CAPE

Detections: Emotet


Analysis

Category: FILE
Package: Emotet
Started: 2020-02-14 15:08:30
Completed: 2020-02-14 15:12:28
Duration: 238 seconds

Options:
route = inetsim
procdump = 1

Log:
2020-02-14 16:09:10,000 [root] INFO: Date set to: 02-14-20, time set to: 15:09:10, timeout set to: 200
2020-02-14 16:09:11,217 [root] DEBUG: Starting analyzer from: C:\inhmedn
2020-02-14 16:09:11,233 [root] DEBUG: Storing results at: C:\eGWfTIjF
2020-02-14 16:09:11,233 [root] DEBUG: Pipe server name: \\.\PIPE\pmlxWUQJ
2020-02-14 16:09:11,233 [root] INFO: Analysis package "Emotet" has been specified.
2020-02-14 16:09:55,780 [root] DEBUG: Started auxiliary module Browser
2020-02-14 16:09:55,780 [root] DEBUG: Started auxiliary module Curtain
2020-02-14 16:09:55,780 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-02-14 16:10:01,155 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-02-14 16:10:01,155 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-02-14 16:10:01,155 [root] DEBUG: Started auxiliary module DigiSig
2020-02-14 16:10:01,155 [root] DEBUG: Started auxiliary module Disguise
2020-02-14 16:10:01,155 [root] DEBUG: Started auxiliary module Human
2020-02-14 16:10:01,171 [root] DEBUG: Started auxiliary module Screenshots
2020-02-14 16:10:01,171 [root] DEBUG: Started auxiliary module Sysmon
2020-02-14 16:10:01,171 [root] DEBUG: Started auxiliary module Usage
2020-02-14 16:10:01,171 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL option
2020-02-14 16:10:01,171 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL_64 option
2020-02-14 16:10:06,812 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\E1-20200214_114409.exe" with arguments "" with pid 2440
2020-02-14 16:10:19,640 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA:SendMessageA' sent to monitor
2020-02-14 16:10:19,640 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-02-14 16:10:19,640 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-02-14 16:10:19,640 [lib.api.process] INFO: Option 'single-process' with value '1' sent to monitor
2020-02-14 16:10:19,640 [lib.api.process] INFO: 32-bit DLL to inject is C:\inhmedn\dll\HqCVbOi.dll, loader C:\inhmedn\bin\kdBGbtl.exe
2020-02-14 16:10:19,780 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pmlxWUQJ.
2020-02-14 16:10:19,796 [root] DEBUG: Loader: Injecting process 2440 (thread 1904) with C:\inhmedn\dll\HqCVbOi.dll.
2020-02-14 16:10:19,796 [root] DEBUG: Process image base: 0x00400000
2020-02-14 16:10:19,796 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\inhmedn\dll\HqCVbOi.dll.
2020-02-14 16:10:19,796 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 16:10:19,796 [root] DEBUG: Successfully injected DLL C:\inhmedn\dll\HqCVbOi.dll.
2020-02-14 16:10:19,812 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2440
2020-02-14 16:10:21,842 [lib.api.process] INFO: Successfully resumed process with pid 2440
2020-02-14 16:10:21,842 [root] INFO: Added new process to list with pid: 2440
2020-02-14 16:10:24,250 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:10:24,296 [root] DEBUG: Capture of extracted payloads enabled.
2020-02-14 16:10:24,358 [root] DEBUG: Process dumps disabled.
2020-02-14 16:10:24,405 [root] DEBUG: Monitoring child processes disabled.
2020-02-14 16:10:27,500 [root] INFO: Disabling sleep skipping.
2020-02-14 16:10:27,500 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 16:10:27,500 [root] INFO: Disabling sleep skipping.
2020-02-14 16:10:27,500 [root] INFO: Disabling sleep skipping.
2020-02-14 16:10:27,562 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2440 at 0x70120000, image base 0x400000, stack from 0x126000-0x130000
2020-02-14 16:10:27,500 [root] INFO: Disabling sleep skipping.
2020-02-14 16:10:27,562 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\E1-20200214_114409.exe".
2020-02-14 16:10:27,578 [root] DEBUG: WoW64 not detected.
2020-02-14 16:10:27,578 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-02-14 16:10:27,578 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-02-14 16:10:27,592 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x9ad0, Entropy 6.231105e+00
2020-02-14 16:10:27,640 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-02-14 16:10:27,640 [root] INFO: Monitor successfully loaded in process with pid 2440.
2020-02-14 16:10:27,812 [root] DEBUG: DLL loaded at 0x75920000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-02-14 16:10:27,812 [root] DEBUG: DLL loaded at 0x753F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-02-14 16:10:27,890 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-02-14 16:10:27,967 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-02-14 16:10:27,967 [root] DEBUG: DLL loaded at 0x75A40000: C:\Windows\system32\profapi (0xb000 bytes).
2020-02-14 16:10:34,453 [root] DEBUG: Allocation: 0x002B0000 - 0x002BA000, size: 0xa000, protection: 0x40.
2020-02-14 16:10:34,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 16:10:34,592 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-02-14 16:10:34,625 [root] DEBUG: ProcessImageBase: EP 0x00009AD0 image base 0x00400000 size 0x0 entropy 6.245305e+00.
2020-02-14 16:10:34,687 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x002B0000, size: 0xa000.
2020-02-14 16:10:34,733 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x002B0000.
2020-02-14 16:10:34,780 [root] DEBUG: AddTrackedRegion: New region at 0x002B0000 size 0xa000 added to tracked regions.
2020-02-14 16:10:34,828 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x002B0000, TrackedRegion->RegionSize: 0xa000, thread 1904
2020-02-14 16:10:34,953 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x002B0000 and Type=0x1.
2020-02-14 16:10:35,000 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1904 type 1 at address 0x002B0000, size 2 with Callback 0x70127890.
2020-02-14 16:10:35,125 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x002B0000
2020-02-14 16:10:35,217 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x002B003C and Type=0x1.
2020-02-14 16:10:35,265 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1904 type 1 at address 0x002B003C, size 4 with Callback 0x701274e0.
2020-02-14 16:10:35,453 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x002B003C
2020-02-14 16:10:35,453 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x002B0000 (size 0xa000).
2020-02-14 16:10:35,453 [root] DEBUG: DLL unloaded from 0x77CB0000.
2020-02-14 16:10:35,453 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,453 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x002B0000.
2020-02-14 16:10:35,453 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x002B0000 and Type=0x0.
2020-02-14 16:10:35,453 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2b0000: 0x95.
2020-02-14 16:10:35,453 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 16:10:35,453 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,453 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x002B0000.
2020-02-14 16:10:35,453 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x002B0000 already exists for thread 1904 (process 2440), skipping.
2020-02-14 16:10:35,453 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2b0000: 0x95.
2020-02-14 16:10:35,453 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 16:10:35,467 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x002B003C.
2020-02-14 16:10:35,467 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x002B0055 and Type=0x1.
2020-02-14 16:10:35,467 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 3 within Context, Size=0x4, Address=0x002B0065 and Type=0x1.
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x002B0065.
2020-02-14 16:10:35,467 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x002B003C.
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xce3d (at 0x002B003C).
2020-02-14 16:10:35,467 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x002B0000 already exists for thread 1904 (process 2440), skipping.
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x002B0000.
2020-02-14 16:10:35,467 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x002B003C.
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x77ce3d (at 0x002B003C).
2020-02-14 16:10:35,467 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x002B0000 already exists for thread 1904 (process 2440), skipping.
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x002B0000.
2020-02-14 16:10:35,467 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x002B003C.
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xbd77ce3d (at 0x002B003C).
2020-02-14 16:10:35,467 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x002B0000 already exists for thread 1904 (process 2440), skipping.
2020-02-14 16:10:35,467 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x002B0000.
2020-02-14 16:10:35,467 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,467 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0xBD77CE3D.
2020-02-14 16:10:35,467 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,483 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0xBD77CE3D.
2020-02-14 16:10:35,483 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,483 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xBD77CE3D.
2020-02-14 16:10:35,483 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,483 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xBD77CE3D.
2020-02-14 16:10:35,483 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,483 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xBD77CE3D.
2020-02-14 16:10:35,483 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401165 (thread 1904)
2020-02-14 16:10:35,483 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xBD77CE3D.
2020-02-14 16:10:35,483 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402798 (thread 1904)
2020-02-14 16:10:35,483 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x002B003C.
2020-02-14 16:10:35,483 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xbd77ce56 (at 0x002B003C).
2020-02-14 16:10:35,483 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x002B0000 already exists for thread 1904 (process 2440), skipping.
2020-02-14 16:10:35,483 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x002B0000.
2020-02-14 16:10:35,483 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402798 (thread 1904)
2020-02-14 16:10:35,483 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x002B003C.
2020-02-14 16:10:35,483 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xbd775756 (at 0x002B003C).
2020-02-14 16:10:35,483 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x002B0000 already exists for thread 1904 (process 2440), skipping.
2020-02-14 16:10:35,483 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x002B0000.
2020-02-14 16:10:35,483 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402798 (thread 1904)
2020-02-14 16:10:35,483 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x002B003C.
2020-02-14 16:10:35,483 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xbd335756 (at 0x002B003C).
2020-02-14 16:10:35,483 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x002B0000 already exists for thread 1904 (process 2440), skipping.
2020-02-14 16:10:35,500 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x002B0000.
2020-02-14 16:10:35,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402798 (thread 1904)
2020-02-14 16:10:35,500 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x002B003C.
2020-02-14 16:10:35,500 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x002B003C).
2020-02-14 16:10:35,500 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x002B0000 already exists for thread 1904 (process 2440), skipping.
2020-02-14 16:10:35,500 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x002B0000.
2020-02-14 16:10:35,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402798 (thread 1904)
2020-02-14 16:10:35,500 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0xF6335756.
2020-02-14 16:10:35,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402798 (thread 1904)
2020-02-14 16:10:35,500 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0xF6335756.
2020-02-14 16:10:35,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402798 (thread 1904)
2020-02-14 16:10:35,500 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xF6335756.
2020-02-14 16:10:35,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402798 (thread 1904)
2020-02-14 16:10:35,500 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xF6335756.
2020-02-14 16:10:35,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402798 (thread 1904)
2020-02-14 16:10:35,500 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xF6335756.
2020-02-14 16:10:35,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402798 (thread 1904)
2020-02-14 16:10:35,500 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xF6335756.
2020-02-14 16:10:36,062 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x002B0000 (thread 1904)
2020-02-14 16:10:36,062 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x002B0000 (allocation base 0x002B0000).
2020-02-14 16:10:36,062 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b0000 - 0x2ba000.
2020-02-14 16:10:36,062 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x002B0055.
2020-02-14 16:10:36,062 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x002B003C.
2020-02-14 16:10:36,062 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x002B0000.
2020-02-14 16:10:36,062 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 3 address 0x002B0065.
2020-02-14 16:10:36,062 [root] DEBUG: ShellcodeExecCallback: About to scan region for a PE image (base 0x002B0000, size 0xa000).
2020-02-14 16:10:36,062 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b0000 - 0x2ba000.
2020-02-14 16:10:36,062 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2b053f
2020-02-14 16:10:36,062 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-02-14 16:10:36,062 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x002B053F.
2020-02-14 16:10:36,092 [root] INFO: Added new CAPE file to list with path: C:\eGWfTIjF\CAPE\2440_27958761616521914522020
2020-02-14 16:10:36,108 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x9a00.
2020-02-14 16:10:36,108 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b153f-0x2ba000.
2020-02-14 16:10:36,108 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2020-02-14 16:10:36,108 [root] DEBUG: set_caller_info: Adding region at 0x002B0000 to caller regions list (ntdll::NtQuerySystemInformation).
2020-02-14 16:10:36,108 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b0000 - 0x2ba000.
2020-02-14 16:10:36,108 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2b053f
2020-02-14 16:10:36,108 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-02-14 16:10:36,108 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x002B053F.
2020-02-14 16:10:36,108 [root] DEBUG: set_caller_info: Adding region at 0x01470000 to caller regions list (kernel32::GetSystemTime).
2020-02-14 16:10:39,421 [root] INFO: Added new CAPE file to list with path: C:\eGWfTIjF\CAPE\2440_186242545116521914522020
2020-02-14 16:10:39,421 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x9a00.
2020-02-14 16:10:39,421 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b153f-0x2ba000.
2020-02-14 16:10:39,421 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x002B0000 - 0x002BA000.
2020-02-14 16:10:39,421 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x002B0000 - 0x002BA000.
2020-02-14 16:10:39,421 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b0000 - 0x2ba000.
2020-02-14 16:10:39,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 16:10:39,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-02-14 16:10:39,421 [root] DEBUG: ProcessImageBase: EP 0x00009AD0 image base 0x00400000 size 0x0 entropy 6.245305e+00.
2020-02-14 16:10:39,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-02-14 16:10:39,421 [root] DEBUG: ProtectionHandler: Adding region at 0x002C1000 to tracked regions.
2020-02-14 16:10:39,421 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x002C1000.
2020-02-14 16:10:39,437 [root] DEBUG: AddTrackedRegion: New region at 0x002C0000 size 0x9000 added to tracked regions: EntryPoint 0x51f0, Entropy 5.865860e+00
2020-02-14 16:10:39,437 [root] DEBUG: ProtectionHandler: Address: 0x002C1000 (alloc base 0x002C0000), NumberOfBytesToProtect: 0x8600, NewAccessProtection: 0x20
2020-02-14 16:10:39,437 [root] DEBUG: ProtectionHandler: Increased region size at 0x002C1000 to 0x9600.
2020-02-14 16:10:39,437 [root] DEBUG: ProtectionHandler: New code detected at (0x002C0000), scanning for PE images.
2020-02-14 16:10:39,437 [root] DEBUG: DumpPEsInRange: Scanning range 0x2c0000 - 0x2c9600.
2020-02-14 16:10:39,437 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2c0000
2020-02-14 16:10:39,437 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x002C0000
2020-02-14 16:10:39,437 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-14 16:10:39,437 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x002C0000.
2020-02-14 16:10:39,437 [root] DEBUG: DumpProcess: Module entry point VA is 0x000051F0.
2020-02-14 16:10:40,312 [root] INFO: Added new CAPE file to list with path: C:\eGWfTIjF\CAPE\2440_51747018039101514522020
2020-02-14 16:10:40,312 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9a00.
2020-02-14 16:10:40,312 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2c1000-0x2c9600.
2020-02-14 16:10:40,328 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x002C0000 - 0x002C9600.
2020-02-14 16:10:40,328 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x002C0000.
2020-02-14 16:10:40,328 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2c0000 - 0x2c9600.
2020-02-14 16:10:40,358 [root] DEBUG: set_caller_info: Adding region at 0x002C0000 to caller regions list (ntdll::LdrGetDllHandle).
2020-02-14 16:10:40,937 [root] DEBUG: DLL loaded at 0x75C10000: C:\Windows\system32\crypt32 (0x122000 bytes).
2020-02-14 16:10:40,983 [root] DEBUG: DLL loaded at 0x75A30000: C:\Windows\system32\MSASN1 (0xc000 bytes).
2020-02-14 16:10:41,030 [root] DEBUG: DLL loaded at 0x76970000: C:\Windows\system32\urlmon (0x150000 bytes).
2020-02-14 16:10:41,078 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-02-14 16:10:41,125 [root] DEBUG: DLL loaded at 0x75D50000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-02-14 16:10:41,155 [root] DEBUG: DLL loaded at 0x75C00000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-02-14 16:10:41,203 [root] DEBUG: DLL loaded at 0x75A60000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-02-14 16:10:41,250 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-02-14 16:10:41,296 [root] DEBUG: DLL loaded at 0x74EC0000: C:\Windows\system32\version (0x9000 bytes).
2020-02-14 16:10:41,342 [root] DEBUG: DLL loaded at 0x75A50000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-02-14 16:10:41,467 [root] DEBUG: DLL loaded at 0x75D60000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-02-14 16:10:41,530 [root] DEBUG: DLL loaded at 0x76660000: C:\Windows\system32\iertutil (0x236000 bytes).
2020-02-14 16:10:42,453 [root] DEBUG: DLL loaded at 0x76C20000: C:\Windows\system32\WININET (0x437000 bytes).
2020-02-14 16:10:42,467 [root] DEBUG: DLL loaded at 0x73F30000: C:\Windows\system32\wtsapi32 (0xd000 bytes).
2020-02-14 16:10:50,671 [root] DEBUG: DLL loaded at 0x76020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-02-14 16:10:50,750 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-02-14 16:10:50,875 [root] DEBUG: DLL loaded at 0x75D70000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-02-14 16:10:50,905 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\propsys (0xf5000 bytes).
2020-02-14 16:10:50,921 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-02-14 16:10:50,921 [root] DEBUG: DLL loaded at 0x760C0000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-02-14 16:10:52,467 [root] DEBUG: DLL loaded at 0x762C0000: C:\Windows\system32\SETUPAPI (0x19d000 bytes).
2020-02-14 16:10:52,500 [root] DEBUG: DLL loaded at 0x75BD0000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-02-14 16:10:52,983 [root] DEBUG: DLL loaded at 0x75AC0000: C:\Windows\system32\DEVOBJ (0x12000 bytes).
2020-02-14 16:10:53,030 [root] DEBUG: DLL unloaded from 0x77060000.
2020-02-14 16:10:53,125 [root] DEBUG: DLL unloaded from 0x74610000.
2020-02-14 16:10:53,140 [root] DEBUG: DLL loaded at 0x75990000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-02-14 16:10:53,155 [root] DEBUG: DLL loaded at 0x6E830000: C:\Windows\system32\mssprxy (0xc000 bytes).
2020-02-14 16:10:53,203 [root] DEBUG: DLL unloaded from 0x6E830000.
2020-02-14 16:10:53,203 [root] DEBUG: DLL unloaded from 0x77060000.
2020-02-14 16:10:59,546 [root] DEBUG: DLL loaded at 0x758D0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-02-14 16:10:59,578 [root] DEBUG: DLL unloaded from 0x00400000.
2020-02-14 16:10:59,578 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2440).
2020-02-14 16:10:59,608 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 16:10:59,655 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-02-14 16:11:01,703 [root] DEBUG: ProcessImageBase: EP 0x00009AD0 image base 0x00400000 size 0x0 entropy 6.245305e+00.
2020-02-14 16:11:01,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-02-14 16:11:02,000 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b0000 - 0x2ba000.
2020-02-14 16:11:02,092 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2b053f
2020-02-14 16:11:02,187 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-02-14 16:11:02,296 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x002B053F.
2020-02-14 16:11:05,703 [root] INFO: Added new CAPE file to list with path: C:\eGWfTIjF\CAPE\2440_169919788852531914522020
2020-02-14 16:11:05,703 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x9a00.
2020-02-14 16:11:05,703 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b153f-0x2ba000.
2020-02-14 16:11:05,703 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x002B0000 - 0x002BA000.
2020-02-14 16:11:05,703 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x002B0000 - 0x002BA000.
2020-02-14 16:11:05,703 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b0000 - 0x2ba000.
2020-02-14 16:11:05,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 16:11:05,703 [root] DEBUG: DLL unloaded from 0x74610000.
2020-02-14 16:11:06,250 [root] DEBUG: DLL unloaded from 0x74270000.
2020-02-14 16:11:06,265 [root] DEBUG: DLL unloaded from 0x762A0000.
2020-02-14 16:11:06,265 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2440).
2020-02-14 16:11:06,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 16:11:06,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-02-14 16:11:06,265 [root] DEBUG: ProcessImageBase: EP 0x00009AD0 image base 0x00400000 size 0x0 entropy 6.245305e+00.
2020-02-14 16:11:06,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-02-14 16:11:06,265 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b0000 - 0x2ba000.
2020-02-14 16:11:06,265 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2b053f
2020-02-14 16:11:06,280 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-02-14 16:11:06,280 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x002B053F.
2020-02-14 16:11:06,312 [root] INFO: Added new CAPE file to list with path: C:\eGWfTIjF\CAPE\2440_122412196256551914522020
2020-02-14 16:11:06,312 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x9a00.
2020-02-14 16:11:06,312 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b153f-0x2ba000.
2020-02-14 16:11:06,312 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x002B0000 - 0x002BA000.
2020-02-14 16:11:06,312 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x002B0000 - 0x002BA000.
2020-02-14 16:11:06,312 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b0000 - 0x2ba000.
2020-02-14 16:11:06,312 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 16:11:06,312 [root] INFO: Notified of termination of process with pid 2440.
2020-02-14 16:11:12,687 [root] INFO: Process list is empty, terminating analysis.
2020-02-14 16:11:13,765 [root] INFO: Created shutdown mutex.
2020-02-14 16:11:14,796 [root] INFO: Shutting down package.
2020-02-14 16:11:14,796 [root] INFO: Stopping auxiliary modules.
2020-02-14 16:11:16,250 [root] INFO: Finishing auxiliary modules.
2020-02-14 16:11:16,250 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-14 16:11:16,250 [root] WARNING: File at path "C:\eGWfTIjF\debugger" does not exist, skip.
2020-02-14 16:11:16,250 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name: win7_2
Label: win7_2
Manager: KVM
Started On: 2020-02-14 15:08:31
Shutdown On: 2020-02-14 15:12:26

File Details

File Name E1-20200214_114409
File Size 499712 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1e25d09b70fe0a9433a5f5c939ae1474
SHA1 515f34b30df2293716247d92e5b76f5b820b3704
SHA256 c22ea51a534169d3e2cbc391a502d2cf2e3d474be9ae2746250e595b55da7b92
SHA512 20bbc2b56896ead9048cb6e91e15aa5afe7a79fff38cf67f18000319210f304ad8a3d1221b2352d0818fa3200d9b1514942c3d10b422e13dc138eb1e3c9fb912
CRC32 C663A0F6
Ssdeep 6144:5Im/oNPVTirlST3mK80/+658U3u6TTpL7qV+9dUaRLMwtv42:5+VTxT3mKZ3mU3UV+vBMut
TrID None matched
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2440 triggered the Yara rule 'Emotet'
Possible date expiration check, exits too soon after checking local time
process: E1-20200214_114409.exe, PID 2440
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA (this entry is repeated 161 further times in the report; collapsed here)
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
File has been identified by 7 Antiviruses on VirusTotal as malicious
Invincea: heuristic
BitDefenderTheta: Gen:[email protected]
Endgame: malicious (high confidence)
APEX: Malicious
Microsoft: Trojan:Win32/Wacatac.C!ml
Webroot: W32.Trojan.Emotet
Qihoo-360: HEUR/QVM07.1.3E9B.Malware.Gen
CAPE extracted potentially suspicious content
E1-20200214_114409.exe: Emotet Payload
E1-20200214_114409.exe: Yara rule 'Emotet' (author: kevoreilly, cape_type: Emotet Payload, description: Emotet Payload), matched at snippet7, offset 2849 (0xB21):
{ 8B 48 18 C7 00 F8 A2 40 00 C7 40 24 F8 A2 40 00 C7 40 34 00 00 00 00 83 3C CD F8 A2 40 00 00 74 0E 41 89 48 18 83 3C CD F8 A2 40 00 00 75 F2 }
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\System32\osbaseln\osbaseln.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: osbaseln
service path: "C:\Windows\system32\osbaseln\osbaseln.exe"
Network activity detected but not expressed in API logs
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\System32\osbaseln\osbaseln.exe
Created a service that was not started
service: osbaseln
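The Signatures block above is the part of a CAPE report a responder usually has to turn into hunt artefacts by hand: the service name and path, the dropped copy, the Zone.Identifier stream that was removed, the direct IP, and the Yara rule that fired. The script below is an added example, not CAPE's own code and not part of this report; it parses that text layout into structured indicators and counts the DynamicLoader entries so that a symbol resolved hundreds of times (as CryptAcquireContextA is here) collapses into one row. SAMPLE_SIGNATURES is a constructed excerpt that copies the line shapes of this report's Signatures section, and the detail keys in DETAIL_RE and the dictionary field names are my own assumptions about the format.

```python
"""Turn a CAPE 'Signatures' block into structured triage indicators.

Added example: not CAPE's own code and not part of the report it illustrates.
SAMPLE_SIGNATURES is a constructed excerpt copying the report's line shapes;
the keys in DETAIL_RE and the field names below are assumptions about the format.
"""
import re
from collections import Counter

SAMPLE_SIGNATURES = r"""
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2440 triggered the Yara rule 'Emotet'
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: WINSPOOL.DRV/
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\System32\osbaseln\osbaseln.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: osbaseln
service path: "C:\Windows\system32\osbaseln\osbaseln.exe"
Creates a copy of itself
copy: C:\Windows\System32\osbaseln\osbaseln.exe
Created a service that was not started
service: osbaseln
"""

# A detail line under a signature title reads "<key>: <value>"; any line that
# does not match is taken as the title of the next signature.
DETAIL_RE = re.compile(
    r"^(DynamicLoader|service name|service path|service|process|copy|file|ip|Hit):\s*(.*)$"
)
YARA_HIT_RE = re.compile(r"the Yara rule '([^']+)'")


def parse_signatures(text):
    """Return (signatures, loader_counts): a list of
    {"title": str, "details": [(key, value), ...]} and a Counter of
    "DLL/export" strings taken from the DynamicLoader lines."""
    sigs, loaders = [], Counter()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip().strip('"')
            if key == "DynamicLoader":
                loaders[value] += 1
            else:
                current["details"].append((key, value))
        else:
            current = {"title": line, "details": []}
            sigs.append(current)
    return sigs, loaders


def extract_iocs(sigs):
    """Collapse parsed signatures into indicators to hunt for. Paths are
    lower-cased because NTFS is case-insensitive and the report itself mixes
    'System32' and 'system32' for the same directory."""
    iocs = {"ips": set(), "files": set(), "ads_removed": set(),
            "services": {}, "yara_rules": set()}
    for sig in sigs:
        service_name = None
        for key, value in sig["details"]:
            if key == "ip":
                iocs["ips"].add(value)
            elif key == "copy":
                iocs["files"].add(value.lower())
            elif key == "file" and value.endswith(":Zone.Identifier"):
                # Removing the Mark-of-the-Web stream implies the host file
                # was dropped too; record both.
                iocs["ads_removed"].add(value.lower())
                iocs["files"].add(value[: -len(":Zone.Identifier")].lower())
            elif key in ("service name", "service"):
                service_name = value
                iocs["services"].setdefault(value, None)
            elif key == "service path" and service_name:
                iocs["services"][service_name] = value.lower()
                iocs["files"].add(value.lower())
            elif key == "Hit":
                iocs["yara_rules"].update(YARA_HIT_RE.findall(value))
    return iocs


if __name__ == "__main__":
    sigs, loaders = parse_signatures(SAMPLE_SIGNATURES)
    print(f"{len(sigs)} signatures; most frequently resolved exports:")
    for export, n in loaders.most_common(3):
        print(f"  {n:4d}x {export}")
    for name, value in extract_iocs(sigs).items():
        print(name, sorted(value) if isinstance(value, set) else value)
```

Run against the full Signatures text of a report rather than the excerpt, the loader counter is what makes the CryptAcquireContextA pattern visible at a glance, and the `services` and `files` entries can be fed straight into a host query (service name, service image path, dropped file under System32) without re-reading the report.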

Screenshots


Hosts

Direct   IP        Country Name
Y        1.1.1.1   Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\
C:\Windows\System32\elemsidebar.exe
C:\Windows\System32\*
C:\Windows\
C:\Windows\System32\
C:\Windows\System32\osbaseln\
C:\Windows\System32\shell32.dll
C:\Windows\System32\osbaseln\osbaseln.exe
C:\Users
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Caches
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db
C:\Users\desktop.ini
C:\Users\Rebecca
C:\Users\Rebecca\AppData
C:\Users\Rebecca\AppData\Local
C:\Users\Rebecca\AppData\Local\Temp
C:\Windows
C:\Windows\System32
C:\Windows\System32\osbaseln
C:\Users\Rebecca\AppData\Local\Temp\E1-20200214_114409.exe
C:\Windows\System32\propsys.dll
\??\MountPointManager
C:\Windows\System32\en-US\SHELL32.dll.mui
C:\Users\Rebecca\AppData\Local\
C:\Windows\System32\osbaseln\osbaseln.exe:Zone.Identifier
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\Windows\System32\shell32.dll
C:\
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db
C:\Users\desktop.ini
C:\Users
C:\Users\Rebecca
C:\Users\Rebecca\AppData
C:\Users\Rebecca\AppData\Local
C:\Windows
C:\Windows\System32
C:\Users\Rebecca\AppData\Local\Temp
C:\Windows\System32\en-US\SHELL32.dll.mui
C:\Windows\System32\osbaseln\osbaseln.exe
C:\Windows\System32\elemsidebar.exe
C:\Users\Rebecca\AppData\Local\Temp\E1-20200214_114409.exe
C:\Windows\System32\osbaseln\osbaseln.exe:Zone.Identifier
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT\CLSID
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\8c65a894
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\E1-20200214_114409.exe
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_CLASSES_ROOT\.exe\OpenWithProgids
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice
HKEY_CLASSES_ROOT\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_CLASSES_ROOT\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\E1-20200214_114409.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\E1-20200214_114409.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MoveSecurityAttributes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\8c65a894
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MoveSecurityAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\8c65a894
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
kernel32.dll.IsProcessorFeaturePresent
advapi32.dll.CryptAcquireContextA
cryptsp.dll.CryptAcquireContextA
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#332
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
"C:\Windows\system32\osbaseln\osbaseln.exe"
Global\I8C65A894
Global\M8C65A894
osbaseln

BinGraph

PE Information

Image Base 0x00400000
Entry Point 0x00409ad0
Reported Checksum 0x0007d0e1
Actual Checksum 0x0007d0e1
Minimum OS Version 4.0
Compile Time 2020-02-14 11:44:09
Import Hash d7b6a8364d6238f5637a841656020e24
Icon
Icon Exact Hash 703767d4808df340e2b4fab05cf318fb
Icon Similarity Hash 815da8f87392cb72b01d721c0c02546d

Version Infos

LegalCopyright Copyright (C) 1998
InternalName AutoPan
FileVersion 1, 0, 0, 1
CompanyName
LegalTrademarks
ProductName AutoPan Application
ProductVersion 1, 0, 0, 1
FileDescription AutoPan MFC Application
OriginalFilename AutoPan.EXE
Translation 0x0409 0x04b0

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00044ac2 0x00045000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.55
.rdata 0x00046000 0x0000efe8 0x0000f000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.24
.data 0x00055000 0x00007708 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.59
.idata 0x0005d000 0x00002c92 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.45
.rsrc 0x00060000 0x00013ef0 0x00014000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.55
.reloc 0x00074000 0x0000a4ca 0x0000b000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.92

Resources

Name Offset Size Language Sub-language Entropy File type
VANCYKL 0x00061a98 0x00009f44 LANG_GERMAN SUBLANG_GERMAN 7.99 PGP\011Secret Key -
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_CURSOR 0x00070f88 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 data
RT_BITMAP 0x00070d08 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_BITMAP 0x00070d08 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_BITMAP 0x00070d08 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_BITMAP 0x00070d08 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_BITMAP 0x00070d08 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_BITMAP 0x00070d08 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_BITMAP 0x00070d08 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_BITMAP 0x00070d08 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_ICON 0x0006e988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.69 GLS_BINARY_LSB_FIRST
RT_ICON 0x0006e988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.69 GLS_BINARY_LSB_FIRST
RT_ICON 0x0006e988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.69 GLS_BINARY_LSB_FIRST
RT_ICON 0x0006e988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.69 GLS_BINARY_LSB_FIRST
RT_MENU 0x0006f8a8 0x000002f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 data
RT_MENU 0x0006f8a8 0x000002f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 data
RT_MENU 0x0006f8a8 0x000002f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 data
RT_MENU 0x0006f8a8 0x000002f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 data
RT_MENU 0x0006f8a8 0x000002f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 data
RT_MENU 0x0006f8a8 0x000002f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 data
RT_MENU 0x0006f8a8 0x000002f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 data
RT_DIALOG 0x00071188 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 3.13 data
RT_DIALOG 0x00071188 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 3.13 data
RT_DIALOG 0x00071188 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 3.13 data
RT_DIALOG 0x00071188 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 3.13 data
RT_DIALOG 0x00071188 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 3.13 data
RT_DIALOG 0x00071188 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 3.13 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_STRING 0x00073d98 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_ACCELERATOR 0x000712e8 0x00000018 LANG_ENGLISH SUBLANG_ENGLISH_US 2.18 data
RT_ACCELERATOR 0x000712e8 0x00000018 LANG_ENGLISH SUBLANG_ENGLISH_US 2.18 data
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR 0x00071040 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_ICON 0x0006eab0 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 data
RT_GROUP_ICON 0x0006eab0 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 data
RT_VERSION 0x0006ff00 0x000002f4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.36 data
None 0x0006ead8 0x00000020 LANG_ENGLISH SUBLANG_ENGLISH_US 3.00 data

Imports

Library KERNEL32.dll:
0x45d940 SetHandleCount
0x45d944 GetStdHandle
0x45d948 GetFileType
0x45d950 LCMapStringA
0x45d954 LCMapStringW
0x45d958 GetStringTypeA
0x45d95c GetStringTypeW
0x45d960 Sleep
0x45d964 IsBadReadPtr
0x45d96c SetStdHandle
0x45d970 CompareStringA
0x45d974 CompareStringW
0x45d97c IsBadWritePtr
0x45d980 GetProfileStringA
0x45d984 InterlockedExchange
0x45d988 VirtualAlloc
0x45d98c VirtualFree
0x45d990 HeapCreate
0x45d994 HeapDestroy
0x45d998 HeapSize
0x45d99c HeapReAlloc
0x45d9a0 GetACP
0x45d9a4 RaiseException
0x45d9a8 HeapAlloc
0x45d9ac TerminateProcess
0x45d9b0 GetCommandLineA
0x45d9b4 GetStartupInfoA
0x45d9b8 HeapFree
0x45d9bc RtlUnwind
0x45d9c0 GetLocalTime
0x45d9c4 GetSystemTime
0x45d9cc lstrcpyW
0x45d9d8 SetErrorMode
0x45d9dc CopyFileA
0x45d9e0 GlobalSize
0x45d9ec GetFileSize
0x45d9f0 GetShortPathNameA
0x45d9f4 GetThreadLocale
0x45d9f8 GetStringTypeExA
0x45da00 FindFirstFileA
0x45da04 FindClose
0x45da08 DeleteFileA
0x45da0c MoveFileA
0x45da10 SetEndOfFile
0x45da14 UnlockFile
0x45da18 LockFile
0x45da1c FlushFileBuffers
0x45da20 SetFilePointer
0x45da24 WriteFile
0x45da28 ReadFile
0x45da2c CreateFileA
0x45da30 GetCurrentProcess
0x45da34 DuplicateHandle
0x45da38 GetOEMCP
0x45da3c GetCPInfo
0x45da40 GetProcessVersion
0x45da48 TlsGetValue
0x45da4c LocalReAlloc
0x45da50 TlsSetValue
0x45da58 GlobalReAlloc
0x45da60 TlsFree
0x45da64 GlobalHandle
0x45da6c TlsAlloc
0x45da74 SizeofResource
0x45da78 GlobalFlags
0x45da7c lstrlenW
0x45da80 SetLastError
0x45da84 FormatMessageA
0x45da88 WideCharToMultiByte
0x45da94 LocalAlloc
0x45da98 LocalLock
0x45da9c LocalUnlock
0x45daa0 LocalFree
0x45daa4 MultiByteToWideChar
0x45daa8 GetLastError
0x45daac GetDiskFreeSpaceA
0x45dab0 GetFileTime
0x45dab4 SetFileTime
0x45dab8 GetFullPathNameA
0x45dabc GetTempFileNameA
0x45dac0 lstrcpynA
0x45dac4 GetFileAttributesA
0x45dac8 lstrlenA
0x45dad8 LoadLibraryA
0x45dadc FreeLibrary
0x45dae0 GetVersion
0x45dae4 lstrcatA
0x45dae8 GlobalGetAtomNameA
0x45daec GlobalFindAtomA
0x45daf0 lstrcpyA
0x45daf4 GetModuleHandleA
0x45daf8 GlobalAddAtomA
0x45dafc CloseHandle
0x45db00 GetModuleFileNameA
0x45db04 GlobalAlloc
0x45db08 GlobalDeleteAtom
0x45db0c lstrcmpiA
0x45db10 GetCurrentThread
0x45db14 GetCurrentThreadId
0x45db18 GlobalLock
0x45db1c GlobalUnlock
0x45db20 GlobalFree
0x45db24 LockResource
0x45db28 FindResourceA
0x45db2c LoadResource
0x45db30 MulDiv
0x45db34 lstrcmpA
0x45db38 ExitProcess
0x45db3c LoadLibraryW
0x45db40 IsBadCodePtr
0x45db44 GetProcAddress
Library USER32.dll:
0x45db64 InvertRect
0x45db68 GetDCEx
0x45db6c LockWindowUpdate
0x45db70 RemoveMenu
0x45db7c InvalidateRect
0x45db80 FindWindowA
0x45db84 DestroyMenu
0x45db88 LoadMenuA
0x45db8c LoadAcceleratorsA
0x45db90 LoadIconA
0x45db94 MapWindowPoints
0x45db98 AdjustWindowRectEx
0x45db9c ScreenToClient
0x45dba0 EqualRect
0x45dba4 DeferWindowPos
0x45dba8 BeginDeferWindowPos
0x45dbac CopyRect
0x45dbb0 EndDeferWindowPos
0x45dbb4 ScrollWindow
0x45dbb8 GetScrollInfo
0x45dbbc SetScrollInfo
0x45dbc0 ShowScrollBar
0x45dbc4 GetScrollRange
0x45dbc8 SetScrollRange
0x45dbcc GetScrollPos
0x45dbd0 SetScrollPos
0x45dbd4 GetTopWindow
0x45dbd8 IsChild
0x45dbdc GetCapture
0x45dbe0 WinHelpA
0x45dbe4 wsprintfA
0x45dbe8 GetClassInfoA
0x45dbec RegisterClassA
0x45dbf0 GetMenuItemCount
0x45dbf4 GetSubMenu
0x45dbf8 GetMenuItemID
0x45dbfc DefWindowProcA
0x45dc00 CreateWindowExA
0x45dc04 GetClassLongA
0x45dc08 SetPropA
0x45dc0c UnhookWindowsHookEx
0x45dc10 GetPropA
0x45dc14 CallWindowProcA
0x45dc18 RemovePropA
0x45dc1c GetMessageTime
0x45dc20 GetMessagePos
0x45dc24 GetForegroundWindow
0x45dc28 SetForegroundWindow
0x45dc2c IntersectRect
0x45dc34 IsIconic
0x45dc38 GetWindowPlacement
0x45dc3c GetWindowRect
0x45dc40 SetFocus
0x45dc44 ShowWindow
0x45dc48 SetWindowPos
0x45dc4c MoveWindow
0x45dc50 CharUpperA
0x45dc54 GetDlgCtrlID
0x45dc5c GetWindowTextA
0x45dc60 SetWindowTextA
0x45dc64 SetDlgItemTextA
0x45dc68 SendDlgItemMessageA
0x45dc70 ModifyMenuA
0x45dc74 SetMenuItemBitmaps
0x45dc78 EnableMenuItem
0x45dc7c GetFocus
0x45dc80 GetMessageA
0x45dc84 TranslateMessage
0x45dc88 DispatchMessageA
0x45dc8c CallNextHookEx
0x45dc90 ValidateRect
0x45dc94 IsWindowVisible
0x45dc98 PeekMessageA
0x45dc9c SetWindowsHookExA
0x45dca0 GetLastActivePopup
0x45dca4 MessageBoxA
0x45dca8 ShowOwnedPopups
0x45dcac PostMessageA
0x45dcb0 PostQuitMessage
0x45dcb4 GetNextDlgTabItem
0x45dcb8 EndDialog
0x45dcbc GetActiveWindow
0x45dcc0 SetActiveWindow
0x45dcc4 GetSystemMetrics
0x45dccc DestroyWindow
0x45dcd0 GetWindowLongA
0x45dcd4 GetDlgItem
0x45dcd8 GetMenuStringW
0x45dcdc UnregisterClassA
0x45dce0 HideCaret
0x45dce4 ShowCaret
0x45dce8 ExcludeUpdateRgn
0x45dcec DrawFocusRect
0x45dcf0 DefDlgProcA
0x45dcf4 CharNextA
0x45dcf8 IsWindowUnicode
0x45dcfc UpdateWindow
0x45dd00 EnableWindow
0x45dd04 SetParent
0x45dd0c GrayStringA
0x45dd10 IsWindowEnabled
0x45dd14 GetMenu
0x45dd18 GetMenuState
0x45dd1c CheckMenuItem
0x45dd20 WindowFromPoint
0x45dd24 LoadBitmapA
0x45dd28 LoadCursorA
0x45dd2c ClientToScreen
0x45dd30 ReleaseCapture
0x45dd34 KillTimer
0x45dd38 SetCursor
0x45dd3c GetClientRect
0x45dd40 IsWindow
0x45dd44 OffsetRect
0x45dd48 GetCursorPos
0x45dd4c DestroyIcon
0x45dd50 LoadStringA
0x45dd54 GetSysColorBrush
0x45dd58 GetMenuStringA
0x45dd5c SetWindowLongA
0x45dd60 InsertMenuA
0x45dd64 SetWindowRgn
0x45dd68 SetCapture
0x45dd6c SetTimer
0x45dd70 GetWindow
0x45dd74 GetParent
0x45dd78 GetClassNameA
0x45dd80 GetSysColor
0x45dd84 SendMessageA
0x45dd88 GetKeyState
0x45dd8c InflateRect
0x45dd90 DrawTextA
0x45dd94 TabbedTextOutA
0x45dd98 EndPaint
0x45dd9c BeginPaint
0x45dda0 GetWindowDC
0x45dda4 GetSystemMenu
0x45dda8 DeleteMenu
0x45ddac AppendMenuA
0x45ddb0 FillRect
0x45ddb4 PtInRect
0x45ddb8 IsZoomed
0x45ddbc MessageBeep
0x45ddc4 SetRect
0x45ddcc UnpackDDElParam
0x45ddd0 ReuseDDElParam
0x45ddd4 SetMenu
0x45ddd8 GetDesktopWindow
0x45dddc SetRectEmpty
0x45dde0 RedrawWindow
0x45dde4 DefMDIChildProcA
0x45dde8 DrawMenuBar
0x45ddf4 DefFrameProcA
0x45ddf8 BringWindowToTop
0x45ddfc GetDC
0x45de00 ReleaseDC
0x45de04 IsDialogMessageA
0x45de08 IsRectEmpty
Library GDI32.dll:
0x45d838 SelectObject
0x45d83c DeleteDC
0x45d840 StretchDIBits
0x45d848 CreateFontA
0x45d84c StartDocA
0x45d850 SaveDC
0x45d854 RestoreDC
0x45d858 SetBkMode
0x45d85c SetMapMode
0x45d860 SetViewportOrgEx
0x45d864 OffsetViewportOrgEx
0x45d868 SetViewportExtEx
0x45d86c ScaleViewportExtEx
0x45d870 SetWindowExtEx
0x45d874 ScaleWindowExtEx
0x45d878 SelectClipRgn
0x45d87c ExcludeClipRect
0x45d880 IntersectClipRect
0x45d884 SetTextAlign
0x45d888 GetCharWidthA
0x45d88c GetViewportExtEx
0x45d890 GetWindowExtEx
0x45d894 CreateSolidBrush
0x45d898 PtVisible
0x45d89c RectVisible
0x45d8a0 TextOutA
0x45d8a4 Escape
0x45d8a8 CreateDCA
0x45d8ac AbortDoc
0x45d8b0 EndDoc
0x45d8b4 EndPage
0x45d8b8 StartPage
0x45d8bc SetAbortProc
0x45d8c0 CopyMetaFileA
0x45d8c4 GetStockObject
0x45d8c8 GetTextMetricsA
0x45d8cc CreateFontIndirectA
0x45d8d0 ExtTextOutA
0x45d8d8 CreateRectRgn
0x45d8dc CombineRgn
0x45d8e0 SetRectRgn
0x45d8e4 PatBlt
0x45d8e8 CreatePatternBrush
0x45d8ec DeleteObject
0x45d8f0 GetMapMode
0x45d8f4 GetDeviceCaps
0x45d8f8 DPtoLP
0x45d8fc SetBkColor
0x45d900 SetTextColor
0x45d904 GetClipBox
0x45d908 CreateBitmap
0x45d90c CreateCompatibleDC
0x45d910 BitBlt
0x45d914 GetRgnBox
0x45d918 GetObjectA
0x45d91c CreateEllipticRgn
0x45d920 CreateDIBitmap
0x45d924 GetTextExtentPointA
0x45d928 LPtoDP
Library comdlg32.dll:
0x45de20 GetSaveFileNameA
0x45de24 ChooseFontA
0x45de28 FindTextA
0x45de2c ReplaceTextA
0x45de30 GetFileTitleA
0x45de34 PrintDlgA
0x45de3c GetOpenFileNameA
Library WINSPOOL.DRV:
0x45de10 DocumentPropertiesA
0x45de14 OpenPrinterA
0x45de18 ClosePrinter
Library ADVAPI32.dll:
0x45d7e4 RegCreateKeyA
0x45d7e8 RegCloseKey
0x45d7ec RegEnumKeyA
0x45d7f0 RegOpenKeyA
0x45d7f4 RegDeleteKeyA
0x45d7f8 RegCreateKeyExA
0x45d7fc RegOpenKeyExA
0x45d800 RegQueryValueExA
0x45d804 RegSetValueExA
0x45d808 RegDeleteValueA
0x45d80c RegSetValueA
0x45d810 RegQueryValueA
0x45d814 GetFileSecurityA
0x45d818 SetFileSecurityA
Library SHELL32.dll:
0x45db4c ExtractIconA
0x45db50 DragQueryFileA
0x45db54 DragFinish
0x45db58 DragAcceptFiles
0x45db5c SHGetFileInfoA
Library COMCTL32.dll:
0x45d824 None
0x45d828 ImageList_Destroy
Library oledlg.dll:
0x45dedc None
0x45dee0 None
0x45dee4 None
Library ole32.dll:
0x45de44 OleDuplicateData
0x45de48 SetConvertStg
0x45de4c WriteFmtUserTypeStg
0x45de50 WriteClassStg
0x45de54 CoTreatAsClass
0x45de58 OleGetClipboard
0x45de60 ReadClassStg
0x45de6c OleSave
0x45de70 OleLoad
0x45de74 OleCreate
0x45de78 OleCreateLinkToFile
0x45de7c OleCreateFromFile
0x45de88 OleCreateFromData
0x45de90 StringFromCLSID
0x45de94 OleLockRunning
0x45de98 CreateFileMoniker
0x45de9c CoDisconnectObject
0x45dea0 OleRegGetUserType
0x45dea4 CoTaskMemFree
0x45dea8 ReleaseStgMedium
0x45deac ReadFmtUserTypeStg
0x45deb0 CoTaskMemAlloc
0x45deb4 CreateBindCtx
0x45debc CreateItemMoniker
0x45dec4 WriteClassStm
0x45dec8 OleSaveToStream
0x45decc OleGetIconOfClass

.text
`.rdata
@.data
.idata
.rsrc
@.reloc
CDialog
MS Sans Serif
MS Shell Dlg
CWinApp
PreviewPages
Settings
File%d
Recent File List
Automation
Embedding
Unregserver
Unregister
CWinThread
CCmdTarget
Software\
system
CTempWnd
AfxOldWndProc423
AfxWnd42s
AfxControlBar42s
AfxMDIFrame42s
AfxFrameOrView42s
AfxOleControl42s
GetMonitorInfoA
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
USER32
DISPLAY
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
InitCommonControlsEx
COMCTL32.DLL
CMultiDocTemplate
software
CDocument
#%;/\
ReplaceFile
KERNEL32
CScrollView
MouseZ
Magellan MSWHEEL
WheelScrollLines
Control Panel\Desktop
MSH_SCROLL_LINES_MSG
CCtrlView
CSplitterWnd
CMDIChildWnd
CMDIFrameWnd
mdiclient
CControlBar
CView
CFrameWnd
MSWHEEL_ROLLMSG
CEditView
commdlg_FindReplace
CFormView
CTreeView
CListView
CTempImageList
CImageList
ToolbarWindow32
msctls_statusbar32
CStatusBar
CToolBar
DllGetVersion
Marlett
CMiniDockFrameWnd
CDockBar
CTempGdiObject
CTempDC
CBitmap
CBrush
CGdiObject
CPaintDC
CWindowDC
CClientDC
CUserException
CResourceException
GetLayout
GDI32.DLL
SetLayout
RICHED32.DLL
CObject
CRichEditView
CRichEditDoc
CRichEditCntrItem
CDWordArray
CTempMenu
CMenu
combobox
CNotSupportedException
CMemoryException
CException
System
CPrintDialog
CMapPtrToPtr
CDocManager
NullFile
[printto("%1","%2","%3","%4")]
[print("%1")]
[open("%1")]
ddeexec
/dde
/pt "%1" "%2" "%3" "%4"
/p "%1"
"%1"
command
%s\ShellNew
%s\DefaultIcon
%s\shell\printto\%s
%s\shell\print\%s
%s\shell\open\%s
[printto("
[print("
[open("
CDocTemplate
CPtrList
CFile
DllGetClassObject
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
InProcServer32
CLSID
CFileException
CArchiveException
CUIntArray
CFindReplaceDialog
CMapStringToPtr
CMiniFrameWnd
Small Fonts
Terminal
CPtrArray
CToolTipCtrl
tooltips_class32
COleServerDoc
COleClientItem
COleDocument
CDocItem
COleLinkingDoc
Embedding %lu
COlePasteSpecialDialog
COleInsertDialog
COleException
COlePropertiesDialog
CFontDialog
RichEdit Text and Objects
Rich Text Format
FileNameW
FileName
Link Source Descriptor
Object Descriptor
Link Source
Embed Source
Embedded Object
ObjectLink
OwnerLink
Native
commdlg_SetRGBColor
commdlg_help
commdlg_ColorOK
commdlg_FileNameOK
commdlg_ShareViolation
commdlg_LBSelChangedNotify
CFileDialog
CObList
COleStreamFile
COleDialog
windows
DragMinDist
DragDelay
CSharedFile
COleDocObjectItem
%2\CLSID
%2\Insertable
%2\protocol\StdFileEditing\verb\0
&Edit
%2\protocol\StdFileEditing\server
CLSID\%1
CLSID\%1\ProgID
CLSID\%1\InprocHandler32
ole32.dll
CLSID\%1\LocalServer32
CLSID\%1\Verb\0
&Edit,0,2
CLSID\%1\Verb\1
&Open,0,2
CLSID\%1\Insertable
CLSID\%1\AuxUserType\2
CLSID\%1\AuxUserType\3
CLSID\%1\DefaultIcon
%3,%7
CLSID\%1\MiscStatus
CLSID\%1\InProcServer32
CLSID\%1\DocObject
%2\DocObject
CLSID\%1\Printable
CLSID\%1\DefaultExtension
%9, %8
CMemFile
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
GAIsProcessorFeaturePresent
e+000
runtime error
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
`h````
(null)
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
frexp
_hypot
_cabs
ldexp
floor
atan2
log10
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
1#QNAN
1#INF
1#IND
1#SNAN
ios::eofbit set
ios::failbit set
ios::badbit set
string too long
invalid string position
Button
ListBox
ComboBox
Static
ComboLBox
Unknown exception
CryptAcquireContextA
Local AppWizard-Generated Applications
VANCYKL
CAutoPanDoc
CAutoPanView
CChildFrame
CEditExampleView
CFormExampleView
CListExampleView
SysListView32
Item %d.%d
Column %d
CMainFrame
rjf_OriginWindowUpdate
ListBox
RICHEDIT
SysTreeView32
msctls_updown32
ComboBox
This is just a small test for Combo/List-Boxes %d and the Text continues a little bit...
CRichEditExampleView
Arial
CTreeExampleView
Child of Child
Child of Parent
Parent Item
Grand Parent Item
hangeul
kanji
english
roman
hangeulmenu
kanjimenu
windows
C3dHNew
C3dLNew
C3dNew
#32770
DisableThreadLibraryCalls
KERNEL32.DLL
GetProcAddress
LoadLibraryW
ExitProcess
lstrcmpA
MulDiv
LoadResource
FindResourceA
LockResource
GlobalFree
GlobalUnlock
GlobalLock
GetCurrentThreadId
GetCurrentThread
lstrcmpiA
GlobalDeleteAtom
GlobalAlloc
GetModuleFileNameA
CloseHandle
GlobalAddAtomA
GetModuleHandleA
lstrcpyA
GlobalFindAtomA
GlobalGetAtomNameA
lstrcatA
GetVersion
FreeLibrary
LoadLibraryA
GetPrivateProfileIntA
GetPrivateProfileStringA
WritePrivateProfileStringA
lstrlenA
GetFileAttributesA
lstrcpynA
GetTempFileNameA
GetFullPathNameA
SetFileTime
GetFileTime
GetDiskFreeSpaceA
GetLastError
MultiByteToWideChar
LocalFree
LocalUnlock
LocalLock
LocalAlloc
InterlockedIncrement
InterlockedDecrement
WideCharToMultiByte
FormatMessageA
SetLastError
lstrlenW
GlobalFlags
SizeofResource
InitializeCriticalSection
TlsAlloc
DeleteCriticalSection
GlobalHandle
TlsFree
LeaveCriticalSection
GlobalReAlloc
EnterCriticalSection
TlsSetValue
LocalReAlloc
TlsGetValue
GetCurrentDirectoryA
GetProcessVersion
GetCPInfo
GetOEMCP
DuplicateHandle
GetCurrentProcess
CreateFileA
ReadFile
WriteFile
SetFilePointer
FlushFileBuffers
LockFile
UnlockFile
SetEndOfFile
MoveFileA
DeleteFileA
FindClose
FindFirstFileA
GetVolumeInformationA
GetStringTypeExA
GetThreadLocale
GetShortPathNameA
GetFileSize
LocalFileTimeToFileTime
SystemTimeToFileTime
GlobalSize
CopyFileA
SetErrorMode
FileTimeToSystemTime
FileTimeToLocalFileTime
lstrcpyW
GetTimeZoneInformation
GetSystemTime
GetLocalTime
RtlUnwind
HeapFree
GetStartupInfoA
GetCommandLineA
TerminateProcess
HeapAlloc
RaiseException
GetACP
HeapReAlloc
HeapSize
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
SetUnhandledExceptionFilter
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
Sleep
IsBadReadPtr
IsBadCodePtr
SetStdHandle
CompareStringA
CompareStringW
SetEnvironmentVariableA
KERNEL32.dll
GetMenuStringW
UpdateWindow
EnableWindow
InflateRect
GetKeyState
SendMessageA
GetSysColor
RegisterWindowMessageA
GetClassNameA
GetParent
GetWindow
SetTimer
SetCapture
SetWindowRgn
GetCursorPos
OffsetRect
IsWindow
GetClientRect
SetCursor
KillTimer
ReleaseCapture
ClientToScreen
LoadCursorA
LoadBitmapA
WindowFromPoint
CheckMenuItem
GetMenuState
GetMenu
IsWindowEnabled
GetDlgItem
GetWindowLongA
DestroyWindow
CreateDialogIndirectParamA
GetSystemMetrics
SetActiveWindow
GetActiveWindow
EndDialog
GetNextDlgTabItem
PostQuitMessage
PostMessageA
ShowOwnedPopups
MessageBoxA
GetLastActivePopup
SetWindowsHookExA
PeekMessageA
IsWindowVisible
ValidateRect
CallNextHookEx
DispatchMessageA
TranslateMessage
GetMessageA
GetFocus
EnableMenuItem
SetMenuItemBitmaps
ModifyMenuA
GetMenuCheckMarkDimensions
SendDlgItemMessageA
SetDlgItemTextA
IsDialogMessageA
SetWindowTextA
GetWindowTextA
GetWindowTextLengthA
GetDlgCtrlID
SetWindowLongA
MoveWindow
SetWindowPos
ShowWindow
SetFocus
GetWindowRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
IntersectRect
SetForegroundWindow
GetForegroundWindow
GetMessagePos
GetMessageTime
RemovePropA
CallWindowProcA
GetPropA
UnhookWindowsHookEx
SetPropA
GetClassLongA
CreateWindowExA
DefWindowProcA
GetMenuItemID
GetSubMenu
GetMenuItemCount
RegisterClassA
GetClassInfoA
wsprintfA
WinHelpA
GetCapture
IsChild
GetTopWindow
SetScrollPos
GetScrollPos
SetScrollRange
GetScrollRange
ShowScrollBar
SetScrollInfo
GetScrollInfo
ScrollWindow
EndDeferWindowPos
CopyRect
BeginDeferWindowPos
DeferWindowPos
EqualRect
ScreenToClient
AdjustWindowRectEx
MapWindowPoints
LoadIconA
LoadAcceleratorsA
LoadMenuA
DestroyMenu
FindWindowA
InvalidateRect
FillRect
IsRectEmpty
ReleaseDC
GetDC
BringWindowToTop
DefFrameProcA
TranslateMDISysAccel
TranslateAcceleratorA
DrawMenuBar
DefMDIChildProcA
RedrawWindow
SetRectEmpty
GetDesktopWindow
SetMenu
ReuseDDElParam
UnpackDDElParam
GetTabbedTextExtentA
SetRect
IsClipboardFormatAvailable
MessageBeep
IsZoomed
PtInRect
SetParent
AppendMenuA
DeleteMenu
GetSystemMenu
GetWindowDC
BeginPaint
EndPaint
TabbedTextOutA
DrawTextA
GrayStringA
CountClipboardFormats
InsertMenuA
GetMenuStringA
GetSysColorBrush
LoadStringA
DestroyIcon
CharUpperA
InvertRect
GetDCEx
LockWindowUpdate
RemoveMenu
RegisterClipboardFormatA
CopyAcceleratorTableA
USER32.dll
LPtoDP
CreateEllipticRgn
GetObjectA
GetRgnBox
BitBlt
CreateCompatibleDC
CreateBitmap
GetClipBox
SetTextColor
SetBkColor
DPtoLP
GetDeviceCaps
GetMapMode
DeleteObject
CreatePatternBrush
PatBlt
SetRectRgn
CombineRgn
CreateRectRgn
CreateRectRgnIndirect
ExtTextOutA
CreateFontIndirectA
GetTextMetricsA
GetStockObject
GetCharWidthA
GetTextExtentPoint32A
SelectObject
DeleteDC
StretchDIBits
CreateCompatibleBitmap
CreateFontA
StartDocA
SaveDC
RestoreDC
SetBkMode
SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
SelectClipRgn
ExcludeClipRect
IntersectClipRect
SetTextAlign
GetViewportExtEx
GetWindowExtEx
CreateSolidBrush
PtVisible
RectVisible
TextOutA
Escape
CreateDCA
AbortDoc
EndDoc
EndPage
StartPage
SetAbortProc
CopyMetaFileA
GDI32.dll
CommDlgExtendedError
PrintDlgA
GetFileTitleA
ReplaceTextA
FindTextA
ChooseFontA
GetSaveFileNameA
GetOpenFileNameA
comdlg32.dll
ClosePrinter
DocumentPropertiesA
OpenPrinterA
WINSPOOL.DRV
RegQueryValueA
RegCloseKey
RegEnumKeyA
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RegDeleteValueA
SetFileSecurityA
GetFileSecurityA
RegCreateKeyA
RegSetValueA
ADVAPI32.dll
DragAcceptFiles
DragFinish
DragQueryFileA
ExtractIconA
SHGetFileInfoA
SHELL32.dll
ImageList_SetBkColor
ImageList_Destroy
ImageList_LoadImageA
COMCTL32.dll
oledlg.dll
ReleaseStgMedium
CoTaskMemFree
OleRegGetUserType
CoDisconnectObject
CreateFileMoniker
OleLockRunning
StringFromCLSID
OleSetContainedObject
OleCreateFromData
OleCreateLinkFromData
OleCreateStaticFromData
OleCreateFromFile
OleCreateLinkToFile
OleCreate
OleLoad
OleSave
StgCreateDocfileOnILockBytes
CreateILockBytesOnHGlobal
StgOpenStorageOnILockBytes
GetHGlobalFromILockBytes
OleGetIconOfClass
WriteClassStm
OleSaveToStream
CreateStreamOnHGlobal
CreateItemMoniker
CreateGenericComposite
CreateBindCtx
CoTaskMemAlloc
ReadFmtUserTypeStg
ReadClassStg
OleDuplicateData
SetConvertStg
WriteFmtUserTypeStg
WriteClassStg
CoTreatAsClass
OleGetClipboard
OleSetMenuDescriptor
ole32.dll
OLEAUT32.dll
InterlockedExchange
GetProfileStringA
IsWindowUnicode
CharNextA
DefDlgProcA
DrawFocusRect
ExcludeUpdateRgn
ShowCaret
HideCaret
UnregisterClassA
GetTextExtentPointA
CreateDIBitmap
TgVSl
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwtGwwwwwwwwwwwwwwwtDDDDw
wwwwp
wwwwp
wwGtwDwwwwwtDDDDw
33330wp3
wwtDtwGwp
wwDDDDDDGwwwwwww
p0wwww
wwwww
wwwwwwwwwwwwwww
wwwwwww
wwwwwp
DDDDDDD
8P8i8
==?B?
>#>_>
?Q?W?
?/?v?
>"?j?
=8=X=
(null)
?M~d7k9rpsP9P5dRD~*NYI|[email protected]*e*rv8xCeZgjAD
FGDSFgsdfsgdCDDSASASS
ADVAPI32.DLL
LKERNEL32.DLL
VANCYKL(
Auto-Panning in a Dialog Box!
MS Sans Serif
msctls_updown32
Spin1
About AutoPan
MS Sans Serif
AutoPan Version 1.0
Copyright (C) 1998
MS Sans Serif
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
Button1
&File
Ctrl+N
Ctrl+D
Ctrl+O
P&rint Setup...
Recent File
E&xit
&View
&Toolbar
&Status Bar
&Help
&About AutoPan...
&File
Ctrl+N
Ctrl+D
Ctrl+O
&Close
Ctrl+S
Save &As...
Ctrl+P
Print Pre&view
P&rint Setup...
Recent File
E&xit
&Edit
Ctrl+Z
Ctrl+X
Ctrl+C
Ctrl+V
&View
&Toolbar
&Status Bar
&Window
&New Window
&Cascade
&Tile
&Arrange Icons
&Help
&About AutoPan...
&File
Ctrl+N
Ctrl+D
Ctrl+O
&Close
Ctrl+S
Save &As...
Ctrl+P
Print Pre&view
P&rint Setup...
Recent File
E&xit
&Edit
Ctrl+Z
Ctrl+X
Ctrl+C
Ctrl+V
&View
&Toolbar
&Status Bar
&Window
&New Window
&Cascade
&Tile
&Arrange Icons
&Help
&About AutoPan...
&File
Ctrl+N
Ctrl+D
Ctrl+O
&Close
Ctrl+S
Save &As...
Ctrl+P
Print Pre&view
P&rint Setup...
Recent File
E&xit
&Edit
Ctrl+Z
Ctrl+X
Ctrl+C
Ctrl+V
&View
&Toolbar
&Status Bar
&Icon
&Small Icon
&List
&Report
&Window
&New Window
&Cascade
&Tile
&Arrange Icons
&Help
&About AutoPan...
&File
Ctrl+N
Ctrl+D
Ctrl+O
&Close
Ctrl+S
Save &As...
Ctrl+P
Print Pre&view
P&rint Setup...
Recent File
E&xit
&Edit
Ctrl+Z
Ctrl+X
Ctrl+C
Ctrl+V
&View
&Toolbar
&Status Bar
&Horizontal Scrollbar
&Window
&New Window
&Cascade
&Tile
&Arrange Icons
&Help
&About AutoPan...
&File
Ctrl+N
Ctrl+D
Ctrl+O
&Close
Ctrl+S
Save &As...
Ctrl+P
Print Pre&view
P&rint Setup...
Recent File
E&xit
&Edit
Ctrl+Z
Ctrl+X
Ctrl+C
Ctrl+V
&View
&Toolbar
&Status Bar
&Window
&New Window
&Cascade
&Tile
&Arrange Icons
&Help
&About AutoPan...
&File
Ctrl+N
Ctrl+D
Ctrl+O
&Close
Ctrl+S
Save &As...
Ctrl+P
Print Pre&view
P&rint Setup...
Recent File
E&xit
&Edit
Ctrl+Z
Ctrl+X
Ctrl+C
Ctrl+V
&View
&Toolbar
&Status Bar
&Window
&New Window
&Cascade
&Tile
&Arrange Icons
&Help
&About AutoPan...
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
FileDescription
AutoPan MFC Application
FileVersion
1, 0, 0, 1
InternalName
AutoPan
LegalCopyright
Copyright (C) 1998
LegalTrademarks
OriginalFilename
AutoPan.EXE
ProductName
AutoPan Application
ProductVersion
1, 0, 0, 1
VarFileInfo
Translation
MS Shell Dlg
&New
Cancel
&Help
MS Shell Dlg
Printing
on the
Cancel
MS Shell Dlg
&Print...
&Next Page
Pre&v Page
Zoom &In
Zoom &Out
&Close
AutoPan Document
AutoPan Document
Ready
Print
Print Preview
Previous Pane
Split
Paste
Toggle StatusBar
Enlarge the window to full size"Switch to the next document window&Switch to the previous document window9Close the active window and prompts to save the documents
Activate Task List
Activate this window
Untitled
an unnamed file
Dialog
Show Horizontal Scrollbar
&Hide
An unknown error has occurred.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
#Unable to read write-only property.#Unable to write read-only property.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Please enter a currency.
Disk full while accessing %1..An attempt was made to access %1 past its end.
%1 has a bad format."%1 contained an unexpected object. %1 contains an incorrect schema.
Mail system DLL is invalid.!Send Mail failed to send message.
pixels
to %1
VirusTotal Signature
Bkav Clean
DrWeb Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Cylance Clean
Zillya Clean
AegisLab Clean
Sangfor Clean
CrowdStrike Clean
BitDefender Clean
K7GW Clean
K7AntiVirus Clean
TrendMicro Clean
BitDefenderTheta Gen:[email protected]
Cyren Clean
Symantec Clean
ESET-NOD32 Clean
Zoner Clean
TrendMicro-HouseCall Clean
Paloalto Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
NANO-Antivirus Clean
ViRobot Clean
Tencent Clean
Endgame malicious (high confidence)
Emsisoft Clean
Comodo Clean
F-Secure Clean
Baidu Clean
VIPRE Clean
Invincea heuristic
McAfee-GW-Edition Clean
Trapmine Clean
FireEye Clean
Sophos Clean
Ikarus Clean
F-Prot Clean
Jiangmin Clean
eGambit Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Trojan:Win32/Wacatac.C!ml
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Avast-Mobile Clean
GData Clean
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Clean
MAX Clean
Ad-Aware Clean
Panda Clean
APEX Malicious
Rising Clean
Yandex Clean
SentinelOne Clean
MaxSecure Clean
Fortinet Clean
Webroot W32.Trojan.Emotet
AVG Clean
Cybereason Clean
Avast Clean
Qihoo-360 HEUR/QVM07.1.3E9B.Malware.Gen

Process Tree
E1-20200214_114409.exe, PID: 2440, Parent PID: 2280
Full Path: C:\Users\Rebecca\AppData\Local\Temp\E1-20200214_114409.exe
Command Line: "C:\Users\Rebecca\AppData\Local\Temp\E1-20200214_114409.exe"

Hosts

Direct  IP       Country Name
Y       1.1.1.1  Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.2 51142 1.1.1.1 53
192.168.1.2 51584 1.1.1.1 53
192.168.1.2 51997 1.1.1.1 53
192.168.1.2 64163 1.1.1.1 53
192.168.1.2 138 192.168.1.255 138

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

Timestamp                Source IP    Source Port  Destination IP  Destination Port  Subject       Issuer  Fingerprint                                                   Version
2020-02-14 15:10:55.627  192.168.1.2  49163        192.0.2.123     443               CN=localhost          a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e  TLS 1.2

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No Suricata extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.2 49163 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown

Dropped Files

File name osbaseln.exe
Associated Filenames
C:\Windows\System32\osbaseln\osbaseln.exe
File Size 499712 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1e25d09b70fe0a9433a5f5c939ae1474
SHA1 515f34b30df2293716247d92e5b76f5b820b3704
SHA256 c22ea51a534169d3e2cbc391a502d2cf2e3d474be9ae2746250e595b55da7b92
CRC32 C663A0F6
Ssdeep 6144:5Im/oNPVTirlST3mK80/+658U3u6TTpL7qV+9dUaRLMwtv42:5+VTxT3mKZ3mU3UV+vBMut
ClamAV None
Yara None matched
CAPE Yara None matched
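The dropped file is the one persistence artefact this report surfaces: the sample, running out of the user's Temp directory, wrote an executable named osbaseln.exe into a System32 subdirectory of the same name (osbaseln\osbaseln.exe). A directory stem that equals the executable stem is cheap to check and rare for legitimate System32 content. The Python below is an added example, not CAPE code, that applies that heuristic to Sysmon Event ID 11 (FileCreate) records. The three records are constructed: the first reproduces the Image and TargetFilename from this report, the other two are benign look-alikes that must not fire.

```python
"""Flag Emotet-style self-named installs under System32 (added example, not CAPE code)."""
import re

# Constructed Sysmon Event ID 11 (FileCreate) records, reduced to the two
# fields the check needs.  The first mirrors this report's dropped file;
# the other two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Rebecca\\AppData\\Local\\Temp\\E1-20200214_114409.exe",
     "TargetFilename": "C:\\Windows\\System32\\osbaseln\\osbaseln.exe"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetFilename": "C:\\Windows\\System32\\vendor\\helper.exe"},
]

# <drive>:\windows\system32\<stem>\<stem>.exe  (paths are lower-cased before
# matching, so the backreference compares case-insensitively without re.I)
SELF_NAMED_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)\\\1\.exe$")
# Writer process running from a user's Temp directory.
USER_TEMP_IMAGE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\")
SYSTEM32_PREFIX = re.compile(r"^[a-z]:\\windows\\system32\\")


def score_file_create(event):
    """Return the list of heuristics that fire for one FileCreate event."""
    target = event["TargetFilename"].lower()
    image = event["Image"].lower()
    reasons = []
    if SELF_NAMED_SYSTEM32.match(target):
        reasons.append("self-named System32 subdirectory")
    if USER_TEMP_IMAGE.match(image) and SYSTEM32_PREFIX.match(target):
        reasons.append("writer runs from user Temp")
    return reasons


def flag_events(events, min_reasons=1):
    """Events that trip at least min_reasons heuristics, with the reasons attached."""
    hits = []
    for ev in events:
        reasons = score_file_create(ev)
        if len(reasons) >= min_reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit["TargetFilename"], "<-", hit["Image"], hit["reasons"])
```

Requiring both heuristics (min_reasons=2) keeps the rule quiet on installers that legitimately create a self-named folder under System32; an unprivileged Emotet instance installs under the user profile instead, so the same stem check can be extended to other roots once you have observed that path.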


Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----
address
41.60.202.26:443
147.83.10.59:80
91.236.4.234:443
104.131.41.185:8080
190.57.130.142:443
72.47.248.48:7080
73.239.11.159:80
191.103.76.34:443
61.92.159.208:8080
68.183.170.114:8080
181.10.204.106:80
94.76.247.61:8080
89.19.20.202:443
191.183.21.190:80
110.145.101.66:443
186.250.113.201:80
217.199.160.224:8080
200.127.51.94:80
181.60.244.48:8080
190.219.149.236:80
189.180.84.98:443
77.55.211.77:8080
179.127.59.210:443
213.60.19.245:80
212.71.237.140:8080
182.191.75.93:443
181.30.69.50:80
186.138.186.74:443
201.82.155.121:80
93.144.226.57:80
177.72.13.80:80
191.92.120.49:80
175.139.209.3:8080
12.162.84.2:8080
190.24.243.186:80
189.123.239.235:80
91.205.215.57:7080
104.236.161.64:8080
201.213.32.59:80
119.59.124.163:8080
69.163.33.84:8080
190.195.129.227:8090
91.219.169.180:80
204.225.249.100:7080
50.28.51.143:8080
190.210.184.138:995
188.216.24.204:80
125.99.61.162:7080
152.169.32.195:80
185.94.252.13:443
86.247.108.13:8080
181.122.172.67:8080
193.204.179.46:443
91.83.93.124:7080
89.216.23.167:80
200.45.187.90:80
139.162.118.88:8080
70.32.115.157:8080
82.8.232.51:80
192.241.143.52:8080
216.251.83.79:80
181.31.211.181:80
172.221.229.86:80
94.176.234.118:443
117.7.236.115:80
87.106.46.107:8080
175.114.178.83:443
190.13.215.114:80
192.241.146.84:8080
185.94.252.12:80
62.75.160.178:8080
88.249.1.225:443
118.69.71.14:80
59.120.5.154:80
49.176.162.90:443
68.174.15.223:80
89.32.150.160:8080
149.62.173.247:8080
129.205.201.163:80
187.190.47.173:80
201.213.100.141:8080
111.67.12.221:8080
200.82.170.231:80
187.162.248.237:80
185.32.46.109:80
110.170.65.146:80
70.184.69.146:80
143.0.87.101:80
86.42.166.147:80
210.186.132.68:80
200.58.83.179:80
77.90.136.129:8080
152.231.89.226:80
152.170.196.157:443
144.139.91.187:80
177.66.190.130:80
177.6.166.4:80
200.58.180.130:80
186.68.48.204:443
190.186.164.23:80
203.25.159.3:8080
5.196.35.138:7080
113.61.66.94:80
184.172.27.82:8080
178.79.163.131:8080
189.19.81.181:443
152.168.82.36:443
186.3.232.68:80
58.171.38.26:80
190.70.1.69:80
138.68.106.4:7080
120.151.194.117:80
74.101.225.121:443
37.120.185.153:443
181.60.247.8:443
82.196.15.205:8080
114.109.179.60:80
81.16.1.45:80
79.10.57.78:80
181.231.220.232:80
189.14.80.194:443
181.36.42.205:443
181.54.245.85:8080
177.103.159.44:80
103.8.112.222:8443
37.187.6.63:8080
147.83.10.212:80
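The extracted configuration above is the actionable part of this report: the embedded RSA public key and the hard-coded ip:port pairs the bot contacts by address rather than by name (consistent with the empty DNS section). The Python below is an added example, not CAPE's own extractor or report code. It decodes the PEM key with a small hand-written DER walker (so no third-party package is needed) and reports the modulus size and exponent, validates each C2 entry as a real IPv4 address and port, and turns the list into one Suricata rule per port so an address is only matched on the port the config pairs it with. The key bytes are copied from the config above; the C2 list embedded in the block is a ten-entry subset of the report's list; the rule message text and the sid base are assumptions.

```python
"""Parse this report's Emotet config: RSA key + C2 list (added example, not CAPE code)."""
import base64
import ipaddress
import re
from collections import Counter, defaultdict

# Copied from the 'Emotet Config' section of this report.
RSA_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----"""

# Ten entries copied from the report's C2 list (a subset, used as sample input).
C2_ADDRESSES = """\
41.60.202.26:443
147.83.10.59:80
104.131.41.185:8080
72.47.248.48:7080
190.195.129.227:8090
190.210.184.138:995
103.8.112.222:8443
185.94.252.13:443
185.94.252.12:80
147.83.10.212:80
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos, want_tag):
    """Decode one DER element at buf[pos]; return (value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x}, got 0x{tag:02x} at offset {pos}")
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return buf[pos:pos + length], pos + length


def parse_rsa_spki(pem):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return n and e."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    spki, _ = _read_tlv(der, 0, 0x30)           # SubjectPublicKeyInfo SEQUENCE
    alg, pos = _read_tlv(spki, 0, 0x30)         # AlgorithmIdentifier
    oid, _ = _read_tlv(alg, 0, 0x06)            # OBJECT IDENTIFIER
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bits, _ = _read_tlv(spki, pos, 0x03)        # subjectPublicKey BIT STRING
    if bits[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    rsakey, _ = _read_tlv(bits, 1, 0x30)        # RSAPublicKey SEQUENCE
    n_bytes, pos = _read_tlv(rsakey, 0, 0x02)   # modulus
    e_bytes, _ = _read_tlv(rsakey, pos, 0x02)   # publicExponent
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus": n, "modulus_bits": n.bit_length(), "exponent": e}


C2_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2_list(text):
    """Return [(ip, port), ...]; reject anything that is not a valid IPv4:port."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = C2_LINE.match(line)
        if not m:
            raise ValueError(f"malformed C2 entry: {line!r}")
        ip = ipaddress.IPv4Address(m.group(1))  # raises on an octet above 255
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {line!r}")
        entries.append((str(ip), port))
    return entries


def port_histogram(entries):
    """How many C2s listen on each port (useful for egress-filter review)."""
    return Counter(port for _, port in entries)


def suricata_rules(entries, base_sid):
    """One rule per port, so an IP only matches on the port the config pairs it with."""
    by_port = defaultdict(set)
    for ip, port in entries:
        by_port[port].add(ip)
    rules = []
    for i, port in enumerate(sorted(by_port)):
        ips = ",".join(sorted(by_port[port], key=ipaddress.IPv4Address))
        rules.append(
            f'alert tcp $HOME_NET any -> [{ips}] {port} '
            f'(msg:"Emotet C2 (extracted config) port {port}"; flow:to_server,established; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'  # sid base is an assumption
        )
    return rules


if __name__ == "__main__":
    key = parse_rsa_spki(RSA_PUBLIC_KEY_PEM)
    print(f"RSA-{key['modulus_bits']}, e={key['exponent']}")
    c2 = parse_c2_list(C2_ADDRESSES)
    print(dict(port_histogram(c2)))
    print("\n".join(suricata_rules(c2, 9000000)))
```

The DER walker deliberately refuses anything that is not exactly an rsaEncryption SubjectPublicKeyInfo; a key of unexpected shape is worth a manual look rather than a silent parse. Run it over the full 128-entry list from the report to get the complete rule set.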
Type Emotet Payload
Size 39424 bytes
Virtual Address 0x002C0000
Process E1-20200214_114409.exe
PID 2440
Path C:\Users\Rebecca\AppData\Local\Temp\E1-20200214_114409.exe
MD5 8759c0e63a986d08224a8cb013cfca5f
SHA1 59413bcde7929f4c4c28e7069f0a11c0ba273c5d
SHA256 e030c0bd45b14a9cd661eed11fc29957b082e1cf93d0c2a9c88b6cc0c83fe80d
CRC32 00C50F47
Ssdeep 768:ujkSkhl5/eo9usFYZzBxMhkC+3Qvc05nkJ9iXwQ8Noh:ukD5/7urz3p2KoAQ8q
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload