process with pid 2868.
2019-05-16 05:54:32,760 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-05-16 05:54:32,760 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x250000
2019-05-16 05:54:32,776 [root] DEBUG: CAPE initialised (32-bit).
2019-05-16 05:54:32,776 [root] INFO: Disabling sleep skipping.
2019-05-16 05:54:32,776 [root] INFO: Added new process to list with pid: 1376
2019-05-16 05:54:32,776 [root] INFO: Monitor successfully loaded in process with pid 1376.
2019-05-16 05:54:32,776 [root] WARNING: Unable to open termination event for pid 2868.
2019-05-16 05:54:32,869 [root] INFO: Notified of termination of process with pid 2640.
2019-05-16 05:54:32,901 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x930000, RegionSize: 0x11000.
2019-05-16 05:54:32,901 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x930000, AllocationSize: 0x11000, ThreadId: 0x77c
2019-05-16 05:54:32,901 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x930000 and Type=0x1.
2019-05-16 05:54:32,901 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x930000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:32,901 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x930000
2019-05-16 05:54:32,901 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 05:54:32,901 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x930000.
2019-05-16 05:54:32,901 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x930000: 0xf4.
2019-05-16 05:54:32,917 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x930000 and Type=0x0.
2019-05-16 05:54:32,917 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:32,917 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x930000, AllocationBaseExecBpSet = 1 (EIP = 0x4012d6)
2019-05-16 05:54:32,917 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:32,917 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4012d6
2019-05-16 05:54:32,917 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x930000.
2019-05-16 05:54:32,917 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x930000: 0xf4.
2019-05-16 05:54:32,917 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:32,917 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401337
2019-05-16 05:54:32,931 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x930000.
2019-05-16 05:54:32,931 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x930000: 0xf4.
2019-05-16 05:54:32,931 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:32,931 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x401085
2019-05-16 05:54:32,931 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x930000.
2019-05-16 05:54:32,931 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x930000: 0x6d.
2019-05-16 05:54:32,931 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:33,572 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x260000, RegionSize: 0x10000.
2019-05-16 05:54:33,572 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x930000.
2019-05-16 05:54:33,572 [root] DEBUG: DumpPEsInRange: Scanning range 0x930000 - 0x941000.
2019-05-16 05:54:33,572 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x930000-0x941000.
2019-05-16 05:54:33,588 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x930000.
2019-05-16 05:54:33,588 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\lafvcll\CAPE\1376_58833541116452019
2019-05-16 05:54:33,588 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\1376_58833541116452019
2019-05-16 05:54:33,588 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x930000 - 0x941000.
2019-05-16 05:54:33,588 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x930000.
2019-05-16 05:54:33,588 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x930000.
2019-05-16 05:54:33,602 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x260000, AllocationSize: 0x10000, ThreadId: 0x77c
2019-05-16 05:54:33,602 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x260000 and Type=0x1.
2019-05-16 05:54:33,602 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x260000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:33,602 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x260000
2019-05-16 05:54:33,602 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,602 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x260000.
2019-05-16 05:54:33,602 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x260000: 0xa4.
2019-05-16 05:54:33,602 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x260000 and Type=0x0.
2019-05-16 05:54:33,602 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,618 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x260000, AllocationBaseExecBpSet = 1 (EIP = 0x93fbfc)
2019-05-16 05:54:33,618 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:33,618 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,618 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x260000.
2019-05-16 05:54:33,618 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x260000: 0xa4.
2019-05-16 05:54:33,618 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:33,618 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9402d1
2019-05-16 05:54:33,618 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x260000.
2019-05-16 05:54:33,618 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x260000: 0xa4.
2019-05-16 05:54:33,618 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-05-16 05:54:33,634 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9402ea
2019-05-16 05:54:33,634 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x260000.
2019-05-16 05:54:33,634 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:33,634 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x26003c and Type=0x1.
2019-05-16 05:54:33,634 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,634 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x26003c (EIP = 0x9402ea)
2019-05-16 05:54:33,634 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:33,634 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9402d1
2019-05-16 05:54:33,634 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:33,650 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x26003c.
2019-05-16 05:54:33,650 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49d (perhaps writing incomplete).
2019-05-16 05:54:33,650 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9402ea
2019-05-16 05:54:33,650 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:33,650 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x26003c.
2019-05-16 05:54:33,650 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2600b8 and Type=0x1.
2019-05-16 05:54:33,650 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,650 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x2600b8 (EIP = 0x9402ea)
2019-05-16 05:54:33,650 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:33,650 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9402d1
2019-05-16 05:54:33,665 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2600b8.
2019-05-16 05:54:33,665 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x41f1.
2019-05-16 05:54:33,665 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:33,665 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x9402ea
2019-05-16 05:54:33,665 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2600b8.
2019-05-16 05:54:33,665 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x26cc89 and Type=0x0.
2019-05-16 05:54:33,665 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,665 [root] DEBUG: PEHeaderWriteCallback: Execution bp set on EntryPoint 0x26cc89 (EIP = 0x9402ea).
2019-05-16 05:54:33,665 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:33,665 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x950000, RegionSize: 0x14000.
2019-05-16 05:54:33,680 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x260000.
2019-05-16 05:54:33,680 [root] DEBUG: DumpPEsInRange: Scanning range 0x260000 - 0x270000.
2019-05-16 05:54:33,680 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x260000
2019-05-16 05:54:33,680 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-05-16 05:54:33,680 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x260000
2019-05-16 05:54:33,680 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\1376_68133541116452019
2019-05-16 05:54:33,697 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-05-16 05:54:33,697 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x260000.
2019-05-16 05:54:33,697 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x260001-0x270000.
2019-05-16 05:54:33,697 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-05-16 05:54:33,697 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x260000 - 0x270000.
2019-05-16 05:54:33,697 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x26cc89.
2019-05-16 05:54:33,697 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x260000.
2019-05-16 05:54:33,697 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x950000, AllocationSize: 0x14000, ThreadId: 0x77c
2019-05-16 05:54:33,697 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x950000 and Type=0x1.
2019-05-16 05:54:33,711 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x950000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:33,711 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x950000
2019-05-16 05:54:33,711 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,711 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x950000.
2019-05-16 05:54:33,711 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:54:33,711 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:33,711 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,711 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x950000.
2019-05-16 05:54:33,711 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:33,711 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x95003c and Type=0x1.
2019-05-16 05:54:33,727 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,727 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x95003c (EIP = 0x93fbfc)
2019-05-16 05:54:33,727 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:33,727 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,727 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:33,727 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x95003c.
2019-05-16 05:54:33,727 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x9500b8 and Type=0x1.
2019-05-16 05:54:33,727 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,727 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x9500b8 (EIP = 0x93fbfc)
2019-05-16 05:54:33,727 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:33,743 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,743 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x9500b8.
2019-05-16 05:54:33,743 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:54:33,743 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:33,743 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,743 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x9500b8.
2019-05-16 05:54:33,743 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x9500e0 and Type=0x1.
2019-05-16 05:54:33,743 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,743 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x93fbfc).
2019-05-16 05:54:33,743 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:33,759 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,759 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x9500e0.
2019-05-16 05:54:33,759 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x9500a0 and Type=0x0.
2019-05-16 05:54:33,759 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,759 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x9500a0 (EIP = 0x93fbfc).
2019-05-16 05:54:33,759 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:33,759 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,759 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x9500e0.
2019-05-16 05:54:33,759 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x95c9a0 and Type=0x0.
2019-05-16 05:54:33,759 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,775 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x95c9a0 (EIP = 0x93fbfc).
2019-05-16 05:54:33,775 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:33,775 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,775 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x9500e0.
2019-05-16 05:54:33,775 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x95c9a0 and Type=0x0.
2019-05-16 05:54:33,775 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,775 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x95c9a0 (EIP = 0x93fbfc).
2019-05-16 05:54:33,775 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:33,775 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,789 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x9500e0.
2019-05-16 05:54:33,789 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x95c9a0 and Type=0x0.
2019-05-16 05:54:33,789 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,789 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x95c9a0 (EIP = 0x93fbfc).
2019-05-16 05:54:33,789 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:33,789 [root] DEBUG: ProtectionHandler: Address: 0x1000, RegionSize: 0xcc24
2019-05-16 05:54:33,789 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x950000.
2019-05-16 05:54:33,789 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:54:33,789 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,805 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,805 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,805 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:54:33,805 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:54:33,805 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\lafvcll\CAPE\1376_80633541116452019
2019-05-16 05:54:33,805 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,805 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,805 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,805 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x0
2019-05-16 05:54:33,805 [root] DEBUG: ProtectionHandler: Previously marked memory range at: 0x950000 is empty or inaccessible.
2019-05-16 05:54:33,822 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x950000 - 0x964000.
2019-05-16 05:54:33,822 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x9500e0.
2019-05-16 05:54:33,822 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x95c9a0.
2019-05-16 05:54:33,822 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,822 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,822 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,822 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1000
2019-05-16 05:54:33,822 [root] DEBUG: ProtectionHandler: Setting initial write breakpoint on protection address: 0x1000
2019-05-16 05:54:33,822 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1000, AllocationSize: 0xcc24, ThreadId: 0x77c
2019-05-16 05:54:33,822 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x1000 and Type=0x1.
2019-05-16 05:54:33,836 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1000, size 2 with Callback 0x747f3120, ThreadHandle = 0xa8.
2019-05-16 05:54:33,836 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1000
2019-05-16 05:54:33,836 [root] DEBUG: ProtectionHandler: Address: 0xf000, RegionSize: 0x3de4
2019-05-16 05:54:33,836 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x400000, RegionSize: 0x14000.
2019-05-16 05:54:33,836 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1000.
2019-05-16 05:54:33,836 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0xf000.
2019-05-16 05:54:33,836 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,836 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,836 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,836 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,852 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-05-16 05:54:33,852 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-05-16 05:54:33,852 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x1000.
2019-05-16 05:54:33,852 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,852 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,852 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,852 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-05-16 05:54:33,852 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-05-16 05:54:33,852 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x1000.
2019-05-16 05:54:33,852 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x1000 is empty or inaccessible.
2019-05-16 05:54:33,868 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1000 - 0xdc24.
2019-05-16 05:54:33,868 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1000.
2019-05-16 05:54:33,868 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x400000, AllocationSize: 0x14000, ThreadId: 0x77c
2019-05-16 05:54:33,868 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xa8, Size=0x2, Address=0x400000 and Type=0x1.
2019-05-16 05:54:33,868 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2019-05-16 05:54:33,868 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x400000
2019-05-16 05:54:33,868 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,868 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:54:33,868 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-05-16 05:54:33,868 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:33,884 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,884 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x400000.
2019-05-16 05:54:33,884 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-05-16 05:54:33,884 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x40003c and Type=0x1.
2019-05-16 05:54:33,884 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,884 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x40003c (EIP = 0x93fbfc)
2019-05-16 05:54:33,884 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-05-16 05:54:33,884 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,884 [root] DEBUG: PEPointerWriteCallback entry.
2019-05-16 05:54:33,884 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x40003c.
2019-05-16 05:54:33,884 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000b8 and Type=0x1.
2019-05-16 05:54:33,900 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,900 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x4000b8 (EIP = 0x93fbfc)
2019-05-16 05:54:33,900 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-05-16 05:54:33,900 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,900 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:54:33,900 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-05-16 05:54:33,900 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:33,900 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,900 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x4000b8.
2019-05-16 05:54:33,900 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x4000e0 and Type=0x1.
2019-05-16 05:54:33,914 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,914 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x93fbfc).
2019-05-16 05:54:33,914 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-05-16 05:54:33,914 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,914 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:33,914 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4000a0 and Type=0x0.
2019-05-16 05:54:33,914 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,914 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x4000a0 (EIP = 0x93fbfc).
2019-05-16 05:54:33,914 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:33,914 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,930 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:33,930 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:33,930 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,930 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x93fbfc).
2019-05-16 05:54:33,930 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:33,930 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,930 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:33,930 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:33,930 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,930 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x93fbfc).
2019-05-16 05:54:33,930 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:33,946 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x93fbfc
2019-05-16 05:54:33,946 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x4000e0.
2019-05-16 05:54:33,946 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x40c9a0 and Type=0x0.
2019-05-16 05:54:33,946 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-05-16 05:54:33,946 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x40c9a0 (EIP = 0x93fbfc).
2019-05-16 05:54:33,946 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-05-16 05:54:33,946 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x40c9a0
2019-05-16 05:54:33,946 [root] DEBUG: EntryPointExecCallback: Breakpoint 1 at Address 0x40c9a0.
2019-05-16 05:54:33,946 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-05-16 05:54:33,946 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-05-16 05:54:33,961 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-05-16 05:54:33,961 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-05-16 05:54:33,961 [root] DEBUG: DumpProcess: Module entry point VA is 0x40c9a0
2019-05-16 05:54:33,961 [root] INFO: Added new CAPE file to list with path: C:\lafvcll\CAPE\1376_96233541116452019
2019-05-16 05:54:33,961 [root] DEBUG: DumpProcess: Module image dump success
2019-05-16 05:54:33,977 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-05-16 05:54:33,977 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-05-16 05:54:33,977 [root] DEBUG: EntryPointExecCallback hook: PE image(s) detected and dumped.
2019-05-16 05:55:24,895 [root] INFO: Analysis timeout hit (60 seconds), terminating analysis.
2019-05-16 05:55:24,895 [root] INFO: Created shutdown mutex.
2019-05-16 05:55:25,910 [root] INFO: Terminating process 2748 before shutdown.
2019-05-16 05:55:25,910 [root] INFO: Terminating process 2640 before shutdown.
2019-05-16 05:55:25,910 [root] INFO: Terminating process 2868 before shutdown.
2019-05-16 05:55:25,910 [root] INFO: Setting terminate event for process 1376.
2019-05-16 05:55:25,910 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1376
2019-05-16 05:55:25,910 [root] INFO: Terminating process 1376 before shutdown.
2019-05-16 05:55:25,910 [root] INFO: Waiting for process 1376 to exit.
2019-05-16 05:55:26,924 [root] INFO: Waiting for process 1376 to exit.
2019-05-16 05:55:27,937 [root] INFO: Waiting for process 1376 to exit.
2019-05-16 05:55:28,951 [root] INFO: Waiting for process 1376 to exit.
2019-05-16 05:55:29,966 [lib.api.process] INFO: Successfully terminated process with pid 1376.
2019-05-16 05:55:29,982 [root] INFO: Waiting for process 1376 to exit.
2019-05-16 05:55:30,996 [root] INFO: Shutting down package.
2019-05-16 05:55:31,010 [root] INFO: Stopping auxiliary modules.
2019-05-16 05:55:31,010 [root] INFO: Finishing auxiliary modules.
2019-05-16 05:55:31,010 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-05-16 05:55:31,010 [root] WARNING: File at path "C:\NqubLyIJtH\debugger" does not exist, skip.
2019-05-16 05:55:31,010 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-05-16 04:53:51
Shutdown On 2019-05-16 04:55:44

File Details

File Name 55a055d5e71c5ddb44447f099bdaa8b3038f6b381cb9f26f672a9e718ed7f1ca
File Size 222784 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 165f4d8ec852248e5a885389e515468f
SHA1 23db7c3414b6af9aac7fc9fe8fbbe2f2fc31fcb0
SHA256 55a055d5e71c5ddb44447f099bdaa8b3038f6b381cb9f26f672a9e718ed7f1ca
SHA512 2da6322453eff4814fb7c53826448850616dbfb154af657c559e9b4a97306761c7ca2bea53050668f535dd170c25de95ca353f42e243662a767e481705554f6c
CRC32 BA94170B
Ssdeep 6144:CaIgmWo6JvwA1DHDgqangu2+UvQ/KpmOqc:C36JvdzDPKMvQ/Kp
TrID
  • 63.3% (.EXE) Win32 Executable MS Visual C++ 4.x (134693/65)
  • 14.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 12.9% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 3.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 2.1% (.EXE) Win32 Executable (generic) (4508/7/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2748 triggered the Yara rule 'embedded_win_api'
Hit: PID 2748 triggered the Yara rule 'shellcode'
Hit: PID 2748 triggered the Yara rule 'Emotet'
Possible date expiration check, exits too soon after checking local time
process: gluerel.exe, PID 2868
Mimics the system's user agent string for its own requests
Guard page use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
Performs HTTP requests potentially not found in PCAP.
url: 181.15.177.100:443/stubs/psec/raster/merge/
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 7.46, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00013e00, virtual_size: 0x00013d68
section: name: .rsrc, entropy: 7.37, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0001a200, virtual_size: 0x0001a0dc
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: gluerel
service path: "C:\Windows\SysWOW64\gluerel.exe"
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\gluerel.exe
Drops a binary and executes it
binary: C:\Windows\SysWOW64\gluerel.exe

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 181.15.177.100 Argentina

DNS

Name Response Post-Analysis Lookup
www.download.windowsupdate.com
crt.usertrust.com

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
C:\Users\user\AppData\Local\Temp\i8ekAGsNBxmGR.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Windows\
C:\Windows\SysWOW64\
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\gluerel.exe
C:\Users
\??\MountPointManager
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows
C:\Windows\SysWOW64
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Local\
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
C:\Windows\Temp
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\i8ekAGsNBxmGR.exe
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Windows
C:\Users\user\AppData\Local\Temp
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Users\user\AppData\Local\Temp\i8ekAGsNBxmGR.exe
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}
HKEY_LOCAL_MACHINE\Software\Classes\interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\i8ekAGsNBxmGR.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_CLASSES_ROOT\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice
HKEY_CLASSES_ROOT\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_CLASSES_ROOT\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\i8ekAGsNBxmGR.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\i8ekAGsNBxmGR.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\Environment
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\gluerel_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

Resolved APIs

kernel32.dll.VirtualAllocEx
kernel32.dll.LoadLibraryExA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualAlloc
kernel32.dll.SetFilePointer
kernel32.dll.lstrlenA
kernel32.dll.lstrcatA
kernel32.dll.VirtualProtect
kernel32.dll.UnmapViewOfFile
kernel32.dll.GetModuleHandleA
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.VirtualFree
kernel32.dll.GetTempPathA
kernel32.dll.CreateFileA
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
ole32.dll.CoCreateInstance
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams

Executed Commands

C:\Users\user\AppData\Local\Temp\i8ekAGsNBxmGR.exe --8f37b422
"C:\Windows\SysWOW64\gluerel.exe"
C:\Windows\SysWOW64\gluerel.exe --caeb0eba

Mutexes

Global\IA4889F95
Global\MA4889F95
IESQMMUTEX_0_208

Created Services

gluerel

Started Services

gluerel

PE Information

Image Base 0x00400000
Entry Point 0x004026f0
Reported Checksum 0x00042ffb
Actual Checksum 0x00042ffb
Minimum OS Version 4.0
Compile Time 2018-05-16 04:48:59
Import Hash 01c92ac045954f49daf13714ddba5816

