Detections

Suricata:

Feodo

Analysis

Category: FILE
Package: Emotet
Started: 2020-06-30 14:01:15
Completed: 2020-06-30 14:08:27
Duration: 432 seconds
Options: route = inetsim
Log:
2020-05-13 09:11:34,547 [root] INFO: Date set to: 20200630T13:57:36, timeout set to: 300
2020-06-30 13:57:36,031 [root] DEBUG: Starting analyzer from: C:\tmp52sk_on6
2020-06-30 13:57:36,031 [root] DEBUG: Storing results at: C:\yazaiFAP
2020-06-30 13:57:36,031 [root] DEBUG: Pipe server name: \\.\PIPE\VffSwnEiht
2020-06-30 13:57:36,031 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-30 13:57:36,031 [root] INFO: Analysis package "Emotet" has been specified.
2020-06-30 13:57:36,031 [root] DEBUG: Trying to import analysis package "Emotet"...
2020-06-30 13:57:36,062 [root] DEBUG: Imported analysis package "Emotet".
2020-06-30 13:57:36,062 [root] DEBUG: Trying to initialize analysis package "Emotet"...
2020-06-30 13:57:36,062 [root] DEBUG: Initialized analysis package "Emotet".
2020-06-30 13:57:36,093 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 13:57:36,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 13:57:36,109 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 13:57:36,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 13:57:36,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 13:57:36,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 13:57:36,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 13:57:36,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 13:57:36,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 13:57:36,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 13:57:36,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 13:57:36,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 13:57:36,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 13:57:36,203 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 13:57:36,203 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 13:57:36,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 13:57:36,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 13:57:36,203 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 13:57:36,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 13:57:36,203 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 13:57:36,203 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 13:57:37,546 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 13:57:37,656 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 13:57:37,703 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 13:57:37,703 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 13:57:37,703 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 13:57:37,703 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 13:57:37,703 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 13:57:37,734 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 13:57:37,734 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 13:57:37,734 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 13:57:37,734 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 13:57:37,734 [root] DEBUG: Started auxiliary module Browser
2020-06-30 13:57:37,734 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 13:57:37,750 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 13:57:37,750 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 13:57:37,750 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 13:57:37,750 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 13:57:37,750 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 13:57:37,750 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 13:57:37,750 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 13:57:38,062 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 13:57:38,062 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 13:57:38,078 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 13:57:38,078 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 13:57:38,078 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 13:57:38,078 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 13:57:38,093 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 13:57:38,093 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 13:57:38,093 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 13:57:38,093 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 13:57:38,093 [root] DEBUG: Started auxiliary module Human
2020-06-30 13:57:38,093 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 13:57:38,109 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 13:57:38,109 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 13:57:38,109 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 13:57:38,109 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 13:57:38,109 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 13:57:38,109 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 13:57:38,109 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 13:57:38,109 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 13:57:38,109 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 13:57:38,109 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 13:57:38,109 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 13:57:38,109 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 13:57:38,109 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 13:57:38,109 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 13:57:38,109 [root] DEBUG: Started auxiliary module Usage
2020-06-30 13:57:38,109 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL option
2020-06-30 13:57:38,109 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL_64 option
2020-06-30 13:57:38,109 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a loader option
2020-06-30 13:57:38,109 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a loader_64 option
2020-06-30 13:57:38,265 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe" with arguments "" with pid 2788
2020-06-30 13:57:38,265 [lib.api.process] INFO: Monitor config for process 2788: C:\tmp52sk_on6\dll\2788.ini
2020-06-30 13:57:38,265 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-30 13:57:38,265 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-06-30 13:57:38,265 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA:SendMessageA:srand:GetSystemTimeAsFileTime' sent to monitor
2020-06-30 13:57:38,296 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\TevAPc.dll, loader C:\tmp52sk_on6\bin\toRTDnS.exe
2020-06-30 13:57:38,421 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\VffSwnEiht.
2020-06-30 13:57:38,421 [root] DEBUG: Loader: Injecting process 2788 (thread 5204) with C:\tmp52sk_on6\dll\TevAPc.dll.
2020-06-30 13:57:38,421 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:57:38,421 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\TevAPc.dll.
2020-06-30 13:57:38,421 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:57:38,421 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\TevAPc.dll.
2020-06-30 13:57:38,421 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2788
2020-06-30 13:57:40,421 [lib.api.process] INFO: Successfully resumed process with pid 2788
2020-06-30 13:57:41,000 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:57:41,000 [root] DEBUG: Auto-unpacking of payloads enabled.
2020-06-30 13:57:41,000 [root] DEBUG: Process dumps enabled.
2020-06-30 13:57:41,000 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:57:41,015 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:57:41,015 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2788 at 0x6a4b0000, image base 0x400000, stack from 0x126000-0x130000
2020-06-30 13:57:41,031 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe".
2020-06-30 13:57:41,031 [root] DEBUG: WoW64 not detected.
2020-06-30 13:57:41,140 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-06-30 13:57:41,421 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-06-30 13:57:41,515 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x5b9ff, Entropy 6.442234e+00
2020-06-30 13:57:41,609 [root] DEBUG: UnpackerInit: Adding main image base to tracked regions.
2020-06-30 13:57:41,687 [root] INFO: Loaded monitor into process with pid 2788
2020-06-30 13:57:41,765 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2788, handle 0xb4.
2020-06-30 13:57:41,765 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 13:57:41,765 [root] DEBUG: set_caller_info: Adding region at 0x00310000 to caller regions list (ntdll::memcpy).
2020-06-30 13:57:41,781 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:57:41,796 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:57:41,796 [root] DEBUG: DLL loaded at 0x74DD0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-06-30 13:57:41,796 [root] DEBUG: DLL loaded at 0x757A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 13:57:41,828 [root] DEBUG: DLL loaded at 0x01260000: C:\Windows\system32\taskmgr.exe (0x3a000 bytes).
2020-06-30 13:57:41,828 [root] DEBUG: Allocation: 0x003E0000 - 0x003EB000, size: 0xb000, protection: 0x40.
2020-06-30 13:57:41,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-30 13:57:41,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-30 13:57:41,828 [root] DEBUG: ProcessImageBase: EP 0x0005B9FF image base 0x00400000 size 0x0 entropy 6.447391e+00.
2020-06-30 13:57:41,828 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003E0000, size: 0xb000.
2020-06-30 13:57:41,828 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x003E0000.
2020-06-30 13:57:41,828 [root] DEBUG: AddTrackedRegion: New region at 0x003E0000 size 0xb000 added to tracked regions.
2020-06-30 13:57:41,843 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x003E0000, TrackedRegion->RegionSize: 0xb000, thread 5204
2020-06-30 13:57:41,843 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 5204 type 1 at address 0x003E0000, size 2 with Callback 0x6a4ca1c0.
2020-06-30 13:57:41,843 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x003E0000
2020-06-30 13:57:41,843 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 5204 type 1 at address 0x003E003C, size 4 with Callback 0x6a4c9e10.
2020-06-30 13:57:41,843 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x003E003C
2020-06-30 13:57:41,843 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x003E0000 (size 0xb000).
2020-06-30 13:57:41,843 [root] DEBUG: DebuggerAllocationHandler: Error, failed to set breakpoints on new executable region at: 0x003E0000 size 0x0000B000.
2020-06-30 13:57:41,843 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00461F2A (thread 5204)
2020-06-30 13:57:41,843 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003E003C.
2020-06-30 13:57:41,859 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xda65fd1a (at 0x003E003C).
2020-06-30 13:57:41,859 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003E0000.
2020-06-30 13:57:41,859 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401766 (thread 5204)
2020-06-30 13:57:41,859 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003E0000.
2020-06-30 13:57:41,859 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0xe8.
2020-06-30 13:57:41,859 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-06-30 13:57:41,859 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401766 (thread 5204)
2020-06-30 13:57:41,859 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003E0000.
2020-06-30 13:57:41,859 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0xe8.
2020-06-30 13:57:41,859 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-06-30 13:57:41,859 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401766 (thread 5204)
2020-06-30 13:57:41,859 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003E003C.
2020-06-30 13:57:41,859 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xda65fd56 (at 0x003E003C).
2020-06-30 13:57:41,875 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003E0000.
2020-06-30 13:57:41,875 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401766 (thread 5204)
2020-06-30 13:57:41,875 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003E003C.
2020-06-30 13:57:41,875 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xda655756 (at 0x003E003C).
2020-06-30 13:57:41,875 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003E0000.
2020-06-30 13:57:41,875 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401766 (thread 5204)
2020-06-30 13:57:41,875 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003E003C.
2020-06-30 13:57:41,875 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xda335756 (at 0x003E003C).
2020-06-30 13:57:41,875 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003E0000.
2020-06-30 13:57:41,875 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00401766 (thread 5204)
2020-06-30 13:57:41,875 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003E003C.
2020-06-30 13:57:41,875 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x003E003C).
2020-06-30 13:57:41,875 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003E0000.
2020-06-30 13:57:41,921 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003E0000 (thread 5204)
2020-06-30 13:57:41,921 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x003E0000 (allocation base 0x003E0000).
2020-06-30 13:57:41,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3eb000.
2020-06-30 13:57:41,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x003E0000.
2020-06-30 13:57:41,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x003E003C.
2020-06-30 13:57:41,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x003E0000.
2020-06-30 13:57:41,937 [root] DEBUG: ShellcodeExecCallback: About to scan region for a PE image (base 0x003E0000, size 0xb000).
2020-06-30 13:57:41,984 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\yazaiFAP\CAPE\2788_15591985885237171372020 (size 0xa742)
2020-06-30 13:57:41,984 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x003E0000 (size 0xb000).
2020-06-30 13:57:41,984 [root] DEBUG: set_caller_info: Adding region at 0x003E0000 to caller regions list (ntdll::NtQuerySystemInformation).
2020-06-30 13:57:41,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-30 13:57:41,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-30 13:57:42,000 [root] DEBUG: ProcessImageBase: EP 0x0005B9FF image base 0x00400000 size 0x0 entropy 6.447391e+00.
2020-06-30 13:57:42,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-06-30 13:57:42,000 [root] DEBUG: ProtectionHandler: Adding region at 0x003F1000 to tracked regions.
2020-06-30 13:57:42,000 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x003F1000.
2020-06-30 13:57:42,000 [root] DEBUG: AddTrackedRegion: New region at 0x003F0000 size 0x2000 added to tracked regions: EntryPoint 0x1000, Entropy 5.270271e+00
2020-06-30 13:57:42,000 [root] DEBUG: ProtectionHandler: Address: 0x003F1000 (alloc base 0x003F0000), NumberOfBytesToProtect: 0x1200, NewAccessProtection: 0x20
2020-06-30 13:57:42,000 [root] DEBUG: ProtectionHandler: Increased region size at 0x003F1000 to 0x2200.
2020-06-30 13:57:42,000 [root] DEBUG: ProtectionHandler: New code detected at (0x003F0000), scanning for PE images.
2020-06-30 13:57:42,000 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x3f2200.
2020-06-30 13:57:42,000 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3f0000
2020-06-30 13:57:42,000 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x003F0000
2020-06-30 13:57:42,000 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:57:42,015 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x003F0000.
2020-06-30 13:57:42,015 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001000.
2020-06-30 13:57:42,046 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa200.
2020-06-30 13:57:42,046 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f1000-0x3f2200.
2020-06-30 13:57:42,046 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x003F0000 - 0x003F2200.
2020-06-30 13:57:42,046 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x003F0000.
2020-06-30 13:57:42,046 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3f0000 - 0x3f2200.
2020-06-30 13:57:42,046 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::NtQuerySystemInformation).
2020-06-30 13:57:42,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-30 13:57:42,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-30 13:57:42,062 [root] DEBUG: ProcessImageBase: EP 0x0005B9FF image base 0x00400000 size 0x0 entropy 6.447391e+00.
2020-06-30 13:57:42,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-06-30 13:57:42,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003F0000.
2020-06-30 13:57:42,062 [root] DEBUG: ProtectionHandler: Adding region at 0x012A1000 to tracked regions.
2020-06-30 13:57:42,062 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x012A1000.
2020-06-30 13:57:42,062 [root] DEBUG: AddTrackedRegion: New region at 0x012A0000 size 0x8000 added to tracked regions: EntryPoint 0x4210, Entropy 5.350536e+00
2020-06-30 13:57:42,062 [root] DEBUG: ProtectionHandler: Address: 0x012A1000 (alloc base 0x012A0000), NumberOfBytesToProtect: 0x7200, NewAccessProtection: 0x20
2020-06-30 13:57:42,062 [root] DEBUG: ProtectionHandler: Increased region size at 0x012A1000 to 0x8200.
2020-06-30 13:57:42,062 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x012A0000, TrackedRegion->RegionSize: 0x8200, thread 5204
2020-06-30 13:57:42,078 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x003E0000 to 0x012A0000.
2020-06-30 13:57:42,078 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 5204 type 0 at address 0x012A1000, size 0 with Callback 0x6a4ca010.
2020-06-30 13:57:42,078 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x55 at protected address: 0x012A1000
2020-06-30 13:57:42,078 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 5204 type 1 at address 0x012A003C, size 4 with Callback 0x6a4c9e10.
2020-06-30 13:57:42,078 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x012A003C
2020-06-30 13:57:42,078 [root] DEBUG: set_caller_info: Adding region at 0x012A0000 to caller regions list (ntdll::LdrGetDllHandle).
2020-06-30 13:57:42,093 [root] DEBUG: DLL loaded at 0x758D0000: C:\Windows\system32\crypt32 (0x122000 bytes).
2020-06-30 13:57:42,093 [root] DEBUG: DLL loaded at 0x75810000: C:\Windows\system32\MSASN1 (0xc000 bytes).
2020-06-30 13:57:42,109 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\system32\urlmon (0x124000 bytes).
2020-06-30 13:57:42,109 [root] DEBUG: DLL loaded at 0x75AC0000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-30 13:57:42,109 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-30 13:57:42,109 [root] DEBUG: DLL loaded at 0x75AD0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-30 13:57:42,125 [root] DEBUG: DLL loaded at 0x75870000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-30 13:57:42,125 [root] DEBUG: DLL loaded at 0x75830000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-30 13:57:42,125 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\version (0x9000 bytes).
2020-06-30 13:57:42,125 [root] DEBUG: DLL loaded at 0x75820000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-30 13:57:42,125 [root] DEBUG: DLL loaded at 0x77910000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-06-30 13:57:42,125 [root] DEBUG: DLL loaded at 0x75E40000: C:\Windows\system32\iertutil (0x215000 bytes).
2020-06-30 13:57:42,249 [root] DEBUG: DLL loaded at 0x766D0000: C:\Windows\system32\WININET (0x1c4000 bytes).
2020-06-30 13:57:42,265 [root] DEBUG: DLL loaded at 0x73CD0000: C:\Windows\system32\wtsapi32 (0xd000 bytes).
2020-06-30 13:57:42,281 [root] INFO: Disabling sleep skipping.
2020-06-30 13:57:42,281 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2788.
2020-06-30 13:57:52,281 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3724.
2020-06-30 13:57:52,281 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 3724 type 0 at address 0x012A1000, size 0 with Callback 0x6a4ca010.
2020-06-30 13:57:52,296 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 3724 type 1 at address 0x012A003C, size 4 with Callback 0x6a4c9e10.
2020-06-30 13:58:05,265 [root] DEBUG: DLL loaded at 0x75480000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-30 13:58:05,281 [root] DEBUG: DLL loaded at 0x71730000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-06-30 13:58:05,296 [root] DEBUG: DLL loaded at 0x75D50000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-06-30 13:58:05,296 [root] DEBUG: DLL loaded at 0x779C0000: C:\Windows\system32\NSI (0x6000 bytes).
2020-06-30 13:58:05,312 [root] DEBUG: DLL loaded at 0x6F380000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-06-30 13:58:05,312 [root] DEBUG: DLL loaded at 0x6F330000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-30 13:58:05,312 [root] DEBUG: DLL unloaded from 0x6F380000.
2020-06-30 13:58:05,343 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-30 13:58:05,343 [root] DEBUG: DLL loaded at 0x75170000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-30 13:58:05,343 [root] DEBUG: DLL loaded at 0x73C60000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-30 13:58:05,359 [root] DEBUG: DLL loaded at 0x73B10000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-30 13:58:05,375 [root] DEBUG: DLL loaded at 0x6D9E0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-06-30 13:58:05,390 [root] DEBUG: DLL loaded at 0x75040000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-30 13:58:05,406 [root] DEBUG: DLL loaded at 0x739F0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-30 13:58:05,406 [root] DEBUG: DLL loaded at 0x76130000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-30 13:58:05,406 [root] DEBUG: DLL loaded at 0x73970000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-30 13:58:05,421 [root] DEBUG: DLL loaded at 0x74D00000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-30 13:58:05,421 [root] DEBUG: DLL loaded at 0x70CC0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-30 13:58:05,421 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-30 13:58:05,437 [root] DEBUG: DLL loaded at 0x73A90000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-30 13:58:05,437 [root] DEBUG: DLL loaded at 0x71EA0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-30 13:58:05,453 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 13:58:05,453 [root] DEBUG: DLL loaded at 0x6DF50000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-30 13:58:05,468 [root] DEBUG: DLL loaded at 0x74620000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\Comctl32 (0x19e000 bytes).
2020-06-30 13:58:05,468 [root] DEBUG: DLL unloaded from 0x74D00000.
2020-06-30 13:58:05,484 [root] DEBUG: DLL unloaded from 0x75170000.
2020-06-30 13:58:15,406 [root] DEBUG: DLL unloaded from 0x766D0000.
2020-06-30 13:58:15,406 [root] DEBUG: DLL unloaded from 0x75CB0000.
2020-06-30 13:58:15,406 [root] DEBUG: DLL unloaded from 0x6DF50000.
2020-06-30 13:58:15,421 [root] DEBUG: DLL unloaded from 0x70CC0000.
2020-06-30 13:58:25,453 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-30 13:58:36,890 [root] DEBUG: DLL loaded at 0x70CC0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-30 13:58:36,906 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-30 13:58:36,921 [root] DEBUG: DLL loaded at 0x6DF50000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-30 13:58:46,937 [root] DEBUG: DLL unloaded from 0x766D0000.
2020-06-30 13:58:46,937 [root] DEBUG: DLL unloaded from 0x75CB0000.
2020-06-30 13:58:46,937 [root] DEBUG: DLL unloaded from 0x6DF50000.
2020-06-30 13:58:46,953 [root] DEBUG: DLL unloaded from 0x70CC0000.
2020-06-30 13:58:56,921 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-30 13:59:15,812 [root] DEBUG: DLL loaded at 0x70CC0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-30 13:59:15,828 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-30 13:59:15,859 [root] DEBUG: DLL loaded at 0x6DF50000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-30 13:59:25,796 [root] DEBUG: DLL unloaded from 0x766D0000.
2020-06-30 13:59:25,796 [root] DEBUG: DLL unloaded from 0x75CB0000.
2020-06-30 13:59:25,796 [root] DEBUG: DLL unloaded from 0x6DF50000.
2020-06-30 13:59:25,812 [root] DEBUG: DLL unloaded from 0x70CC0000.
2020-06-30 13:59:35,843 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-30 14:00:00,984 [root] DEBUG: DLL loaded at 0x70CC0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-30 14:00:00,984 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-30 14:00:01,000 [root] DEBUG: DLL loaded at 0x6DF50000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-30 14:00:10,984 [root] DEBUG: DLL unloaded from 0x766D0000.
2020-06-30 14:00:10,984 [root] DEBUG: DLL unloaded from 0x75CB0000.
2020-06-30 14:00:10,984 [root] DEBUG: DLL unloaded from 0x70CC0000.
2020-06-30 14:00:21,000 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-30 14:00:32,140 [root] DEBUG: DLL loaded at 0x70CC0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-30 14:00:32,140 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-30 14:00:32,156 [root] DEBUG: DLL loaded at 0x6DF50000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-30 14:00:42,140 [root] DEBUG: DLL unloaded from 0x766D0000.
2020-06-30 14:00:42,140 [root] DEBUG: DLL unloaded from 0x75CB0000.
2020-06-30 14:00:42,140 [root] DEBUG: DLL unloaded from 0x70CC0000.
2020-06-30 14:00:52,156 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-30 14:01:09,781 [root] DEBUG: DLL loaded at 0x70CC0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-30 14:01:09,781 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-30 14:01:09,796 [root] DEBUG: DLL loaded at 0x6DF50000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-30 14:01:19,781 [root] DEBUG: DLL unloaded from 0x766D0000.
2020-06-30 14:01:19,781 [root] DEBUG: DLL unloaded from 0x75CB0000.
2020-06-30 14:01:19,781 [root] DEBUG: DLL unloaded from 0x6DF50000.
2020-06-30 14:01:19,781 [root] DEBUG: DLL unloaded from 0x70CC0000.
2020-06-30 14:01:29,796 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-30 14:01:46,421 [root] DEBUG: DLL loaded at 0x70CC0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-30 14:01:46,421 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-30 14:01:46,437 [root] DEBUG: DLL loaded at 0x6DF50000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-30 14:01:56,421 [root] DEBUG: DLL unloaded from 0x766D0000.
2020-06-30 14:01:56,421 [root] DEBUG: DLL unloaded from 0x75CB0000.
2020-06-30 14:01:56,421 [root] DEBUG: DLL unloaded from 0x6DF50000.
2020-06-30 14:01:56,421 [root] DEBUG: DLL unloaded from 0x70CC0000.
2020-06-30 14:02:06,437 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-30 14:02:17,203 [root] DEBUG: DLL loaded at 0x70CC0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-30 14:02:17,203 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-30 14:02:17,218 [root] DEBUG: DLL loaded at 0x6DF50000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-30 14:02:27,203 [root] DEBUG: DLL unloaded from 0x766D0000.
2020-06-30 14:02:27,203 [root] DEBUG: DLL unloaded from 0x75CB0000.
2020-06-30 14:02:27,203 [root] DEBUG: DLL unloaded from 0x70CC0000.
2020-06-30 14:02:37,218 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-30 14:02:40,953 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-30 14:02:40,953 [lib.api.process] INFO: Terminate event set for process 2788
2020-06-30 14:02:40,953 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 2788).
2020-06-30 14:02:40,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-30 14:02:40,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-30 14:02:40,953 [root] DEBUG: ProcessImageBase: EP 0x0005B9FF image base 0x00400000 size 0x0 entropy 6.447391e+00.
2020-06-30 14:02:40,968 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x012A0000.
2020-06-30 14:02:40,968 [root] DEBUG: Terminate Event: Attempting to dump process 2788
2020-06-30 14:02:40,968 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-30 14:02:40,968 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 14:02:40,968 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00400000.
2020-06-30 14:02:41,031 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xc5000.
2020-06-30 14:02:41,031 [lib.api.process] INFO: Termination confirmed for process 2788
2020-06-30 14:02:41,031 [root] INFO: Terminate event set for process 2788.
2020-06-30 14:02:41,031 [root] INFO: Created shutdown mutex.
2020-06-30 14:02:41,031 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2788
2020-06-30 14:02:42,031 [root] INFO: Shutting down package.
2020-06-30 14:02:42,031 [root] INFO: Stopping auxiliary modules.
2020-06-30 14:02:42,109 [lib.common.results] WARNING: File C:\yazaiFAP\bin\procmon.xml doesn't exist anymore
2020-06-30 14:02:42,109 [root] INFO: Finishing auxiliary modules.
2020-06-30 14:02:42,109 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 14:02:42,109 [root] WARNING: Folder at path "C:\yazaiFAP\debugger" does not exist, skip.
2020-06-30 14:02:42,109 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7_3 win7_3 KVM 2020-06-30 14:01:17 2020-06-30 14:08:27