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Characteristics                                                       Entropy
.text   0x00001000       0x000018ae    0x00001a00        IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ           5.67
.rdata  0x00003000       0x00004ecc    0x00005000        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                     5.02
.data   0x00008000       0x00013d68    0x00013e00        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE  7.46
.rsrc   0x0001c000       0x0001a0dc    0x0001a200        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                     7.37

Overlay

Offset 0x00034e00
Size 0x00001840

Imports

Library KERNEL32.dll:
0x419238 LoadLibraryA
0x41923c GetProcAddress
0x419240 GetModuleHandleA
0x419244 CloseHandle
0x419248 CreateSemaphoreA
0x41924c ExitProcess
0x419250 FindClose
0x419254 FindFirstFileA
0x419258 FindNextFileA
0x419260 GetCurrentProcessId
0x419264 GetCurrentThreadId
0x419268 GetFileAttributesA
0x41926c GetFullPathNameA
0x419270 GetLastError
0x419274 GetModuleFileNameA
0x41927c GetVersionExW
0x419288 ReleaseSemaphore
0x41928c SetLastError
0x419294 Sleep
0x419298 TlsAlloc
0x41929c TlsFree
0x4192a0 TlsGetValue
0x4192a4 TlsSetValue
0x4192a8 WaitForSingleObject
0x4192ac GetLocaleInfoW
0x4192b0 GetConsoleAliasW
0x4192b8 lstrcpynA
0x4192bc GetStdHandle
0x4192c0 CopyFileExA
0x4192c8 DuplicateHandle
0x4192cc GetCurrentProcess
0x4192d0 CreateThread
0x4192d4 SetThreadPriority
0x4192d8 TerminateThread
0x4192dc ResumeThread
0x4192e0 GetSystemInfo
0x4192e8 CreateFileW
0x4192ec FlushFileBuffers
0x4192f0 GetFileType
0x4192f4 GetLogicalDrives
0x4192f8 ReadFile
0x4192fc SetEndOfFile
0x419300 SetFilePointerEx
0x419304 WriteFile
0x419308 SetErrorMode
0x41930c CreateFileMappingW
0x419310 MapViewOfFile
0x419314 UnmapViewOfFile
0x419318 MoveFileExW
0x419320 CreateDirectoryW
0x419324 FindFirstFileW
0x419330 GetFullPathNameW
0x419334 GetLongPathNameW
0x419338 RemoveDirectoryW
0x41933c GetTempPathW
0x419340 DeviceIoControl
0x419344 MoveFileW
0x419354 GetCurrencyFormatW
0x419358 GetTickCount
0x41935c FindFirstFileExW
0x419360 GetTimeFormatW
0x419364 GetStartupInfoW
0x419368 GetModuleFileNameW
0x41936c MultiByteToWideChar
0x419370 WideCharToMultiByte
0x419374 FreeLibrary
0x41937c GetGeoInfoW
0x419380 GetUserGeoID
0x419384 GetModuleHandleExW
0x41938c lstrcmpW
0x419390 ReleaseMutex
0x419394 CreateMutexW
0x419398 VirtualAlloc
0x41939c VirtualFree
0x4193b4 TerminateProcess
0x4193bc IsDebuggerPresent
0x4193c4 InitializeSListHead
0x4193c8 RtlUnwind
0x4193cc EncodePointer
0x4193d0 RaiseException
0x4193d8 LoadLibraryExW
0x4193dc GetCommandLineA
0x4193e0 ExitThread
0x4193e8 SetStdHandle
0x4193ec GetConsoleMode
0x4193f0 ReadConsoleW
0x4193f4 GetConsoleCP
0x4193f8 GetACP
0x4193fc HeapFree
0x419400 HeapAlloc
0x419404 LCMapStringW
0x419408 EnumSystemLocalesW
0x41940c DecodePointer
0x419410 HeapReAlloc
0x419414 GetCPInfo
0x41941c WriteConsoleW
0x419420 GetStringTypeW
0x419424 IsValidCodePage
0x419428 GetOEMCP
0x419434 GetProcessHeap
0x419438 FindFirstFileExA
0x41943c HeapSize
0x419440 GetDateFormatW
0x419444 GetThreadPriority
0x419448 GetCurrentThread
0x41944c ResetEvent
0x419450 LoadLibraryW
0x419454 GetSystemDirectoryW
0x419458 CreateEventW
0x419460 SetEvent
0x419464 GetConsoleWindow
0x419468 OutputDebugStringW
0x419470 GetLocalTime
0x419474 GetSystemTime
0x419478 GetUserDefaultLCID
0x41947c CompareStringW
0x419480 GlobalSize
0x419484 GlobalUnlock
0x419488 GlobalLock
0x41948c GlobalAlloc
0x419490 OpenProcess
0x41949c CreateProcessW
0x4194a4 IsValidLocale
0x4194ac FormatMessageW
0x4194b0 GetModuleHandleW
0x4194b4 FindNextFileW
0x4194c0 LocalFree
0x4194c4 GetCommandLineW
0x4194c8 CopyFileW
0x4194cc SetFileAttributesW
0x4194d0 GetFileAttributesW
0x4194d4 GetDriveTypeW
0x4194dc DeleteFileW
0x4194e0 WinExec
0x4194e4 CreateFileMappingA
0x4194e8 GetFileSize
0x4194ec GetShortPathNameA
0x4194f0 MoveFileExA
0x4194f4 GetTempPathA
0x4194f8 GlobalFree
0x419500 SetFileAttributesA
0x419504 SetFileTime
0x419510 GetStartupInfoA
0x419514 CreateDirectoryA
0x419518 GetVersionExA
0x41951c CreateFileA
0x419520 CompareStringA
0x419524 lstrcmpiA
0x419528 CreateMutexA
0x41952c lstrcatA
0x419530 FormatMessageA
0x419538 CreateEventA
0x419540 GetSystemDirectoryA
0x419544 CopyFileA
0x419548 DeleteFileA
0x41954c RemoveDirectoryA
0x419550 CreateProcessA
0x419554 SetFilePointer
0x419558 GetShortPathNameW
0x419564 lstrlenW
Library USER32.dll:
0x41956c GetDesktopWindow
0x419570 GetClipboardOwner
0x419574 GetThreadDesktop
0x419578 GetCaretBlinkTime
0x41957c DestroyWindow
0x419580 GetKeyState
0x419584 IsIconic
0x419588 GetTopWindow
0x41958c GetSysColor
0x419590 GetListBoxInfo
0x419594 IsWindowVisible
0x419598 ExcludeUpdateRgn
0x41959c DdeUninitialize
0x4195a0 IsWindowEnabled
0x4195a4 SetDlgItemTextW
0x4195a8 IMPQueryIMEA
0x4195b0 LoadCursorW
0x4195b8 SetCursor
0x4195c0 ToUnicodeEx
0x4195c4 MapVirtualKeyW
0x4195cc PtInRect
0x4195d0 CloseWindowStation
0x4195d4 HideCaret
0x4195d8 GetClipboardData
0x4195e0 CheckDlgButton
0x4195e4 CheckRadioButton
0x4195e8 GetDlgItemTextW
0x4195f0 MenuItemFromPoint
0x4195f8 MessageBeep
0x4195fc EnumDesktopsA
0x419600 InvalidateRect
0x419604 GetUpdateRect
0x41960c WindowFromDC
0x419610 CreateMenu
0x419618 AppendMenuW
0x41961c MessageBoxW
0x419620 InsertMenuA
0x419624 UpdateLayeredWindow
0x419628 SendInput
0x41962c FindWindowExW
0x419630 CloseDesktop
0x419634 SetClipboardData
0x419638 ToUnicode
0x41963c GetMenu
0x419640 TrackPopupMenuEx
0x419644 SetMenuItemInfoW
0x419648 NotifyWinEvent
0x41964c SetCursorPos
0x419650 GetCursor
0x419654 CreateCursor
0x419658 CreateIconIndirect
0x41965c GetCursorInfo
0x419660 RegisterClassW
0x419668 TrackMouseEvent
0x41966c GetMessageExtraInfo
0x419670 GetWindowTextW
0x419674 EnumWindows
0x419678 RealGetWindowClassW
0x41967c TranslateMessage
0x419680 DispatchMessageW
0x419684 GetQueueStatus
0x41968c SetTimer
0x419690 KillTimer
0x419694 SetWindowsHookExW
0x419698 UnhookWindowsHookEx
0x41969c CallNextHookEx
0x4196a0 CharNextExA
0x4196a4 ToAscii
0x4196a8 GetKeyboardState
0x4196ac IsZoomed
0x4196b0 PeekMessageW
0x4196b4 SetCaretPos
0x4196b8 GetDC
0x4196bc ReleaseDC
0x4196c0 DestroyIcon
0x4196c4 DrawIconEx
0x4196c8 GetIconInfo
0x4196cc DestroyCaret
0x4196d0 CreateCaret
0x4196d8 GetKeyboardLayout
0x4196dc GetAsyncKeyState
0x4196e4 SetClipboardViewer
0x4196e8 LoadIconW
0x4196ec RegisterClassExW
0x4196f0 GetClassInfoW
0x4196f4 UnregisterClassW
0x4196fc GetAncestor
0x419700 DestroyCursor
0x419708 SetParent
0x41970c GetParent
0x419710 SetWindowLongW
0x419714 GetWindowLongW
0x419718 ScreenToClient
0x41971c ClientToScreen
0x419720 AdjustWindowRectEx
0x419724 GetWindowRect
0x419728 SetWindowTextW
0x41972c EnumDisplayMonitors
0x419730 GetMonitorInfoW
0x419734 LoadImageW
0x419738 GetSysColorBrush
0x41973c SetWindowRgn
0x419740 EndPaint
0x419744 BeginPaint
0x419748 SetForegroundWindow
0x41974c GetForegroundWindow
0x419750 EnableMenuItem
0x419754 GetSystemMenu
0x419758 GetSystemMetrics
0x41975c ReleaseCapture
0x419760 SetCapture
0x419764 GetCapture
0x419768 SetFocus
0x41976c SetWindowPlacement
0x419770 GetWindowPlacement
0x419774 SetWindowPos
0x419778 MoveWindow
0x41977c FlashWindowEx
0x419780 IsChild
0x419784 CreateWindowExW
0x419788 DefWindowProcW
0x41978c AttachThreadInput
0x419790 PostMessageW
0x419794 SendMessageW
0x41979c GetDoubleClickTime
0x4197a0 GetCursorPos
0x4197a4 GetClientRect
0x4197a8 GetFocus
0x4197ac ShowWindow
0x4197b0 OffsetRect
0x4197b4 LockWindowUpdate
0x4197b8 InflateRect
0x4197bc FindWindowW
0x4197c0 FillRect
Library GDI32.dll:
0x4197c8 GetTextAlign
0x4197cc GetDCPenColor
0x4197d0 CloseMetaFile
0x4197d4 CreateMetaFileA
0x4197d8 FillPath
0x4197dc GetFontLanguageInfo
0x4197e0 GetSystemPaletteUse
0x4197e4 GetLayout
0x4197e8 GetDeviceCaps
0x4197ec GetCharABCWidthsI
0x4197f8 SelectClipRgn
0x4197fc GetRegionData
0x419800 CreateBitmap
0x419804 ExtTextOutW
0x419808 SetWorldTransform
0x41980c CreateCompatibleDC
0x419810 DeleteDC
0x419814 DeleteObject
0x419818 GetDIBits
0x41981c SelectObject
0x419820 CreateDIBSection
0x419824 SetTextAlign
0x419828 SetTextColor
0x41982c SetGraphicsMode
0x419830 GetGlyphOutlineW
0x419838 GetCharABCWidthsW
0x41983c GetBitmapBits
0x419840 BitBlt
0x419844 CombineRgn
0x419848 CreateRectRgn
0x41984c OffsetRgn
0x419850 SetBkMode
0x419858 CreateDCW
0x41985c EnumFontFamiliesExW
0x419860 CreateFontIndirectW
0x419864 GetFontData
0x419868 GetStockObject
0x41986c AddFontResourceExW
0x41987c GetTextMetricsW
0x419880 GetObjectW
0x419884 GetTextFaceW
0x419888 ChoosePixelFormat
0x41988c DescribePixelFormat
0x419890 GetPixelFormat
0x419894 SetPixelFormat
0x419898 SwapBuffers
0x41989c GdiFlush
Library ADVAPI32.dll:
0x4198a4 RegOpenKeyA
0x4198a8 RegQueryValueExA
0x4198ac RegCloseKey
0x4198b0 RegQueryValueExW
0x4198b4 OpenProcessToken
0x4198b8 CopySid
0x4198bc FreeSid
0x4198c0 GetLengthSid
0x4198c4 GetTokenInformation
0x4198c8 RegCreateKeyExW
0x4198cc RegDeleteKeyW
0x4198d0 RegDeleteValueW
0x4198d4 RegEnumKeyExW
0x4198d8 RegEnumValueW
0x4198dc RegFlushKey
0x4198e0 RegQueryInfoKeyW
0x4198e4 RegSetValueExW
0x4198e8 SystemFunction036
0x4198ec RegOpenKeyExW
Library SHELL32.dll:
0x4198fc SHChangeNotify
0x419900 SHGetFolderPathW
0x419904 CommandLineToArgvW
0x419908 SHGetStockIconInfo
0x419910 SHBrowseForFolderW
0x419918 SHGetMalloc
0x41991c ShellExecuteW
0x419920 SHGetFileInfoW
Library ole32.dll:
0x419928 StringFromGUID2
0x41992c CoTaskMemAlloc
0x419930 CoGetMalloc
0x419934 CoUninitialize
0x419938 CoTaskMemFree
0x41993c DoDragDrop
0x419944 OleFlushClipboard
0x419948 OleGetClipboard
0x41994c OleSetClipboard
0x419950 CoCreateGuid
0x419954 OleUninitialize
0x419958 OleInitialize
0x41995c RevokeDragDrop
0x419960 CoCreateInstance
0x419964 ReleaseStgMedium
0x419968 RegisterDragDrop
0x419970 CoInitialize
Library SHLWAPI.dll:
0x419978 StrChrA
Library MSVCRT.dll:
0x419980 _except_handler3
0x419984 __set_app_type
0x419988 __p__fmode
0x41998c __p__commode
0x419990 _adjust_fdiv
0x419994 __setusermatherr
0x419998 _initterm
0x41999c __getmainargs
0x4199a0 _acmdln
0x4199a4 exit
0x4199a8 _XcptFilter
0x4199ac _exit
0x4199b0 _onexit
0x4199b4 __dllonexit
0x4199b8 _controlfp
Library IMM32.dll:
0x4199c8 ImmGetVirtualKey
0x4199cc ImmGetDefaultIMEWnd
0x4199d0 ImmGetContext
0x4199d4 ImmReleaseContext
0x4199d8 ImmAssociateContext
0x4199dc ImmNotifyIME