File Details

File Name E2-20200630_100917
File Size 806912 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2020-06-30 10:09:17
MD5 6bf10802322f50afdd6ac8035fafb107
SHA1 0bc78aa8a0e62bb61c3e85d8b71f5bb75ca2646f
SHA256 10f75e4e6204c4215d8047e9f83e00773a2284b04ff5aab7fbc236e919fc12e9
SHA512 99a63af2de842b192f977b42d1116705d2530a916b5ffe256e76f05262d11eb546bac747349f919adc78e8e15ad45e8f1f22d49c435dd1e315a73cb17389387f
CRC32 740B4C4F
Ssdeep 12288:BXH5qcS4yOhYCS5/WVFdf+0gczhS/ubHXc0xWaSyex:BXHJV/lgcz8/WRWc

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Communicates with IPs located across a large number of unique countries
country: Russian Federation
country: Germany
country: United States
country: Italy
country: Thailand
country: France
country: South Africa
country: Czech Republic
country: Switzerland
country: Indonesia
country: Mexico
country: Argentina
country: Brazil
country: Korea, Republic of
country: Vietnam
country: Australia
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2788 triggered the Yara rule 'embedded_pe'
Hit: PID 2788 triggered the Yara rule 'embedded_win_api'
Hit: PID 2788 triggered the Yara rule 'shellcode_patterns'
Hit: PID 2788 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 2788 triggered the Yara rule 'shellcode_peb_parsing'
Mimics the system's user agent string for its own requests
A process attempted to delay the analysis task.
Process: E2-20200630_100917.exe tried to sleep 480.03 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: USER32.dll/NotifyWinEvent
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: kernel32.dll/VirtualAllocExNuma
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/IsBadReadPtr
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: IPHLPAPI.DLL/GetBestInterfaceEx
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/StringFromIID
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/ObjectStublessClient10
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegEnumKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
Performs HTTP requests potentially not found in PCAP.
url: 64.88.202.250:80/3oWlLlTIdPbNlMls/eMoIyFtplsds/G5jJLNPsfXVM/
url: 212.51.142.238:8080/jHUI8oNPpvg4Ru/
url: 200.55.243.138:8080/9rM6Paw/J3HhCVI/SZLac/h94fdNvRNF3yEOtaF/
url: 104.236.246.93:8080/0XNFUbsuX1k9Yr/mrnyLlwRHs/KB8d/lZeK/NC7wqmm/
url: 61.19.246.238:443/cewmXRcb5/dDU7HQti17A6Toc/
url: 79.45.112.220:80/N2mRGGY59JUFmw/gR6lZ23/QyRzoM5/
url: 95.213.236.64:8080/S55w/bfgdI3hpnHb/JBQleIJY/gP5Ka/SklrlzfxyC/
url: 169.239.182.217:8080/3ILDP4ZM1Tr7hYr/sQgsqWsNng7ORjIbFQ/huYxloRAoYTXi/2l5tlMLSI/
url: 103.86.49.11:8080/UGMc06B/bED6l/
url: 87.106.139.101:8080/HXnrdEloeIwzScAyo0/gwpPYBKHBzeBg/HDBacYR0/
url: 74.208.45.104:8080/5jfdGSEWtOWd569ILs/RW7AdO/EUvywF4Ruly/si7KZo1cq3LERG/ZimVSfgWogbzdrG3/
url: 113.160.130.116:8443/CAO51Vwz/
url: 209.141.54.221:8080/ln9w3kzMnaABp/R8Ln8D/
url: 203.153.216.189:7080/DTBRMWXL/ZxkYLS4/1kFlt/4IP0H5/xM7dZGMDm1113PJW5/
url: 73.11.153.178:8080/q0DGujKC/vcvpwJ2Yk9ZND/v3Z5IWTbKmjE0baXm/bRcH7MLz/qXG7kJ7E7GQWo/
url: 186.208.123.210:443/6kFXBLvVEFtFMFal/
url: 37.187.72.193:8080/8WJ0BJCjt1QdWKWRg/us2EfaEfVt2lj148L/gxIiF/Elq3gUA/57zNdyduiy/aHIY7z9GkBbPKhP/
url: 201.173.217.124:443/igarmK7pJStp0/4jwmXz9cVKnnx/
url: 121.124.124.40:7080/WXO1fwHaL5/nSeZAj4uW/tyPBfg/
url: 24.1.189.87:8080/ueCe/KxX3wN674zJF/l7Gf312I2lt0AQ/
url: 41.203.62.170:80/lekPUT9vUpO6biVvk02/aYOA1Cty5mSQKV/BKZ71b0/mjVwW06fyHXXchuWb0d/NiB5WNDPXGt3/yomUcP68Ig/
url: 5.196.74.210:8080/WAHVSaPZo3dwc6Fp3Ky/NPnxKfyJT5VD/
url: 31.31.77.83:443/taPK/5Yen/z71IB/wvrjSNhbnLiMedZXxfJ/f6hSQiIv6eaY7c/
Expresses interest in specific running processes
process: E2-20200630_100917.exe
Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
CAPE extracted potentially suspicious content
E2-20200630_100917.exe: Unpacked PE Image
E2-20200630_100917.exe: Unpacked Shellcode
Multiple direct IP connections
direct_ip_connections: Made direct connections to 26 unique IP addresses
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917
CAPE detected the Feodo malware family
File has been identified by 13 Antiviruses on VirusTotal as malicious
APEX: Malicious
BitDefender: Gen:Variant.Graftor.774444
MicroWorld-eScan: Gen:Variant.Graftor.774444
Ad-Aware: Gen:Variant.Graftor.774444
FireEye: Gen:Variant.Graftor.774444
Emsisoft: Trojan.Emotet (A)
Endgame: malicious (high confidence)
Arcabit: Trojan.Graftor.DBD12C
GData: Gen:Variant.Graftor.774444
Acronis: suspicious
ALYac: Gen:Variant.Graftor.774444
MAX: malware (ai score=88)
Rising: Malware.Heuristic!ET#87% (RDMK:cmRtazozh0Q3m+vyA9pvIA7nsRzx)
Attempts to modify proxy settings
Created network traffic indicative of malicious activity
signature: ET CNC Feodo Tracker Reported CnC Server group 22
signature: ET CNC Feodo Tracker Reported CnC Server group 18
signature: ET CNC Feodo Tracker Reported CnC Server group 10
signature: ET CNC Feodo Tracker Reported CnC Server group 21
signature: ET CNC Feodo Tracker Reported CnC Server group 2
signature: ET CNC Feodo Tracker Reported CnC Server group 17
signature: ET CNC Feodo Tracker Reported CnC Server group 15

Hosts

Direct IP Country Name
Y 95.213.236.64 [VT] Russian Federation
Y 87.106.139.101 [VT] Germany
Y 8.8.8.8 [VT] United States
Y 79.45.112.220 [VT] Italy
Y 75.139.38.211 [VT] United States
Y 74.208.45.104 [VT] United States
Y 73.11.153.178 [VT] United States
Y 64.88.202.250 [VT] United States
Y 61.19.246.238 [VT] Thailand
Y 5.196.74.210 [VT] France
Y 41.203.62.170 [VT] South Africa
Y 37.187.72.193 [VT] France
Y 31.31.77.83 [VT] Czech Republic
Y 24.1.189.87 [VT] United States
Y 212.51.142.238 [VT] Switzerland
Y 209.141.54.221 [VT] United States
Y 203.153.216.189 [VT] Indonesia
Y 201.173.217.124 [VT] Mexico
Y 200.55.243.138 [VT] Argentina
Y 186.208.123.210 [VT] Brazil
Y 169.239.182.217 [VT] South Africa
Y 121.124.124.40 [VT] Korea, Republic of
Y 113.160.130.116 [VT] Vietnam
Y 104.236.246.93 [VT] United States
Y 103.86.49.11 [VT] Thailand
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe.2.Manifest
C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe.3.Manifest
C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe.Config
C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe
C:\Windows\System32\*
C:\
\??\Nsi
C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe.2.Manifest
C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe.3.Manifest
C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe.Config
C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\8c65a894
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadNetworkName
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\8c65a894
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.CreateActCtxW
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
user32.dll.NotifyWinEvent
advapi32.dll.CryptAcquireContextA
cryptsp.dll.CryptAcquireContextA
kernel32.dll.VirtualAllocExNuma
kernel32.dll.VirtualQuery
kernel32.dll.VirtualFree
kernel32.dll.VirtualAlloc
kernel32.dll.SetLastError
kernel32.dll.VirtualProtect
kernel32.dll.IsBadReadPtr
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.FreeLibrary
kernel32.dll.GetNativeSystemInfo
kernel32.dll.HeapAlloc
kernel32.dll.GetProcessHeap
kernel32.dll.HeapFree
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
iphlpapi.dll.NotifyUnicastIpAddressChange
iphlpapi.dll.GetBestInterfaceEx
iphlpapi.dll.GetIfEntry2
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
ws2_32.dll.GetAddrInfoW
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.DllGetClassObject
oleaut32.dll.DllCanUnloadNow
advapi32.dll.RegOpenKeyW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromIID
api-ms-win-downlevel-ole32-l1-1-0.dll.CoUninitialize
oleaut32.dll.#500
api-ms-win-downlevel-ole32-l1-1-0.dll.CoSetProxyBlanket
ole32.dll.ObjectStublessClient10
oleaut32.dll.#2
ole32.dll.CoTaskMemFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
oleaut32.dll.#6


PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash
0x00400000 0x0045b9ff 0x000c67b2 0x000c67b2 4.0 2020-06-30 10:09:17 9b1cfdac5eb73d891167944ed559cf47 55af8d00725af9d22bf5b9916f511af7 93bd211b09790c47c832caa659c6cdfc

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x0008b424 0x0008c000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.62
.rdata 0x0008d000 0x0008d000 0x00022778 0x00023000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.92
.data 0x000b0000 0x000b0000 0x00011b00 0x0000e000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.53
.rsrc 0x000be000 0x000c2000 0x00006b60 0x00007000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.72

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_CURSOR 0x000c5b58 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_BITMAP 0x000c58d8 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 None
RT_BITMAP 0x000c58d8 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 None
RT_BITMAP 0x000c58d8 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 None
RT_ICON 0x000c3780 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.83 None
RT_ICON 0x000c3780 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.83 None
RT_ICON 0x000c3780 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.83 None
RT_ICON 0x000c3780 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.83 None
RT_MENU 0x000c3c28 0x000001a4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.17 None
RT_DIALOG 0x000c57e8 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x000c57e8 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x000c57e8 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x000c57e8 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x000c57e8 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x000c8958 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_ACCELERATOR 0x000c5f40 0x00000018 LANG_ENGLISH SUBLANG_ENGLISH_US 2.18 None
RT_ACCELERATOR 0x000c5f40 0x00000018 LANG_ENGLISH SUBLANG_ENGLISH_US 2.18 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x000c56e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_ICON 0x000c38a8 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.48 None
RT_GROUP_ICON 0x000c38a8 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.48 None
RT_VERSION 0x000c3f20 0x00000368 LANG_ENGLISH SUBLANG_ENGLISH_US 3.37 None
RT_MANIFEST 0x000c8ac8 0x00000092 LANG_ENGLISH SUBLANG_ENGLISH_US 4.95 None
None 0x000c3c08 0x0000001a LANG_ENGLISH SUBLANG_ENGLISH_US 2.82 None