Strings

.text
`.rdata
@.data
.rsrc
kernel32
VirtualAllocEx
LoadLibraryA
GetProcAddress
GetModuleHandleA
CloseHandle
CreateSemaphoreA
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
GetCurrentDirectoryA
GetCurrentProcessId
GetCurrentThreadId
GetFileAttributesA
GetFullPathNameA
GetLastError
GetModuleFileNameA
GetSystemWindowsDirectoryA
GetVersionExW
InterlockedDecrement
InterlockedIncrement
ReleaseSemaphore
SetLastError
SetUnhandledExceptionFilter
Sleep
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
WaitForSingleObject
GetLocaleInfoW
GetConsoleAliasW
WriteProfileSectionA
lstrcpynA
GetStdHandle
CopyFileExA
GetUserDefaultUILanguage
DuplicateHandle
GetCurrentProcess
CreateThread
SetThreadPriority
TerminateThread
ResumeThread
GetSystemInfo
WaitForMultipleObjects
CreateFileW
FlushFileBuffers
GetFileType
GetLogicalDrives
ReadFile
SetEndOfFile
SetFilePointerEx
WriteFile
SetErrorMode
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
MoveFileExW
GetCurrentDirectoryW
CreateDirectoryW
FindFirstFileW
GetFileAttributesExW
GetFileInformationByHandle
GetFullPathNameW
GetLongPathNameW
RemoveDirectoryW
GetTempPathW
DeviceIoControl
MoveFileW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
QueryPerformanceCounter
GetCurrencyFormatW
GetTickCount
FindFirstFileExW
GetTimeFormatW
GetStartupInfoW
GetModuleFileNameW
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
GetTimeZoneInformation
GetGeoInfoW
GetUserGeoID
GetModuleHandleExW
GetVolumeInformationW
lstrcmpW
ReleaseMutex
CreateMutexW
VirtualAlloc
VirtualFree
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
UnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwind
EncodePointer
RaiseException
InitializeCriticalSectionAndSpinCount
LoadLibraryExW
GetCommandLineA
ExitThread
FreeLibraryAndExitThread
SetStdHandle
GetConsoleMode
ReadConsoleW
GetConsoleCP
GetACP
HeapFree
HeapAlloc
LCMapStringW
EnumSystemLocalesW
DecodePointer
HeapReAlloc
GetCPInfo
SetEnvironmentVariableA
WriteConsoleW
GetStringTypeW
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
FindFirstFileExA
HeapSize
GetDateFormatW
GetThreadPriority
GetCurrentThread
ResetEvent
LoadLibraryW
GetSystemDirectoryW
CreateEventW
WaitForSingleObjectEx
SetEvent
GetConsoleWindow
OutputDebugStringW
FindNextChangeNotification
GetLocalTime
GetSystemTime
GetUserDefaultLCID
CompareStringW
GlobalSize
GlobalUnlock
GlobalLock
GlobalAlloc
OpenProcess
CheckRemoteDebuggerPresent
GetUserDefaultLangID
CreateProcessW
ExpandEnvironmentStringsW
IsValidLocale
IsValidLanguageGroup
FormatMessageW
GetModuleHandleW
FindNextFileW
FindCloseChangeNotification
FindFirstChangeNotificationW
LocalFree
GetCommandLineW
CopyFileW
SetFileAttributesW
GetFileAttributesW
GetDriveTypeW
QueryPerformanceFrequency
DeleteFileW
WinExec
CreateFileMappingA
GetFileSize
GetShortPathNameA
MoveFileExA
GetTempPathA
GlobalFree
WritePrivateProfileStringA
SetFileAttributesA
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
GetStartupInfoA
CreateDirectoryA
GetVersionExA
CreateFileA
CompareStringA
lstrcmpiA
CreateMutexA
lstrcatA
FormatMessageA
GetPrivateProfileStringA
CreateEventA
GetWindowsDirectoryA
GetSystemDirectoryA
CopyFileA
DeleteFileA
RemoveDirectoryA
CreateProcessA
SetFilePointer
GetShortPathNameW
SetCurrentDirectoryA
SetCurrentDirectoryW
lstrlenW
KERNEL32.dll
GetDesktopWindow
GetClipboardOwner
GetThreadDesktop
GetCaretBlinkTime
DestroyWindow
GetKeyState
IsIconic
GetTopWindow
GetSysColor
GetListBoxInfo
IsWindowVisible
ExcludeUpdateRgn
DdeUninitialize
IsWindowEnabled
SetDlgItemTextW
IMPQueryIMEA
GetKeyboardLayoutNameW
LoadCursorW
ChangeClipboardChain
SetCursor
RegisterClipboardFormatA
ToUnicodeEx
MapVirtualKeyW
GetClipboardFormatNameA
PtInRect
CloseWindowStation
HideCaret
GetClipboardData
GetKeyboardLayoutNameA
CheckDlgButton
CheckRadioButton
GetDlgItemTextW
DialogBoxIndirectParamW
MenuItemFromPoint
CountClipboardFormats
MessageBeep
EnumDesktopsA
InvalidateRect
GetUpdateRect
DdeCreateStringHandleA
WindowFromDC
CreateMenu
ChildWindowFromPointEx
AppendMenuW
MessageBoxW
InsertMenuA
UpdateLayeredWindow
SendInput
FindWindowExW
CloseDesktop
SetClipboardData
ToUnicode
GetMenu
TrackPopupMenuEx
SetMenuItemInfoW
NotifyWinEvent
SetCursorPos
GetCursor
CreateCursor
CreateIconIndirect
GetCursorInfo
RegisterClassW
GetClipboardFormatNameW
TrackMouseEvent
GetMessageExtraInfo
GetWindowTextW
EnumWindows
RealGetWindowClassW
TranslateMessage
DispatchMessageW
GetQueueStatus
MsgWaitForMultipleObjectsEx
SetTimer
KillTimer
SetWindowsHookExW
UnhookWindowsHookEx
CallNextHookEx
CharNextExA
ToAscii
GetKeyboardState
IsZoomed
PeekMessageW
SetCaretPos
GetDC
ReleaseDC
DestroyIcon
DrawIconEx
GetIconInfo
DestroyCaret
CreateCaret
RegisterWindowMessageW
GetKeyboardLayout
GetAsyncKeyState
RegisterClipboardFormatW
SetClipboardViewer
LoadIconW
RegisterClassExW
GetClassInfoW
UnregisterClassW
GetKeyboardLayoutList
GetAncestor
DestroyCursor
GetWindowThreadProcessId
SetParent
GetParent
SetWindowLongW
GetWindowLongW
ScreenToClient
ClientToScreen
AdjustWindowRectEx
GetWindowRect
SetWindowTextW
EnumDisplayMonitors
GetMonitorInfoW
LoadImageW
GetSysColorBrush
SetWindowRgn
EndPaint
BeginPaint
SetForegroundWindow
GetForegroundWindow
EnableMenuItem
GetSystemMenu
GetSystemMetrics
ReleaseCapture
SetCapture
GetCapture
SetFocus
SetWindowPlacement
GetWindowPlacement
SetWindowPos
MoveWindow
FlashWindowEx
IsChild
CreateWindowExW
DefWindowProcW
AttachThreadInput
PostMessageW
SendMessageW
SystemParametersInfoW
GetDoubleClickTime
GetCursorPos
GetClientRect
GetFocus
ShowWindow
OffsetRect
LockWindowUpdate
InflateRect
FindWindowW
FillRect
USER32.dll
GetTextAlign
GetDCPenColor
CloseMetaFile
CreateMetaFileA
FillPath
GetFontLanguageInfo
GetSystemPaletteUse
GetLayout
GetDeviceCaps
GetCharABCWidthsI
GetTextExtentPoint32W
GetOutlineTextMetricsW
SelectClipRgn
GetRegionData
CreateBitmap
ExtTextOutW
SetWorldTransform
CreateCompatibleDC
DeleteDC
DeleteObject
GetDIBits
SelectObject
CreateDIBSection
SetTextAlign
SetTextColor
SetGraphicsMode
GetGlyphOutlineW
GetCharABCWidthsFloatW
GetCharABCWidthsW
GetBitmapBits
BitBlt
CombineRgn
CreateRectRgn
OffsetRgn
SetBkMode
CreateCompatibleBitmap
CreateDCW
EnumFontFamiliesExW
CreateFontIndirectW
GetFontData
GetStockObject
AddFontResourceExW
RemoveFontResourceExW
AddFontMemResourceEx
RemoveFontMemResourceEx
GetTextMetricsW
GetObjectW
GetTextFaceW
ChoosePixelFormat
DescribePixelFormat
GetPixelFormat
SetPixelFormat
SwapBuffers
GdiFlush
GDI32.dll
RegOpenKeyA
RegQueryValueExA
RegCloseKey
RegQueryValueExW
OpenProcessToken
CopySid
FreeSid
GetLengthSid
GetTokenInformation
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
RegFlushKey
RegQueryInfoKeyW
RegSetValueExW
SystemFunction036
RegOpenKeyExW
ADVAPI32.dll
SHInvokePrinterCommandW
SHCreateDirectoryExW
SHChangeNotify
SHGetFolderPathW
CommandLineToArgvW
SHGetStockIconInfo
SHGetSpecialFolderPathW
SHBrowseForFolderW
SHGetPathFromIDListW
SHGetMalloc
ShellExecuteW
SHGetFileInfoW
SHELL32.dll
StringFromGUID2
CoTaskMemAlloc
CoGetMalloc
CoUninitialize
CoTaskMemFree
DoDragDrop
OleIsCurrentClipboard
OleFlushClipboard
OleGetClipboard
OleSetClipboard
CoCreateGuid
OleUninitialize
OleInitialize
RevokeDragDrop
CoCreateInstance
ReleaseStgMedium
RegisterDragDrop
CoLockObjectExternal
CoInitialize
ole32.dll
StrChrA
SHLWAPI.dll
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
MSVCRT.dll
_onexit
__dllonexit
_controlfp
ImmSetCompositionWindow
ImmSetCandidateWindow
ImmGetVirtualKey
ImmGetDefaultIMEWnd
ImmGetContext
ImmReleaseContext
ImmAssociateContext
ImmNotifyIME
ImmGetCompositionStringW
IMM32.dll
en-US
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Microsoft Corporation
FileDescription
Windows System Restore
FileVersion
6.1.7601.23539 (win7sp1_ldr.160902-0600)
InternalName
rstrui.exe
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
rstrui.exe
ProductName
Operating System
ProductVersion
6.1.7601.23539
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


i8ekAGsNBxmGR.exe, PID: 2748, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\i8ekAGsNBxmGR.exe
Command Line: "C:\Users\user\AppData\Local\Temp\i8ekAGsNBxmGR.exe"
i8ekAGsNBxmGR.exe, PID: 2640, Parent PID: 2748
Full Path: C:\Users\user\AppData\Local\Temp\i8ekAGsNBxmGR.exe
Command Line: --8f37b422
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
gluerel.exe, PID: 2868, Parent PID: 460
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: "C:\Windows\SysWOW64\gluerel.exe"
gluerel.exe, PID: 1376, Parent PID: 2868
Full Path: C:\Windows\SysWOW64\gluerel.exe
Command Line: --caeb0eba