Imports

0x48d200 HeapSize
0x48d204 TerminateProcess
0x48d210 IsDebuggerPresent
0x48d214 Sleep
0x48d218 GetACP
0x48d21c HeapDestroy
0x48d220 HeapCreate
0x48d224 VirtualFree
0x48d228 FatalAppExitA
0x48d22c GetStdHandle
0x48d240 SetHandleCount
0x48d244 GetFileType
0x48d250 CreateThread
0x48d258 GetConsoleCP
0x48d25c GetConsoleMode
0x48d260 LCMapStringA
0x48d264 LCMapStringW
0x48d268 GetStringTypeA
0x48d26c GetStringTypeW
0x48d270 GetTimeFormatA
0x48d274 GetDateFormatA
0x48d278 GetUserDefaultLCID
0x48d27c EnumSystemLocalesA
0x48d280 IsValidLocale
0x48d284 IsValidCodePage
0x48d288 GetLocaleInfoW
0x48d28c SetStdHandle
0x48d290 WriteConsoleA
0x48d294 GetConsoleOutputCP
0x48d298 WriteConsoleW
0x48d2a0 WideCharToMultiByte
0x48d2a4 ExitThread
0x48d2a8 RaiseException
0x48d2ac RtlUnwind
0x48d2b0 GetStartupInfoA
0x48d2b4 GetProcessHeap
0x48d2b8 GetCommandLineA
0x48d2bc HeapReAlloc
0x48d2c0 VirtualQuery
0x48d2c4 GetSystemInfo
0x48d2c8 VirtualAlloc
0x48d2cc VirtualProtect
0x48d2d0 HeapAlloc
0x48d2d4 HeapFree
0x48d2d8 GetTickCount
0x48d2dc SetErrorMode
0x48d2e0 SetFileAttributesA
0x48d2ec GetOEMCP
0x48d2f0 GetCPInfo
0x48d2f4 CreateFileA
0x48d2f8 GetShortPathNameA
0x48d300 FindFirstFileA
0x48d304 FindClose
0x48d308 DuplicateHandle
0x48d30c GetFileSize
0x48d310 SetEndOfFile
0x48d314 UnlockFile
0x48d318 LockFile
0x48d31c FlushFileBuffers
0x48d320 SetFilePointer
0x48d324 WriteFile
0x48d328 ReadFile
0x48d32c DeleteFileA
0x48d330 MoveFileA
0x48d33c GetThreadLocale
0x48d340 GetAtomNameA
0x48d348 TlsFree
0x48d350 LocalReAlloc
0x48d354 TlsSetValue
0x48d358 TlsAlloc
0x48d360 GlobalHandle
0x48d364 GlobalReAlloc
0x48d36c TlsGetValue
0x48d374 LocalAlloc
0x48d37c GlobalFlags
0x48d384 GetModuleFileNameW
0x48d388 GetTempPathA
0x48d38c GetProfileIntA
0x48d390 SearchPathA
0x48d394 GetDiskFreeSpaceA
0x48d398 GetFullPathNameA
0x48d39c GetTempFileNameA
0x48d3a0 GetFileTime
0x48d3a4 SetFileTime
0x48d3a8 GetFileAttributesA
0x48d3ac GlobalGetAtomNameA
0x48d3b0 GlobalFindAtomA
0x48d3b4 lstrcmpW
0x48d3b8 GetVersionExA
0x48d3bc GetCurrentProcessId
0x48d3c0 CreateEventA
0x48d3c4 SuspendThread
0x48d3c8 SetEvent
0x48d3cc WaitForSingleObject
0x48d3d0 ResumeThread
0x48d3d4 SetThreadPriority
0x48d3d8 CloseHandle
0x48d3dc CopyFileA
0x48d3e0 GlobalSize
0x48d3e4 FormatMessageA
0x48d3e8 LocalFree
0x48d3ec MulDiv
0x48d3f0 GlobalFree
0x48d3f4 FreeResource
0x48d3f8 GlobalAddAtomA
0x48d408 GetCurrentThread
0x48d40c GetCurrentThreadId
0x48d414 GetModuleFileNameA
0x48d41c GetLocaleInfoA
0x48d420 GlobalAlloc
0x48d424 FreeLibrary
0x48d428 GlobalDeleteAtom
0x48d42c GlobalUnlock
0x48d430 GlobalLock
0x48d434 lstrcmpA
0x48d438 SetLastError
0x48d43c GetModuleHandleA
0x48d440 LoadLibraryA
0x48d444 GetVersion
0x48d448 CompareStringA
0x48d44c lstrcmpiW
0x48d450 GetLastError
0x48d454 InterlockedExchange
0x48d458 GetStringTypeExA
0x48d45c lstrlenW
0x48d460 CompareStringW
0x48d468 GetStringTypeExW
0x48d470 lstrcmpiA
0x48d474 MultiByteToWideChar
0x48d478 lstrlenA
0x48d47c ExitProcess
0x48d480 GetCurrentProcess
0x48d484 GetProcAddress
0x48d488 LoadLibraryExA
0x48d48c FindResourceA
0x48d490 LoadResource
0x48d494 LockResource
0x48d498 SizeofResource
0x48d578 SendNotifyMessageA
0x48d584 WindowFromDC
0x48d588 InSendMessage
0x48d58c GetSysColorBrush
0x48d590 GetDialogBaseUnits
0x48d594 DestroyIcon
0x48d598 SetParent
0x48d59c DeleteMenu
0x48d5a0 IsZoomed
0x48d5a4 UnpackDDElParam
0x48d5a8 ReuseDDElParam
0x48d5ac InsertMenuItemA
0x48d5b0 SetRectEmpty
0x48d5b4 BringWindowToTop
0x48d5b8 SetMenu
0x48d5c0 GetMenuItemInfoA
0x48d5c4 InflateRect
0x48d5c8 EndPaint
0x48d5cc BeginPaint
0x48d5d0 GetWindowDC
0x48d5d4 GrayStringA
0x48d5d8 DrawTextExA
0x48d5dc DrawTextA
0x48d5e0 TabbedTextOutA
0x48d5e4 DestroyCursor
0x48d5e8 SetRect
0x48d5ec LoadCursorA
0x48d5f0 KillTimer
0x48d5f4 SetTimer
0x48d5f8 SetWindowRgn
0x48d5fc DrawIcon
0x48d600 FillRect
0x48d604 IsRectEmpty
0x48d608 FindWindowA
0x48d60c ReleaseCapture
0x48d610 SetCapture
0x48d618 LoadIconA
0x48d61c WinHelpA
0x48d620 GetCapture
0x48d624 GetClassLongA
0x48d628 GetClassNameA
0x48d62c SetPropA
0x48d630 GetPropA
0x48d634 RemovePropA
0x48d638 GetForegroundWindow
0x48d63c BeginDeferWindowPos
0x48d640 EndDeferWindowPos
0x48d644 GetTopWindow
0x48d648 UnhookWindowsHookEx
0x48d64c GetMessageTime
0x48d650 GetMessagePos
0x48d654 MapWindowPoints
0x48d658 ScrollWindow
0x48d65c TrackPopupMenuEx
0x48d660 TrackPopupMenu
0x48d664 SetScrollRange
0x48d668 GetScrollRange
0x48d66c SetScrollPos
0x48d670 GetScrollPos
0x48d674 SetForegroundWindow
0x48d678 ShowScrollBar
0x48d67c CreateWindowExA
0x48d680 GetClassInfoExA
0x48d684 WaitMessage
0x48d688 RegisterClassA
0x48d68c AdjustWindowRectEx
0x48d690 ScreenToClient
0x48d694 EqualRect
0x48d698 DeferWindowPos
0x48d69c CopyRect
0x48d6a0 GetScrollInfo
0x48d6a4 SetScrollInfo
0x48d6a8 PtInRect
0x48d6ac SetWindowPlacement
0x48d6b0 DefWindowProcA
0x48d6b4 CallWindowProcA
0x48d6b8 OffsetRect
0x48d6bc IntersectRect
0x48d6c4 IsIconic
0x48d6c8 GetWindowPlacement
0x48d6cc GetWindowRect
0x48d6d0 LoadMenuA
0x48d6d4 LoadAcceleratorsA
0x48d6d8 DestroyMenu
0x48d6e0 GetLastActivePopup
0x48d6e4 MessageBoxA
0x48d6e8 ShowOwnedPopups
0x48d6ec SetCursor
0x48d6f0 SetWindowsHookExA
0x48d6f4 CallNextHookEx
0x48d6f8 GetMessageA
0x48d6fc TranslateMessage
0x48d700 DispatchMessageA
0x48d704 IsWindowVisible
0x48d708 GetKeyState
0x48d70c PeekMessageA
0x48d710 GetCursorPos
0x48d714 ValidateRect
0x48d718 SetMenuItemBitmaps
0x48d720 LoadBitmapA
0x48d724 ModifyMenuA
0x48d728 EnableMenuItem
0x48d72c CheckMenuItem
0x48d730 GetMenuState
0x48d734 GetMenuStringA
0x48d738 GetMenuItemID
0x48d73c InsertMenuA
0x48d740 GetMenuItemCount
0x48d744 GetSystemMenu
0x48d748 UpdateWindow
0x48d74c EnableWindow
0x48d750 GetDC
0x48d754 ReleaseDC
0x48d758 GetSysColor
0x48d75c GetClientRect
0x48d760 GetSubMenu
0x48d764 RemoveMenu
0x48d768 GetDesktopWindow
0x48d76c GetActiveWindow
0x48d770 SetActiveWindow
0x48d774 GetSystemMetrics
0x48d77c DestroyWindow
0x48d780 GetNextDlgTabItem
0x48d784 EndDialog
0x48d78c GetWindowTextA
0x48d790 GetFocus
0x48d794 GetParent
0x48d798 SetWindowPos
0x48d7a0 LockWindowUpdate
0x48d7a4 GetDCEx
0x48d7a8 UnionRect
0x48d7ac MapVirtualKeyA
0x48d7b0 GetKeyNameTextA
0x48d7b4 UnregisterClassA
0x48d7b8 WindowFromPoint
0x48d7c0 PostThreadMessageA
0x48d7c4 GetClassInfoA
0x48d7c8 CreateMenu
0x48d7cc GetMenu
0x48d7d0 CreatePopupMenu
0x48d7d4 AppendMenuA
0x48d7d8 InvalidateRect
0x48d7dc IsChild
0x48d7e0 CharUpperW
0x48d7e4 CharLowerA
0x48d7e8 CharLowerW
0x48d7ec CharUpperA
0x48d7f0 PostQuitMessage
0x48d7f4 PostMessageA
0x48d7f8 SendMessageA
0x48d7fc GetWindow
0x48d800 CheckDlgButton
0x48d804 CheckRadioButton
0x48d808 GetDlgItem
0x48d80c GetDlgItemInt
0x48d810 GetDlgItemTextA
0x48d814 SendDlgItemMessageA
0x48d818 SetDlgItemInt
0x48d81c SetDlgItemTextA
0x48d820 IsDlgButtonChecked
0x48d824 IsDialogMessageA
0x48d828 GetWindowLongA
0x48d82c SetWindowTextA
0x48d830 IsWindow
0x48d834 GetDlgCtrlID
0x48d838 SetWindowLongA
0x48d83c MoveWindow
0x48d840 ShowWindow
0x48d844 IsWindowEnabled
0x48d848 SetFocus
0x48d84c ScrollWindowEx
0x48d850 ClientToScreen
0x48d03c SelectClipPath
0x48d040 GetViewportExtEx
0x48d044 GetWindowExtEx
0x48d048 GetPixel
0x48d04c PtVisible
0x48d050 RectVisible
0x48d054 TextOutA
0x48d058 ExtTextOutA
0x48d05c Escape
0x48d060 SelectObject
0x48d064 SetViewportOrgEx
0x48d068 OffsetViewportOrgEx
0x48d06c SetViewportExtEx
0x48d070 ScaleViewportExtEx
0x48d074 SetWindowOrgEx
0x48d078 OffsetWindowOrgEx
0x48d07c SetWindowExtEx
0x48d080 ScaleWindowExtEx
0x48d088 ArcTo
0x48d08c PolyDraw
0x48d090 PolylineTo
0x48d094 PolyBezierTo
0x48d098 ExtSelectClipRgn
0x48d0a0 CreatePatternBrush
0x48d0a4 SelectPalette
0x48d0a8 PlayMetaFileRecord
0x48d0ac CreateRectRgn
0x48d0b0 EnumMetaFile
0x48d0b4 PlayMetaFile
0x48d0b8 ExtCreatePen
0x48d0bc CreateSolidBrush
0x48d0c0 CreateHatchBrush
0x48d0c4 CreateFontIndirectA
0x48d0cc SetRectRgn
0x48d0d0 CombineRgn
0x48d0d4 GetMapMode
0x48d0dc GetTextMetricsA
0x48d0e0 GetCharWidthA
0x48d0e4 CreateFontA
0x48d0e8 StretchDIBits
0x48d0ec GetNearestColor
0x48d0f0 GetBkColor
0x48d0f4 GetBkMode
0x48d0f8 GetPolyFillMode
0x48d0fc GetROP2
0x48d100 GetStretchBltMode
0x48d104 GetTextColor
0x48d108 GetTextAlign
0x48d10c GetTextFaceA
0x48d110 GetWindowOrgEx
0x48d114 CreateMetaFileA
0x48d118 CloseMetaFile
0x48d11c DeleteMetaFile
0x48d120 GetClipRgn
0x48d124 SelectClipRgn
0x48d128 DeleteObject
0x48d12c SetColorAdjustment
0x48d130 SetArcDirection
0x48d134 SetMapperFlags
0x48d140 SetTextAlign
0x48d144 MoveToEx
0x48d148 LineTo
0x48d14c OffsetClipRgn
0x48d150 IntersectClipRect
0x48d154 GetObjectType
0x48d158 GetDeviceCaps
0x48d15c SetMapMode
0x48d164 SetWorldTransform
0x48d168 SetGraphicsMode
0x48d16c SetStretchBltMode
0x48d170 SetROP2
0x48d174 SetPolyFillMode
0x48d178 SetBkMode
0x48d17c RestoreDC
0x48d180 SaveDC
0x48d184 GetStockObject
0x48d188 PatBlt
0x48d18c Rectangle
0x48d190 GetViewportOrgEx
0x48d194 CreatePen
0x48d198 DeleteDC
0x48d19c EndDoc
0x48d1a0 AbortDoc
0x48d1a4 SetAbortProc
0x48d1a8 EndPage
0x48d1ac StartPage
0x48d1b0 StartDocA
0x48d1b4 Ellipse
0x48d1b8 LPtoDP
0x48d1bc DPtoLP
0x48d1c0 CreateEllipticRgn
0x48d1c4 GetObjectA
0x48d1c8 SetBkColor
0x48d1cc SetTextColor
0x48d1d0 GetClipBox
0x48d1d4 GetDCOrgEx
0x48d1d8 CreateBitmap
0x48d1dc CreateDCA
0x48d1e0 CopyMetaFileA
0x48d1e4 CreateICA
0x48d1e8 BitBlt
0x48d1f0 CreateCompatibleDC
0x48d1f4 RealizePalette
0x48d1f8 ExcludeClipRect
0x48d86c GetFileTitleA
0x48d858 DocumentPropertiesA
0x48d85c OpenPrinterA
0x48d860 GetJobA
0x48d864 ClosePrinter
0x48d000 GetFileSecurityA
0x48d004 SetFileSecurityA
0x48d008 RegSetValueA
0x48d00c RegQueryValueA
0x48d010 RegOpenKeyA
0x48d014 RegEnumKeyA
0x48d018 RegDeleteKeyA
0x48d01c RegDeleteValueA
0x48d020 RegSetValueExA
0x48d024 RegCreateKeyExA
0x48d028 RegOpenKeyExA
0x48d02c RegQueryValueExA
0x48d030 RegCloseKey
0x48d034 RegCreateKeyA
0x48d548 DragQueryFileA
0x48d54c DragFinish
0x48d550 ExtractIconA
0x48d554 SHGetFileInfoA
0x48d558 DragAcceptFiles
0x48d564 PathFindFileNameA
0x48d568 PathStripToRootA
0x48d56c PathFindExtensionA
0x48d570 PathIsUNCA
0x48d990 None
0x48d874 OleCreateLinkToFile
0x48d878 OleGetIconOfClass
0x48d87c CreateItemMoniker
0x48d884 OleIsRunning
0x48d890 OleRun
0x48d894 CreateFileMoniker
0x48d898 CoGetMalloc
0x48d89c StgCreateDocfile
0x48d8a0 StgOpenStorage
0x48d8a4 StgIsStorageFile
0x48d8b0 OleGetClipboard
0x48d8b4 OleSetClipboard
0x48d8bc OleFlushClipboard
0x48d8cc DoDragDrop
0x48d8d0 OleUninitialize
0x48d8d8 OleInitialize
0x48d8dc CoGetClassObject
0x48d8e4 CoRevokeClassObject
0x48d8ec CLSIDFromProgID
0x48d8f0 OleCreateFromFile
0x48d8f4 OleCreateFromData
0x48d8f8 OleLockRunning
0x48d900 OleSaveToStream
0x48d904 WriteClassStm
0x48d908 OleSave
0x48d91c IsAccelerator
0x48d924 OleRegGetMiscStatus
0x48d928 OleRegEnumVerbs
0x48d92c CoDisconnectObject
0x48d930 CLSIDFromString
0x48d934 StringFromGUID2
0x48d938 CoCreateInstance
0x48d93c OleDuplicateData
0x48d940 CoTaskMemAlloc
0x48d944 ReleaseStgMedium
0x48d948 CreateBindCtx
0x48d94c CoTreatAsClass
0x48d950 StringFromCLSID
0x48d954 ReadClassStg
0x48d958 ReadFmtUserTypeStg
0x48d95c OleRegGetUserType
0x48d960 WriteClassStg
0x48d964 WriteFmtUserTypeStg
0x48d968 SetConvertStg
0x48d96c CoTaskMemFree
0x48d97c OleLoad
0x48d980 OleCreate
0x48d4a4 OleLoadPicturePath
0x48d4a8 SysStringLen
0x48d4ac SysFreeString
0x48d4b4 SysStringByteLen
0x48d4b8 VariantClear
0x48d4bc VariantChangeType
0x48d4c0 VariantInit
0x48d4c4 SysAllocStringLen
0x48d4cc SafeArrayAccessData
0x48d4d0 SafeArrayGetUBound
0x48d4d4 SafeArrayGetLBound
0x48d4dc SafeArrayGetDim
0x48d4e0 SafeArrayCreate
0x48d4e4 SafeArrayRedim
0x48d4e8 VariantCopy
0x48d4ec SafeArrayAllocData
0x48d4f4 SafeArrayCopy
0x48d4f8 SafeArrayGetElement
0x48d4fc SafeArrayPtrOfIndex
0x48d500 SafeArrayPutElement
0x48d504 SafeArrayLock
0x48d508 SafeArrayUnlock
0x48d50c SafeArrayDestroy
0x48d520 SysReAllocStringLen
0x48d524 VarDateFromStr
0x48d528 VarBstrFromCy
0x48d52c VarBstrFromDec
0x48d530 VarDecFromStr
0x48d534 VarCyFromStr
0x48d538 VarBstrFromDate
0x48d53c SysAllocString
0x48d540 LoadTypeLib

Strings

!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.rsrc
PQSUVW
;D$,t
Y_^][
Y_^][
9l$0r
9l$Lr
9l$hr
(9l$hr
\$T9l$Lr
\$89l$0r
Y_^][
T$\RP
9t$4r
D$tPUUhh
L$pu'
Y_^][
D$TSVW
VPQUj
G$QRPh
Y_^][
L$$QV
D$LPR
L$4SSQP
T$0QR
L$LSSQP
SSQPVSSR
T$$jXR
T$ Qh
T$ Qh
L$ Ph
SUVWP
h4(@P
T$,j;
D$$SV
T$0RS
T$4URUW
Y_^][
VVVVSWVP
VRSWj
Y_^][
VPWUj
VPWUj
t:;L$
~ESVW
YYtph
YYt_h
9t.9Q
9t/9Q
SSOWVQ
YYt!F
PWVWWW
WVWWW
NL;Apt
@L;ppt
WWWWW
tf9|$$t6V
;D$$t
_]^[YY
QQQQj
4PhB
Sj VW
ucSj
u8f9F&t
Sj VW
G j&P
ucSj
Gfj6P
u8f9FFt
0u39^
u%RRRh
YYt*W
t;9\$
EtSVW
_j X;
QQSUVW
0UUUUW
UUUUW
_^][Y
WtrHHt
tA9wht<
9p t-S
9p$ty
VVUVS
g9n t_;
t"9^ u
9^,Wt
F,t]P
WWWWh
t%9n0u
9nDt%9n8u
9nLt#9n(u
F,_^][
~<9=
;(r[V
tNHtf
PQQQQQ
QX_^]
t$ UP
S\_^[]
S\_^[]
P\_^[
rWWWW
v Wh!
FD_^][
t39w u&
_ 9w$u
u*9] t
O 9Htu
t:WWh
9M t
QX_^]
Q\_^]
u:j0^V
YYtLj
VwltB
j_j`V
j_j`V
PPPPhd
SVWj(3
SUVW3
Ph_^[
WWWWQS
Wu9Sh
SSSSh
]_^[Y
tjf95
t*VVQP
QSVWh$
QQSVW
WWWWh
j j WW
QPWWW
QSVWj
t2Ht*Ht"Ht
t2It*It"It
FhjQSS
Fx9~|u
F|9~ t
jOjPP
t8PhL!I
HtcHt7Ht-HHt
pThL!I
Itf9A
t>IIt
u!SSSS
EP+EHj
EL+ED
EP+EH
EP+EHj
EL+ED
EP+EH
_[^]Y
F< Wt
9nht`SWj
9HhStL9L$
tV9_ uQ
P`_^[
9p u*
PSSSSS
HVtAHtXHuU
t'SShl
SSSSS
t79E`t2
Et;EX
~ Pht
~ Pht
j3PPPPP
G;~t|
G;~t|
t&9^t
C;^t|
SUVW3
VVVVj
VVVjH
j6j6S
_^][Y
j3PPPPP
SUVW3
~dj7WWWWW
QQSVW3
QSUVW3
_^][Y
PPWVP
~#;|$
@u>W3
WWWWW
jWWWWWW
QQSVW
_^][Y
+F(_;E
F(@;F,v
F(@@;F,v
F(;^ r
F(;F0u
^(_^[]
N 9^0
@ WWj
u"FPF
Pj4ht
t5UWSV
}|j
AQPQV
VVVVPUVV
t$ UVV
G j&P
Gfj6P
j,Wj,V
j,Wj,V
G,PUU
G.PUU
G0PUU
VVVVP
'wXtR
w+t"
HtpHHt
HtvHt
<A|0<Z
1GG;E
<A|S<Z
1CC;E
u$SShe
QQSUV
_^][u
t`9w t[
f9Y:u
f9X:t
SSSSV
@_^][
9X tE
:;w$u5S
o$_^]
A _^[
PWWWh
9p$[u
tD9yhuG
;F u&
P`_^][
9H$u;;
PWPPV
R,_][^
M8Qj<P
ETPj
M\;ux
E8+E4
+M\;uxu
SWWWWP
M$QSP
9F4~
QQSVW
RQQQQQ
tPPQ+
;ALtHh,
RSSSSS
jTSSSSS
^(_^[
tbItDIt
pSVWj
t7Ht$HHt
QSUV3
PUUUUU
t*UUW
_^][Y
_^][Y
VWt#%
C4+C,
C0+C(
C`+CX
Cd+C\
CX+C`+E
C\+Cd+E
t|VWP
t^HtF-
{D+{<+
@[^_]
VhlGI
;M |%
;M r%w
^d_^[
8_GtVV
_G^_[
QQSVW
QQSVW
N$QPh
QQSVW
^8SPPj
Fp_^[
Fp$HI
FtLHI
PjMhlII
jMhlII
^ tpP
t)9^8t$
u!9D$
=<\t?</t;<:t7<!t3<[t/
Ph,^I
uA9~ t<9~0u7h
F8xMI
G;~tt
P\9_|
t=Ht*Ht
HuR9~8tM
>9~8t9
.9~8t)
6PVPV
QQVh`
SVWh`
FttPI
t)9^,t
HtbHHt8
QSUVW
_^][Y
;A u%
WPPWV
ASSSS
Wj(_Wj
VVVVV
k9~8uDj
F4_]^[
+toHt_HtOHt6Ht
+t=Ht-Ht
9n tCS3
9n(v(W3
$;^(r
n([^]
F(;F$uO
$WRQS
F0;F<uFW3
98t2P
F0p\I
DSVRP
q(hddI
F(9p`u
A(9H`u
_9~Pt
G9~Pt
SVWtU
QQSVWj
[9^Pt
9~Xt!
@ WWW
RRPQV
Od9A uC
tP9_huU
A(9H`u
q(hddI
q(hddI
Q(9J`ut
uERhddI
YYt4S3
A(9H`u
IT;O t
FH8]I
9^`u)jL
tI9^du)jL
QQSV3
u(QVR
6PVPV
FXSWh
VVVVV
QQSVW
PjDh\`I
jDh\`I
F4_^[
N,;N0r
V(PRP
tHSHP
pThDNI
ShddI
;B u3
pThDNI
WhddI
PhddI
9p$ts
9^|t%9^Xt
t/Vhp
RRRRj
vDWWj
09~(t
vc9^0uc
tO9^,tJ
:9^0t
t!PVW
@tvf=
9_puF
t6;D$
QSUVW
_^][Y
0WWWWW
0WWWWW
SSSSS
VVVVV
SSSSS
SSSSS
HH_^[
SSSSS
SSSSS
SSSSS
SSSSS
SSSSS
SSSSS
SSSSS
YYtF+u
WWWWW
WWWWW
wIVSP
VVVVV
0WWWWW
BBFFf;
QQSVWd
Y__^[
Y__^[
\$ UV
D$,9h
VVVVV
VVVVV
VVVVV
VVVVV
VVVVV
VVVVV
VVVVV
YYuTVWh
0SSSSS
SSSSS
PPPPP
PPPPP
WWWWW
YYt SVW
UUUUU
SSSSS
SSSSS
SSSSS
SSSSS
0;1t|
SSSSS
0SSSSS
SSSSS
SSSSS
SSSSS
0SSSSS
WWWWW
WWWWW
SSSSS
SSSSS
SSSSS
SSSSS
Vj<RP
VVVVV
VVVVV
^WWWWW
^WWWWW
WWWWW
WWWWW
WWWWW
Wj<RS
9} ug
9} t`9}$uV9}(uV
>:u3;
9E vJPS
9u(v(V
9u wk3
^WWWWW
YSSSSS
</YYt
VVVVV
0WWWWW
@@BBf;
@@BBf;
SSSSS
SSSSS
YYt:V
Wh pI
YYt4V
YYu-9D$
u-9D$
PPPPP
QQQQQ
QQQQQ
, <Xw
HHt]+
2If90t
PPPPP
<dtN<it.<ot*<ut&<xt"<Xt
Xu_<dt
SSSSS
, <Xw
}l9]luHj
UPu";
t%HHt
UPuC;
*uo9}lu
<dt[<itW<otS<utO<xtK<XtG
tt9}lu
9}hu!
>9}lu
WWWWW
]p9}lu?
N9Ep~
9}hup
tU9}l
9}hu&
@t:9}lu
f9}lu
9}hth
@t29}lu
9}ht2
c9}lu
9}hu2
EttC;
6If98t
9}tu
]@+](+]8
ELSj
uJ9}huE3
9}<|>
HHtAHHt
HHt]+
PPPPP
t^9(uZ
Y_^][
VVVVV
Y9>t7j
SSSSS
SSSSS
PPPPP
SSSSS
PhTrI
3hXrI
PPPPP
3hXrI
uFh\rI
VVVVV
VVVVV
VVVVV
M\_^3
PPPPP
E|SV3
VVVVV
aSSSh
Mp_^3
SSSSS
VVVVV
VVVVV
VVVVV
VVVVV
VVVVV
VVVVV
VVVVV
PPPPP
<Yv8V
VVVVV
VVVVV
VVVVV
]_^[Y
t$<"u
>=Yt/j
tJVUP
SSSSS
Y]_^[
< tK<
@PVSS
t#SSUP
t$$VSS
_^][YY
j(j ^V
Rj(j
I=csm
s[S;7|G;w
tR99u2
@_^[]
URPQQh
9~\u'
PPPPP
PPPPP
_VVVVV
_VVVVV
VVVVV
zukSSS
YYt>S
M`_^3
SSSSS
WWWWW
SSSSS
jF<-uH
]t=F:
YYj0[
SSSSS
dF<-uE
]t:F:
YYj0[
PPPPP
^SSSSS
^SSSSS
j"^SSSSS
PPPPP
SSSSS
VVVVV
SSSSS
SSSSS
HH_^[
VVVVV
VVVVV
SSSSS
SSSSS
PPPPPPPP
PPPPPPPP
PPPPPPPP
WWWWW
SSSSS
_VVVVV
SSSSS
SSSSS
^WWWWW
PPPPP
SSSSS
SSSSS
VVVVV
^WWWWW
VVVVV
VVVVV
VVVVV
Vt:9]
^SSSSS
^SSSSS
SSSSS
SSSSS
SSSSS
SSSSS
SSSSS
>:u8FV
SSSSS
jd_Fj
PPPPP
VVVVV
PVVRV
$f95d
.VVVVVSRSSj
VVVVVj
^SSSSS
JJt&JJt
t8JJt
tK<_t<<$t8<<t4<>t0<-t,<a|
<z~$<A|
<0|I<9
t^<A|f<P
WQt)9E
tP<@tF<Zt
th<@tdj'
EhPWje
@Yt*j
Ft)Nt
@YtNj
!Mh!MXV3
!MX8]x
ETj<P
@YtKj
t.<@t5V
TtSHtIHt?Ht
8?u(@
t*IIt
E,j`P
;<$u-
<_u_V
AtIHt0Hu
t}<?tH<Xt
WWWWW
WWWWW
VVVVV
VVVVV
WWWWW
VVVVV
VVVVV
VVVVV
^SSSSS
j"^SSSSS
QSWVj
u8SS3
9]$SS
9] SS
Pj1Q3
F Pj*
F$Pj+
F(Pj,
F,Pj-
F0Pj.
F4Pj/
F8PjD
F<PjE
FDPjG
FHPjH
FLPjI
FPPjJ
FTPjK
FXPjL
F\PjM
F`PjN
FdPjO
FhPj8
FlPj9
FpPj:
FtPj;
FxPj<
F|Pj=
C PjPV
C$PjQV
C*PjTV
C+PjUV
C,PjVV
C-PjWV
C.PjRV
C/PjSV
PPPPP
PPPPP
PPPPP
PPPPP
PPPPP
PPPPP
PPPPP
PPPPP
PPPPP
PPPPP
PPPPP
PPPPP
PPPPP
.;1s(N
tIHt$
HHt4HHt
Ht`Ht,
SVtAj
WWWWW
teHtFHt&Hu
VVVVV
SSSSS
SSSSS
ty<%tA
tOF9]
SSSSS
YYu%j
PPPPP
SSSSS
tm958
SSSSS
VVVVV
SVWUj
;t$,v-
UQPXY]Y[
u/WW3
u,VVWV
WWWWW
WWWWW
VVVVV
VVVVV
ji_jd^f;
t:f=o
t4f=u
t.f=x
t(f=X
Xupf;
SSSSS
UHu%3
UHuE;
t:f=i
t4f=o
t.f=u
t(f=x
t"f=X
VVVVV
99Ex~
9]x~'
EptU;
EP9]P|
-9upu
Kf90t
ELSj
ELSj
9}@|H
It(It%It
PPPPP
SSSSS
PPPPP
SSSSW
SSSSW
PPPPP
0SSSSS
PPPPP
_VVVVV
^SSSSS
SSSSS
^WWWWW
WWWWW
VVVVV
0SSSSS
SSSSS
8VVVVV
VVVVV
VW|Z;
VW|[;
VVVVV
VVVVV
~,WPV
WWWWW
WWWWV
t+WWVPV
SSSSS
SSSSS
VVVVV
SSSSS
SSSSS
VVVVV
^SSSSS
^SSSSS
0SSSSS
WWWWW
WWWWW
WWWWW
SSSSS
7GG9]
SSSSS
<+t(<-t$:
+t HHt
u&f!;f;
VVVVV
VVVVV
VVVVV
_^][Y
9T$$W
D$ #D$$
#L$$#
SSSSS
SSSSS
QQSV3
VVVVj
@A;D$
WWWWW
WWWWW
SSSSS
tb9} u
rpf=Z
rJf=*
r6f=J
t{~Bj
SSSSS
SSSSS
SSSSS
tSj=V
YYt\VV
SSSSS
WWWWW
9~$~!S
G;~$|
G;~4|
QRPhP
=)"^t"Hh
uO&ZG
.y^|s
8SZdH
Dv$6/|
CSingleDocTemplate
%s (%s:%d)
%s (%s:%d)
Exception thrown in destructor
f:\rtm\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
CommDlgExtendedError
CWinApp
Recent File List
File%d
Settings
PreviewPages
DeactivateActCtx
ActivateActCtx
ReleaseActCtx
CreateActCtxA
KERNEL32
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
NoDrives
RestrictRun
NoNetConnectDisconnect
NoRecentDocsHistory
NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Network
NoEntireNetwork
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
NoPlacesBar
NoBackButton
NoFileMru
Automation
Embedding
Unregserver
Unregister
Regserver
Register
ntdll.dll
Control Panel\Desktop\ResourceLocale
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
kernel32.dll
%s.dll
software
system
Software\
CDialog
MS Shell Dlg
COleException
CLSID
CInvalidArgException
CNotSupportedException
CMemoryException
CException
CCmdTarget
CWinThread
CDocTemplate
AfxWnd80s
AfxControlBar80s
AfxMDIFrame80s
AfxFrameOrView80s
AfxOleControl80s
AfxOldWndProc423
EnumDisplayDevicesA
GetMonitorInfoA
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
USER32
InitCommonControls
InitCommonControlsEx
HtmlHelpA
hhctrl.ocx
F#32768
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CDocument
ReplaceFileA
MAPI32.DLL
MAPISendMail
CScrollView
MouseZ
Magellan MSWHEEL
MSH_SCROLL_LINES_MSG
MSH_WHEELSUPPORT_MSG
MSWHEEL_ROLLMSG
CPreviewView
CPalette
CBitmap
CFont
CBrush
CGdiObject
CPaintDC
CWindowDC
CClientDC
CUserException
CResourceException
GetLayout
GDI32.DLL
SetLayout
CCtrlView
CSplitterWnd
CreateActCtxW
comctl32.dll
comdlg32.dll
CMenu
CControlBar
CView
CFrameWnd
ImageList_Draw
ImageList_GetImageInfo
ToolbarWindow32
ReBarWindow32
CStatusBar
msctls_statusbar32
CToolBar
Marlett
DllGetVersion
CMiniDockFrameWnd
CDockBar
combobox
CPageSetupDialog
CPrintDialog
PrintDlgA
PageSetupDlgA
CObject
TypeLib
Software
SYSTEM
SECURITY
Hardware
Interface
FileType
Component Categories
AppID
Delete
NoRemove
ForceRemove
CArchiveException
CDocManager
%s\shell\open\%s
%s\shell\print\%s
%s\shell\printto\%s
%s\DefaultIcon
%s\ShellNew
command
"%1"
/p "%1"
/pt "%1" "%2" "%3" "%4"
/dde
ddeexec
[open("%1")]
[print("%1")]
[printto("%1","%2","%3","%4")]
NullFile
[printto("
[print("
[open("
CFile
InProcServer32
f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
DllGetClassObject
CMapPtrToPtr
CPtrList
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
System
CFileException
NotifyWinEvent
user32.dll
CFileDialog
GetOpenFileNameA
GetSaveFileNameA
COleServerDoc
COleIPFrameWnd
CPreviewDC
CDialogBar
CObArray
CRichEditCtrl
CImageList
CStatusBarCtrl
CToolBarCtrl
CListCtrl
CTreeCtrl
CTabCtrl
CAnimateCtrl
CHotKeyCtrl
CHeaderCtrl
CComboBoxEx
CProgressCtrl
CSliderCtrl
CSpinButtonCtrl
CDragListBox
SysListView32
SysTreeView32
msctls_updown32
msctls_trackbar32
msctls_progress32
SysHeader32
msctls_hotkey32
SysTabControl32
SysAnimate32
ImageList_Create
ImageList_Destroy
ImageList_LoadImageA
ImageList_Read
ImageList_Write
ImageList_Merge
MakeDragList
LBItemFromPt
CReBar
CMapStringToPtr
CMiniFrameWnd
CPtrArray
commdlg_SetRGBColor
commdlg_help
commdlg_ColorOK
commdlg_FileNameOK
commdlg_ShareViolation
commdlg_LBSelChangedNotify
CByteArray
%I64d
%I64u