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 181.15.177.100 [VT] Argentina

TCP

Source Source Port Destination Destination Port
192.168.35.21 49181 181.15.177.100 443

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.download.windowsupdate.com [VT]
crt.usertrust.com [VT]

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name gluerel.exe
Associated Filenames
C:\Windows\SysWOW64\gluerel.exe
File Size 222784 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 165f4d8ec852248e5a885389e515468f
SHA1 23db7c3414b6af9aac7fc9fe8fbbe2f2fc31fcb0
SHA256 55a055d5e71c5ddb44447f099bdaa8b3038f6b381cb9f26f672a9e718ed7f1ca
CRC32 BA94170B
Ssdeep 6144:CaIgmWo6JvwA1DHDgqangu2+UvQ/KpmOqc:C36JvdzDPKMvQ/Kp
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
-----END PUBLIC KEY-----
address
181.15.177.100:443
189.143.52.49:443
31.179.135.186:80
154.120.228.126:143
200.32.61.210:8080
64.87.26.16:443
218.161.88.253:8080
109.104.79.48:8080
185.94.252.27:443
216.98.148.136:4143
200.28.131.215:443
196.6.112.70:443
69.163.33.82:8080
190.147.116.32:21
186.139.160.193:8080
81.183.213.36:80
200.58.171.51:80
190.113.233.4:7080
181.29.101.13:80
163.18.23.242:80
103.201.150.209:80
181.16.127.226:443
200.59.189.217:80
185.129.93.140:80
45.73.124.235:8080
23.254.203.51:8080
190.85.206.228:80
85.132.96.242:80
187.178.9.19:20
111.67.12.221:8080
192.155.90.90:7080
201.217.67.3:80
190.180.52.146:20
91.205.215.57:7080
205.186.154.130:80
175.107.200.27:443
51.255.50.164:8080
187.242.204.142:80
181.39.134.122:80
181.110.239.26:80
62.75.143.100:7080
190.117.206.153:443
43.229.62.186:8080
190.123.35.82:50000
217.92.171.167:53
91.83.93.124:7080
181.30.126.66:80
82.226.163.9:80
103.213.212.42:443
89.134.144.41:8080
213.172.88.13:80
187.188.166.192:80
190.13.211.174:21
109.73.52.242:8080
217.199.175.216:8080
81.3.6.78:7080
66.209.69.165:443
79.143.182.254:8080
189.196.140.187:80
105.224.171.102:80
200.45.57.96:143
203.25.159.3:8080
201.251.229.37:80
185.86.148.222:8080
191.97.116.232:443
37.59.1.74:8080
181.143.101.18:8080
181.199.151.19:80
200.107.105.16:465
200.127.0.8:80
181.15.243.22:80
200.57.102.71:8443
219.94.254.93:8080
72.47.248.48:8080
Type Extracted Shellcode
Size 69632 bytes
Virtual Address 0x2f0000
Process i8ekAGsNBxmGR.exe
PID 2748
Path C:\Users\user\AppData\Local\Temp\i8ekAGsNBxmGR.exe
MD5 38aa5772938a4a5679f12447b4de6889
SHA1 d56b4eba7306b96dabe394f380fd839dcdfc2f40
SHA256 9d975bd96a097a85b1841202f8c416da47ffeda6c45b8deb3ad45128fd759ba4
CRC32 56ADEADA
Ssdeep 1536:nAk1W42lCe4OsrMHAB201zneR5z/ZvECviGyMuYt:9UCQsjB20heR5tRvNL
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Emotet Payload: 32-bit executable
Size 62976 bytes
Virtual Address 0x3d0000
Process i8ekAGsNBxmGR.exe
PID 2748
Path C:\Users\user\AppData\Local\Temp\i8ekAGsNBxmGR.exe
MD5 3b033c7eb80d53c418dfc5576a5adb54
SHA1 0e354a966392b0658f61354d8420bd0ccbd00f2b
SHA256 8cb9a5659fa9f606ffc2d9ac468804c898efbf8d328e0afb501480cdcda5bdf3
CRC32 C6FF60FA
Ssdeep 1536:ygV2M7cQ62aENvW0+wspUYUGgp9OSB942r:yEhbZ9yF89Oup
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Sorry! No process dumps.


Processing ( 3.261 seconds )

  • 1.849 CAPE
  • 0.511 BehaviorAnalysis
  • 0.257 Dropped
  • 0.256 TargetInfo
  • 0.229 Static
  • 0.096 TrID
  • 0.034 Deduplicate
  • 0.013 Strings
  • 0.01 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.17 seconds )

  • 0.02 antiav_detectreg
  • 0.015 stealth_timeout
  • 0.013 decoy_document
  • 0.012 api_spamming
  • 0.01 PlugX
  • 0.008 infostealer_ftp
  • 0.005 Doppelganging
  • 0.005 injection_createremotethread
  • 0.005 InjectionCreateRemoteThread
  • 0.004 InjectionProcessHollowing
  • 0.004 injection_runpe
  • 0.004 antianalysis_detectreg
  • 0.004 antiav_detectfile
  • 0.004 infostealer_im
  • 0.004 ransomware_files
  • 0.003 InjectionInterProcess
  • 0.003 antivm_generic_disk
  • 0.003 persistence_autorun
  • 0.003 infostealer_mail
  • 0.003 ransomware_extensions
  • 0.002 bootkit
  • 0.002 stealth_file
  • 0.002 mimics_filetime
  • 0.002 antivm_generic_scsi
  • 0.002 reads_self
  • 0.002 virus
  • 0.002 antivm_vbox_keys
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 recon_programs
  • 0.001 antivm_generic_services
  • 0.001 antiemu_wine_func
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 recon_fingerprint

Reporting ( 0.016 seconds )

  • 0.016 CompressResults
Task ID 74112
Mongo ID 5cdced58f284885cceceea9f
Cuckoo release 1.3-CAPE