COleLinkingDoc
Embedding %lu
f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\olecli1.cpp
DocShortcut
DefaultIcon
clsid
CDocObjectServerItem
CDocObjectServer
COleServerItem
COleClientItem
COleDocument
CDocItem
Contents
CToolTipCtrl
tooltips_class32
CScrollBar
CEdit
CComboBox
CListBox
CButton
CStatic
STATIC
BUTTON
LISTBOX
COMBOBOX
SCROLLBAR
COleDocIPFrameWnd
CObList
COleStreamFile
f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
CMetaFileDC
DragDelay
windows
DragMinDist
RichEdit Text and Objects
Rich Text Format
FileNameW
FileName
Link Source Descriptor
Object Descriptor
Link Source
Embed Source
Embedded Object
ObjectLink
OwnerLink
Native
CSharedFile
COleDocObjectItem
%s %s
COleObjectFactory
f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\olefact.cpp
CLSID\%s
CMemFile
%2\CLSID
%2\Insertable
%2\protocol\StdFileEditing\verb\0
&Edit
%2\protocol\StdFileEditing\server
CLSID\%1
CLSID\%1\ProgID
CLSID\%1\InprocHandler32
ole32.dll
CLSID\%1\LocalServer32
CLSID\%1\Verb\0
&Edit,0,2
CLSID\%1\Verb\1
&Open,0,2
CLSID\%1\Insertable
CLSID\%1\AuxUserType\2
CLSID\%1\AuxUserType\3
CLSID\%1\DefaultIcon
%3,%7
CLSID\%1\MiscStatus
CLSID\%1\InProcServer32
CLSID\%1\DocObject
%2\DocObject
CLSID\%1\Printable
CLSID\%1\DefaultExtension
%9, %8
ThreadingModel
InprocServer32
Insertable
COleBusyDialog
COleDialog
COleDispatchException
Unknown exception
SetThreadStackGuarantee
CorExitProcess
mscoree.dll
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
(null)
( 8PX
700WP
`h````
xpxxxx
('8PW
700PP
`h`hhh
xppwpp
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
bad exception
SystemFunction036
InitializeCriticalSectionAndSpinCount
e+000
GAIsProcessorFeaturePresent
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
{flat}
{for
`non-type-template-parameter
unsigned
long
short
char
<ellipsis>
,<ellipsis>
throw(
`template-parameter
cli::pin_ptr<
cli::array<
void
`anonymous namespace'
generic-type-
template-parameter-
`unknown ecsu'
union
struct
class
enum
coclass
cointerface
extern "C"
[thunk]:
public:
protected:
private:
virtual
static
`template static data member destructor helper'
`template static data member constructor helper'
`local static destructor helper'
`adjustor{
`vtordisp{
`vtordispex{
const
volatile
volatile
volatile
const
signed
double
wchar_t
UNKNOWN
__int128
__int32
__int64
__int16
__w64
__int8
float
short
 !"#$%&'()*+,-./0123456789:;<=>?@[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
am/pm
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
1#QNAN
1#INF
1#IND
1#SNAN
CONIN$
CONOUT$
'+?2LF
-np1A
VDEST
6!i3%
=sRWj
=sRVj
=sRUj
=sRTj
=sRSj
=sRRj
=sRQj
=sRPj
string too long
invalid string position
invalid string argument
=L9o<
OLEACC.dll
bad allocation
BBoVTdpb
ualAlloc
taskmgr.exe
ptAcquire
ContextA
ADVAPI32.DLL
ywfTGtCMgwRJtgeUpm6r90c9Q1gkxJSQN32LnwGIwAE
ImgViewer
CImgViewerDoc
CImgViewerView
DISPLAY
CMainFrame
Invalid DateTimeSpan
Invalid DateTime
RSDSQt
c:\Users\User\Desktop\2005\30.6.20\ImgViewer (1)\Release\ImgViewer.pdb
CreateStdAccessibleObject
AccessibleObjectFromWindow
LresultFromObject
WideCharToMultiByte
SizeofResource
LockResource
LoadResource
FindResourceA
LoadLibraryExA
GetProcAddress
GetCurrentProcess
ExitProcess
lstrlenA
MultiByteToWideChar
lstrcmpiA
GetEnvironmentVariableW
GetStringTypeExW
GetEnvironmentVariableA
CompareStringW
lstrlenW
GetStringTypeExA
InterlockedExchange
GetLastError
lstrcmpiW
CompareStringA
GetVersion
LoadLibraryA
GetModuleHandleA
SetLastError
lstrcmpA
GlobalLock
GlobalUnlock
GlobalDeleteAtom
FreeLibrary
GlobalAlloc
GetLocaleInfoA
EnumResourceLanguagesA
GetModuleFileNameA
ConvertDefaultLocale
GetCurrentThreadId
GetCurrentThread
GetPrivateProfileIntA
WritePrivateProfileStringA
GetPrivateProfileStringA
GlobalAddAtomA
FreeResource
GlobalFree
MulDiv
LocalFree
FormatMessageA
GlobalSize
CopyFileA
CloseHandle
SetThreadPriority
ResumeThread
WaitForSingleObject
SetEvent
SuspendThread
CreateEventA
GetCurrentProcessId
GetVersionExA
lstrcmpW
GlobalFindAtomA
GlobalGetAtomNameA
GetFileAttributesA
SetFileTime
GetFileTime
GetTempFileNameA
GetFullPathNameA
GetDiskFreeSpaceA
SearchPathA
GetProfileIntA
GetTempPathA
GetModuleFileNameW
InterlockedDecrement
GlobalFlags
GetCurrentDirectoryA
LocalAlloc
LeaveCriticalSection
TlsGetValue
EnterCriticalSection
GlobalReAlloc
GlobalHandle
InitializeCriticalSection
TlsAlloc
TlsSetValue
LocalReAlloc
DeleteCriticalSection
TlsFree
InterlockedIncrement
GetAtomNameA
GetThreadLocale
FileTimeToSystemTime
SystemTimeToFileTime
MoveFileA
DeleteFileA
ReadFile
WriteFile
SetFilePointer
FlushFileBuffers
LockFile
UnlockFile
SetEndOfFile
GetFileSize
DuplicateHandle
FindClose
FindFirstFileA
GetVolumeInformationA
GetShortPathNameA
CreateFileA
GetCPInfo
GetOEMCP
FileTimeToLocalFileTime
LocalFileTimeToFileTime
SetFileAttributesA
SetErrorMode
GetTickCount
HeapFree
HeapAlloc
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
HeapReAlloc
GetCommandLineA
GetProcessHeap
GetStartupInfoA
RtlUnwind
RaiseException
ExitThread
CreateThread
HeapSize
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
Sleep
GetACP
HeapDestroy
HeapCreate
VirtualFree
FatalAppExitA
GetStdHandle
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetSystemTimeAsFileTime
SetConsoleCtrlHandler
GetTimeZoneInformation
GetConsoleCP
GetConsoleMode
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetTimeFormatA
GetDateFormatA
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
IsValidCodePage
GetLocaleInfoW
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetEnvironmentVariableA
KERNEL32.dll
GetSystemMenu
UpdateWindow
EnableWindow
GetDC
ReleaseDC
GetSysColor
GetClientRect
GetMenu
CreatePopupMenu
AppendMenuA
InvalidateRect
IsChild
CharUpperW
CharLowerA
CharLowerW
CharUpperA
PostQuitMessage
PostMessageA
SendMessageA
GetWindow
CheckDlgButton
CheckRadioButton
GetDlgItem
GetDlgItemInt
GetDlgItemTextA
SendDlgItemMessageA
SetDlgItemInt
SetDlgItemTextA
IsDlgButtonChecked
IsDialogMessageA
GetWindowLongA
SetWindowTextA
IsWindow
GetDlgCtrlID
SetWindowLongA
MoveWindow
ShowWindow
IsWindowEnabled
SetFocus
ScrollWindowEx
SetWindowPos
GetParent
GetFocus
GetWindowTextA
GetWindowTextLengthA
EndDialog
GetNextDlgTabItem
DestroyWindow
CreateDialogIndirectParamA
GetSystemMetrics
SetActiveWindow
GetActiveWindow
GetDesktopWindow
RemoveMenu
GetSubMenu
GetMenuItemCount
InsertMenuA
GetMenuItemID
GetMenuStringA
GetMenuState
CheckMenuItem
EnableMenuItem
ModifyMenuA
LoadBitmapA
GetMenuCheckMarkDimensions
SetMenuItemBitmaps
ValidateRect
GetCursorPos
PeekMessageA
GetKeyState
IsWindowVisible
DispatchMessageA
TranslateMessage
GetMessageA
CallNextHookEx
SetWindowsHookExA
SetCursor
ShowOwnedPopups
MessageBoxA
GetLastActivePopup
GetWindowThreadProcessId
DestroyMenu
LoadAcceleratorsA
LoadMenuA
GetWindowRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
IntersectRect
OffsetRect
CallWindowProcA
DefWindowProcA
SetWindowPlacement
PtInRect
SetScrollInfo
GetScrollInfo
CopyRect
DeferWindowPos
EqualRect
ScreenToClient
AdjustWindowRectEx
RegisterClassA
GetClassInfoA
GetClassInfoExA
CreateWindowExA
ShowScrollBar
SetForegroundWindow
GetScrollPos
SetScrollPos
GetScrollRange
SetScrollRange
TrackPopupMenu
TrackPopupMenuEx
ScrollWindow
MapWindowPoints
GetMessagePos
GetMessageTime
UnhookWindowsHookEx
GetTopWindow
EndDeferWindowPos
BeginDeferWindowPos
GetForegroundWindow
RemovePropA
GetPropA
SetPropA
GetClassNameA
GetClassLongA
GetCapture
WinHelpA
LoadIconA
RegisterWindowMessageA
SetCapture
ReleaseCapture
FindWindowA
IsRectEmpty
FillRect
DrawIcon
SetWindowRgn
ClientToScreen
SetTimer
KillTimer
LoadCursorA
SetRect
DestroyCursor
TabbedTextOutA
DrawTextA
DrawTextExA
GrayStringA
GetWindowDC
BeginPaint
EndPaint
InflateRect
GetMenuItemInfoA
TranslateAcceleratorA
SetMenu
BringWindowToTop
SetRectEmpty
InsertMenuItemA
ReuseDDElParam
UnpackDDElParam
IsZoomed
DeleteMenu
SetParent
DestroyIcon
GetDialogBaseUnits
GetSysColorBrush
InSendMessage
WindowFromDC
CopyAcceleratorTableA
CreateMenu
PostThreadMessageA
GetTabbedTextExtentA
WindowFromPoint
UnregisterClassA
GetKeyNameTextA
MapVirtualKeyA
UnionRect
GetDCEx
LockWindowUpdate
IsClipboardFormatAvailable
WaitMessage
SendNotifyMessageA
RegisterClipboardFormatA
USER32.dll
GetDeviceCaps
RealizePalette
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
CreateICA
CopyMetaFileA
CreateDCA
CreateBitmap
GetDCOrgEx
GetClipBox
SetTextColor
SetBkColor
GetObjectA
CreateEllipticRgn
DPtoLP
LPtoDP
Ellipse
StartDocA
StartPage
EndPage
SetAbortProc
AbortDoc
EndDoc
DeleteDC
CreatePen
GetViewportOrgEx
Rectangle
PatBlt
GetStockObject
SaveDC
RestoreDC
SetBkMode
SetPolyFillMode
SetROP2
SetStretchBltMode
SetGraphicsMode
SetWorldTransform
ModifyWorldTransform
SetMapMode
ExcludeClipRect
IntersectClipRect
OffsetClipRgn
LineTo
MoveToEx
SetTextAlign
SetTextJustification
SetTextCharacterExtra
SetMapperFlags
SetArcDirection
SetColorAdjustment
DeleteObject
SelectClipRgn
GetClipRgn
CreateRectRgn
SelectClipPath
GetViewportExtEx
GetWindowExtEx
GetPixel
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
SelectObject
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowOrgEx
OffsetWindowOrgEx
SetWindowExtEx
ScaleWindowExtEx
GetCurrentPositionEx
ArcTo
PolyDraw
PolylineTo
PolyBezierTo
ExtSelectClipRgn
CreateDIBPatternBrushPt
CreatePatternBrush
SelectPalette
PlayMetaFileRecord
GetObjectType
EnumMetaFile
PlayMetaFile
ExtCreatePen
CreateSolidBrush
CreateHatchBrush
CreateFontIndirectA
CreateRectRgnIndirect
SetRectRgn
CombineRgn
GetMapMode
GetTextExtentPoint32A
GetTextMetricsA
GetCharWidthA
CreateFontA
StretchDIBits
GetNearestColor
GetBkColor
GetBkMode
GetPolyFillMode
GetROP2
GetStretchBltMode
GetTextColor
GetTextAlign
GetTextFaceA
GetWindowOrgEx
CreateMetaFileA
CloseMetaFile
DeleteMetaFile
GDI32.dll
GetFileTitleA
comdlg32.dll
ClosePrinter
DocumentPropertiesA
OpenPrinterA
GetJobA
WINSPOOL.DRV
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegCreateKeyExA
RegSetValueExA
RegDeleteValueA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegQueryValueA
RegSetValueA
SetFileSecurityA
GetFileSecurityA
RegCreateKeyA
ADVAPI32.dll
DragAcceptFiles
DragQueryFileA
DragFinish
ExtractIconA
SHGetFileInfoA
SHELL32.dll
PathFindExtensionA
PathRemoveExtensionA
PathFindFileNameA
PathStripToRootA
PathIsUNCA
SHLWAPI.dll
oledlg.dll
CoTaskMemFree
SetConvertStg
WriteFmtUserTypeStg
WriteClassStg
OleRegGetUserType
ReadFmtUserTypeStg
ReadClassStg
StringFromCLSID
CoTreatAsClass
CreateBindCtx
ReleaseStgMedium
CoTaskMemAlloc
OleDuplicateData
CoCreateInstance
StringFromGUID2
CLSIDFromString
CoDisconnectObject
OleRegEnumVerbs
OleRegGetMiscStatus
OleTranslateAccelerator
IsAccelerator
OleCreateMenuDescriptor
OleDestroyMenuDescriptor
StgCreateDocfileOnILockBytes
CreateILockBytesOnHGlobal
OleSave
WriteClassStm
OleSaveToStream
CreateStreamOnHGlobal
OleLockRunning
OleCreateFromData
OleCreateLinkFromData
OleCreateStaticFromData
OleCreate
OleLoad
StgOpenStorageOnILockBytes
GetHGlobalFromILockBytes
OleSetContainedObject
OleCreateFromFile
OleCreateLinkToFile
OleGetIconOfClass
CreateItemMoniker
CreateGenericComposite
OleIsRunning
GetRunningObjectTable
CoLockObjectExternal
OleRun
CreateFileMoniker
CoGetMalloc
StgCreateDocfile
StgOpenStorage
StgIsStorageFile
CreateOleAdviseHolder
CreateDataAdviseHolder
OleGetClipboard
OleSetClipboard
OleIsCurrentClipboard
OleFlushClipboard
OleSetMenuDescriptor
OleQueryCreateFromData
OleQueryLinkFromData
DoDragDrop
OleUninitialize
CoFreeUnusedLibraries
OleInitialize
CoGetClassObject
CoRegisterClassObject
CoRevokeClassObject
CoRegisterMessageFilter
CLSIDFromProgID
ole32.dll
OLEAUT32.dll
Apartment
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
z?aUY
zc%C1
-64OS
)H,OT
q>eqE:,j
Y;)=6G
q:nj6/ms
M,7:4
N3nhF
:4Via
@@P85%
/2r8U
ALuq{
g",Mt(|
NHw}N
4?+Dg
p[YPb
t!$hh
q/99+
0D')-
!W] Y
'}F8a
CQ7xs(!
rML~5
x8\fP
T-]Oz
J~{JF
O}$||
0p1f4
"1jJx
+)<D_
l8!>I
u`Dvlq
72mzad
-#h8d
$^~VU
;2\t:t
Bn5Tb?
UDinh
Gl2o|#
$yg2AT
6`~Y$
]{#]L
([:[]
?O;Tz
,(Lc!
o8gb?
%.&b-
ye'?:
i'9tH
<ZNpKy
F,3HL
Ltg`NSi
ASt4t
"}6k]_
z6*o1
9+.AT
b[Zf*
)W1>*
T6mG<
]M2$ dw
C6=3eY
246M>
^#ds~
E'4o/K$
vku]LYXv
IcZBa
2Ep-W
PFa!}
V{qk2
"2[,"S
r]N _
A8%;L
Wr2LF
'yCWp
n%6Y:
+'O{p
`ey])
CxR'`DM
^m!qZ
K8#pc
0RrJP
'd`~2
Kyf#X
^YTaR
H`L+2#
ZbF ^
[i#?S
#z+U>
+33q&
p{[4.
W8+CR
,9?q[
.k6c0
y~!GJlR
[ \c+XF
}u2"&
q:?&z
QtYaBX
/K(:l
S`B<[
}:gI4
ERI0Fq
Dn`}O
%j^cD
N\?`p
rfIcpo2
"~*tl
TcS^h
XFg7LmF
k1.zC
~"4fm
}iSpP
DN7m=M
~<yi3
qWBb?Uw
(j:l3
xi(t&
xe/i0
^.(l8
K67c="W
7I(jL
1;&p8
C?!/;'1
e\^F>
b_+UW
/ L,)
U'*l*:h
\Q5/3&~
zd'l55
6x>:$
9)0u-\Q
JnPHusu
,a#J,zef5Y
vUxmE
},Z&r
x[@lO
emM'.r
p >Ci
SJ5zo
P9.)u
"8_wG
c=6,TF
C0X(wy
n[b&|L
~H%hLY3b
6zo!Y
PS<Ye`@
#eX8+F0
bvYJY
y#!4k
C_?hL
%x+0hR9JHi
C4H2B
pq%2K
Bi1<//
qEi'6
F^'9G
&5q/2
<&V^=
pob?m=
h,158
Uz'w\
#>5abH
g8V8~HC
fso<F
0U#%q
-*O&6
""""".
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
DDDDDDDD
wwwwwwwwwwwwwwww
wwwwwwww
wwwwwwwwwwwwwwwwwww
wwwwwwww
wwwwwp
wwpwwwwppw
wwwww
wwwww
33330w
wwwwwp
wwwww
33330
xpwwwww
wwwww
wwwwppp
wwwww
wwwww
pppwpDwp
wwDwp
wwwwwwww
wwwwwwwwwwwwppwwwDwp
wwwwwpwppww
wwwwwwwwwwwwww
wwpDww
wwwwwww
wwwwwwwwwwwwwwp
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
</assembly>
Kjjjj
jjjjj
G;H0H
accParent
accChildCount
accChild
accName
accValue
accDescription
accRole
accState
accHelp
accHelpTopic
accKeyboardShortcut
accFocus
accSelection
accDefaultAction
accSelect
accLocation
accNavigate
accHitTest
accDoDefaultAction
(null)
((((( H
h(((( H
H
&File
&Open...
Ctrl+O
&Close
&Print...
Ctrl+P
Print Pre&view
P&rint Setup...
Sen&d...
Proper&ties
Recent File
E&xit
&View
&Toolbar
&Status Bar
&Help
&About ImgViewer...
About ImgViewer
MS Sans Serif
ImgViewer Version 1.2
Copyright (C) chensu 2000 - 2002
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
CompanyName
chensu
FileDescription
ImgViewer MFC Application
FileVersion
InternalName
ImgViewer
LegalCopyright
Copyright (C) chensu 2000 - 2002
LegalTrademarks
OriginalFilename
ImgViewer.EXE
PrivateBuild
ProductName
ImgViewer Application
ProductVersion
SpecialBuild
VarFileInfo
Translation
MS Shell Dlg
&New
Cancel
&Help
MS Shell Dlg
MS Shell Dlg
Printing
Document :
Page :
Printer :
Port :
Cancel
MS Shell Dlg
&Print...
&Next Page
Pre&v Page
Zoom &In
Zoom &Out
&Close
ImgViewer
Image
Image Files (*.bmp; *.gif; *.jpg; *.ico; *.emf; *.wmf)
.bmp;.gif;.jpg;.ico;.emf;.wmf
ImgViewer.Document
ImgViewer DocumentRPath name: %s
Size: %d x %d pixels
Picture Type: %hd (%s)
Attributes: 0x%08X (%s)
Unknown
PICTYPE_UNINITIALIZED
PICTYPE_NONE
PICTYPE_BITMAP
PICTYPE_METAFILE
PICTYPE_ICON
PICTYPE_ENHMETAFILE
PICTURE_SCALABLE
PICTURE_TRANSPARENT
Nonem%s
ImgViewer cannot read this file.
This is not a valid image file, or its format is not currently supported.
ImgViewer
Ready
Create a new document
Open an existing document
Close the active document
Close
Save the active document
Save0Save the active document with a new name
Save As&Change the printing options
Page Setup3Change the printer and printing options
Print Setup
Print the active document
Print
Display full pages
Print Preview
/Sends the document through electronic mail
?Display program information, version number and copyright
About4Quit the application; prompts to save documents
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document(Switch to the next window pane
Next Pane5Switch back to the previous window pane
Previous Pane
(Split the active window into panes
Split
Erase the selection
Erase
Erase everything
Erase All3Copy the selection and put it on the Clipboard
Copy1Cut the selection and put it on the Clipboard
Find the specified text
Insert Clipboard contents
Paste
Repeat the last action
Repeat1Replace specific text with different text
Replace%Select the entire document
Select All
Undo the last action
Undo&Redo the previously undone action
'Show or hide the toolbar
Toggle ToolBar,Show or hide the status bar
Toggle StatusBar
Change the window size
Change the window position
Reduce the window to an icon
Enlarge the window to full size"Switch to the next document window&Switch to the previous document window9Close the active window and prompts to save the documents
!Restore the window to normal size
Activate Task List
Save As
All Files (*.*)
Untitled
'Close print preview mode
Cancel Preview
an unnamed file
3Displays the properties of this document
Properties
&Hide
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Out of memory.
An unknown error has occurred.$An invalid argument was encountered.
Invalid filename.
Failed to open document.
Failed to save document.
Save changes to %1? Failed to create empty document.
The file is too large to open.
Could not start print job.
Failed to launch help.
Internal application error.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
#Unable to read write-only property.#Unable to write read-only property.
Unexpected file format.V%1
Cannot find this file.
Please verify that the correct path and file name are given.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Please enter an integer.
Please enter a number.*Please enter an integer between %1 and %2.(Please enter a number between %1 and %2.(Please enter no more than %1 characters.
Please select a button.*Please enter an integer between 0 and 255. Please enter a positive integer. Please enter a date and/or time.
Please enter a currency.
Please enter a GUID.
Please enter a time.
Please enter a date.
No error occurred.-An unknown error occurred while accessing %1.
%1 was not found.
%1 contains an invalid path.=%1 could not be opened because there are too many open files.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on %15A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
%1 has a bad format."%1 contained an unexpected object. %1 contains an incorrect schema.
#Unable to load mail system support.
Mail system DLL is invalid.!Send Mail failed to send message.
pixels
%1: %2
Continue running script?
Dispatch exception: %1
Uncheck
Check
Mixed
on %1
&One Page
&Two Page
Page %u
Page %u
Pages %u-%u
Output.prn1Printer Files (*.prn)|*.prn|All Files (*.*)|*.*||
Print to File
to %1

Full Results

Engine Signature
Bkav Clean
ClamAV Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Malwarebytes Clean
Zillya Clean
SUPERAntiSpyware Clean
Sangfor Clean
K7AntiVirus Clean
Alibaba Clean
K7GW Clean
Cybereason Clean
Invincea Clean
Baidu Clean
F-Prot Clean
Symantec Clean
ESET-NOD32 Clean
APEX Malicious
Avast Clean
Cynet Clean
Kaspersky Clean
BitDefender Gen:Variant.Graftor.774444
NANO-Antivirus Clean
Paloalto Clean
ViRobot Clean
MicroWorld-eScan Gen:Variant.Graftor.774444
Tencent Clean
Ad-Aware Gen:Variant.Graftor.774444
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
TrendMicro Clean
Trapmine Clean
FireEye Gen:Variant.Graftor.774444
Emsisoft Trojan.Emotet (A)
Ikarus Clean
Cyren Clean
Jiangmin Clean
eGambit Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Endgame malicious (high confidence)
Arcabit Trojan.Graftor.DBD12C
AegisLab Clean
ZoneAlarm Clean
Avast-Mobile Clean
GData Gen:Variant.Graftor.774444
TACHYON Clean
AhnLab-V3 Clean
Acronis suspicious
BitDefenderTheta Clean
ALYac Gen:Variant.Graftor.774444
MAX malware (ai score=88)
VBA32 Clean
Cylance Clean
Zoner Clean
TrendMicro-HouseCall Clean
Rising Malware.Heuristic!ET#87% (RDMK:cmRtazozh0Q3m+vyA9pvIA7nsRzx)
Yandex Clean
SentinelOne Clean
MaxSecure Clean
Fortinet Clean
Webroot Clean
AVG Clean
Panda Clean
CrowdStrike Clean
Qihoo-360 Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 95.213.236.64 Russian Federation
Y 87.106.139.101 Germany
Y 8.8.8.8 United States
Y 79.45.112.220 Italy
Y 75.139.38.211 United States
Y 74.208.45.104 United States
Y 73.11.153.178 United States
Y 64.88.202.250 United States
Y 61.19.246.238 Thailand
Y 5.196.74.210 France
Y 41.203.62.170 South Africa
Y 37.187.72.193 France
Y 31.31.77.83 Czech Republic
Y 24.1.189.87 United States
Y 212.51.142.238 Switzerland
Y 209.141.54.221 United States
Y 203.153.216.189 Indonesia
Y 201.173.217.124 Mexico
Y 200.55.243.138 Argentina
Y 186.208.123.210 Brazil
Y 169.239.182.217 South Africa
Y 121.124.124.40 Korea, Republic of
Y 113.160.130.116 Vietnam
Y 104.236.246.93 United States
Y 103.86.49.11 Thailand
Y 1.1.1.1 Australia

TCP

Source Source Port Destination Destination Port
192.168.1.4 49191 103.86.49.11 8080
192.168.1.4 49186 104.236.246.93 8080
192.168.1.4 49194 113.160.130.116 8443
192.168.1.4 49201 121.124.124.40 7080
192.168.1.4 49190 169.239.182.217 8080
192.168.1.4 49198 186.208.123.210 443
192.168.1.4 49185 200.55.243.138 8080
192.168.1.4 49200 201.173.217.124 443
192.168.1.4 49196 203.153.216.189 7080
192.168.1.4 49195 209.141.54.221 8080
192.168.1.4 49184 212.51.142.238 8080
192.168.1.4 49202 24.1.189.87 8080
192.168.1.4 49205 31.31.77.83 443
192.168.1.4 49199 37.187.72.193 8080
192.168.1.4 49203 41.203.62.170 80
192.168.1.4 49204 5.196.74.210 8080
192.168.1.4 49187 61.19.246.238 443
192.168.1.4 49183 64.88.202.250 80
192.168.1.4 49197 73.11.153.178 8080
192.168.1.4 49193 74.208.45.104 8080
192.168.1.4 49207 75.139.38.211 80
192.168.1.4 49188 79.45.112.220 80
192.168.1.4 49192 87.106.139.101 8080
192.168.1.4 49189 95.213.236.64 8080

UDP

Source Source Port Destination Destination Port
192.168.1.4 51228 1.1.1.1 53
192.168.1.4 62350 1.1.1.1 53
192.168.1.4 137 192.168.1.255 137
192.168.1.4 51228 8.8.8.8 53
192.168.1.4 62350 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-30 14:04:47.498 192.168.1.4 49188 79.45.112.220 80 TCP 1 2404321 5780 ET CNC Feodo Tracker Reported CnC Server group 22 A Network Trojan was detected 1
2020-06-30 14:06:09.842 192.168.1.4 49194 113.160.130.116 8443 TCP 1 2404301 5780 ET CNC Feodo Tracker Reported CnC Server group 2 A Network Trojan was detected 1
2020-06-30 14:06:41.481 192.168.1.4 49197 73.11.153.178 8080 TCP 1 2404320 5780 ET CNC Feodo Tracker Reported CnC Server group 21 A Network Trojan was detected 1
2020-06-30 14:06:53.966 192.168.1.4 49198 186.208.123.210 443 TCP 1 2404309 5780 ET CNC Feodo Tracker Reported CnC Server group 10 A Network Trojan was detected 1
2020-06-30 14:07:09.309 192.168.1.4 49199 37.187.72.193 8080 TCP 1 2404317 5780 ET CNC Feodo Tracker Reported CnC Server group 18 A Network Trojan was detected 1
2020-06-30 14:07:24.122 192.168.1.4 49200 201.173.217.124 443 TCP 1 2404314 5780 ET CNC Feodo Tracker Reported CnC Server group 15 A Network Trojan was detected 1
2020-06-30 14:07:45.606 192.168.1.4 49202 24.1.189.87 8080 TCP 1 2404316 5780 ET CNC Feodo Tracker Reported CnC Server group 17 A Network Trojan was detected 1

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name E2-20200630_100917.exe
PID 2788
Dump Size 806912 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\E2-20200630_100917.exe
Type PE image: 32-bit executable
PE timestamp 2020-06-30 10:09:17
MD5 c7e6d3c4dc0c9a2477093a624b3e3da5
SHA1 4f1e8e221e4dc8dcc87ff0a21bfbbe3743d8ebfd
SHA256 38ec7931414d031a725d0807bf1669832223c20f93dab2edd9249ca4fffc222e
CRC32 C6ABC1CE
Ssdeep 12288:BXH5qcS4yOhYCS5/WVFdf+0gczhS/ubHXc08WmSyex8:BXHJV/lgcz8/WcWIv
Dump Filename 38ec7931414d031a725d0807bf1669832223c20f93dab2edd9249ca4fffc222e
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
Discovery
  • T1057 - Process Discovery
    • Signature - process_interest

    Processing ( 19.432 seconds )

    • 11.84 BehaviorAnalysis
    • 5.553 Suricata
    • 1.217 Static
    • 0.275 VirusTotal
    • 0.198 CAPE
    • 0.097 TargetInfo
    • 0.085 NetworkAnalysis
    • 0.073 ProcDump
    • 0.038 Deduplicate
    • 0.026 AnalysisInfo
    • 0.017 Strings
    • 0.008 peid
    • 0.005 Debug

    Signatures ( 0.792 seconds )

    • 0.069 antiav_detectreg
    • 0.038 stealth_timeout
    • 0.033 decoy_document
    • 0.031 api_spamming
    • 0.029 infostealer_ftp
    • 0.027 territorial_disputes_sigs
    • 0.026 NewtWire Behavior
    • 0.017 infostealer_im
    • 0.017 ransomware_files
    • 0.016 antivm_generic_disk
    • 0.016 hawkeye_behavior
    • 0.014 antianalysis_detectreg
    • 0.013 antiav_avast_libs
    • 0.013 vawtrak_behavior
    • 0.012 Doppelganging
    • 0.012 mimics_filetime
    • 0.012 process_interest
    • 0.011 network_anomaly
    • 0.011 ransomware_extensions
    • 0.01 bootkit
    • 0.01 lsass_credential_dumping
    • 0.01 injection_createremotethread
    • 0.01 persistence_autorun
    • 0.01 antiav_detectfile
    • 0.009 InjectionCreateRemoteThread
    • 0.009 antisandbox_sunbelt_libs
    • 0.009 virus
    • 0.008 antivm_generic_scsi
    • 0.008 reads_self
    • 0.008 stealth_file
    • 0.008 antivm_vbox_keys
    • 0.008 infostealer_mail
    • 0.007 exec_crash
    • 0.007 injection_runpe
    • 0.007 office_com_load
    • 0.007 infostealer_bitcoin
    • 0.006 InjectionProcessHollowing
    • 0.006 antiav_bitdefender_libs
    • 0.006 antiav_bullgaurd_libs
    • 0.006 antiav_emsisoft_libs
    • 0.006 antiav_qurb_libs
    • 0.006 antiav_apioverride_libs
    • 0.006 antiav_nthookengine_libs
    • 0.006 antisandbox_sboxie_libs
    • 0.006 hancitor_behavior
    • 0.006 blackrat_registry_keys
    • 0.006 antianalysis_detectfile
    • 0.005 InjectionInterProcess
    • 0.005 antivm_vmware_keys
    • 0.005 modify_proxy
    • 0.005 masquerade_process_name
    • 0.004 EvilGrab
    • 0.004 antiemu_wine_func
    • 0.004 dynamic_function_loading
    • 0.004 malicious_dynamic_function_loading
    • 0.004 OrcusRAT Behavior
    • 0.004 recon_programs
    • 0.004 antivm_parallels_keys
    • 0.004 antivm_vbox_files
    • 0.004 browser_security
    • 0.004 disables_browser_warn
    • 0.003 antivm_generic_services
    • 0.003 infostealer_browser_password
    • 0.003 kibex_behavior
    • 0.003 kovter_behavior
    • 0.003 office_vb_load
    • 0.003 office_wmi_load
    • 0.003 process_needed
    • 0.003 antivm_xen_keys
    • 0.003 geodo_banking_trojan
    • 0.002 RegBinary
    • 0.002 antivm_vbox_libs
    • 0.002 betabot_behavior
    • 0.002 uac_bypass_eventvwr
    • 0.002 persistence_autorun_tasks
    • 0.002 persistence_bootexecute
    • 0.002 tinba_behavior
    • 0.002 persists_dev_util
    • 0.002 antivm_generic_diskreg
    • 0.002 antivm_vpc_keys
    • 0.002 masslogger_files
    • 0.002 network_dns_doh_tls
    • 0.002 revil_mutexes
    • 0.002 limerat_regkeys
    • 0.002 recon_fingerprint
    • 0.001 antidebug_guardpages
    • 0.001 banker_prinimalka
    • 0.001 cerber_behavior
    • 0.001 creates_largekey
    • 0.001 exploit_getbasekerneladdress
    • 0.001 exploit_gethaldispatchtable
    • 0.001 exploit_heapspray
    • 0.001 gootkit_behavior
    • 0.001 http_request
    • 0.001 internet_dropper
    • 0.001 network_tor
    • 0.001 persistence_registry_script
    • 0.001 Sodinokibi Behavior
    • 0.001 rat_nanocore
    • 0.001 shifu_behavior
    • 0.001 stealth_network
    • 0.001 antidbg_devices
    • 0.001 antivm_xen_keys
    • 0.001 antivm_hyperv_keys
    • 0.001 antivm_vmware_files
    • 0.001 ketrican_regkeys
    • 0.001 banker_zeus_mutex
    • 0.001 bot_drive
    • 0.001 browser_addon
    • 0.001 bypass_firewall
    • 0.001 codelux_behavior
    • 0.001 darkcomet_regkeys
    • 0.001 disables_smartscreen
    • 0.001 disables_system_restore
    • 0.001 disables_windows_defender
    • 0.001 azorult_mutexes
    • 0.001 predatorthethief_files
    • 0.001 qulab_files
    • 0.001 modify_security_center_warnings
    • 0.001 modify_uac_prompt
    • 0.001 office_security
    • 0.001 persistence_shim_database
    • 0.001 medusalocker_regkeys
    • 0.001 satan_mutexes
    • 0.001 modirat_bheavior
    • 0.001 rat_pcclient
    • 0.001 rat_spynet
    • 0.001 warzonerat_regkeys
    • 0.001 remcos_regkeys
    • 0.001 stealth_hiddenreg
    • 0.001 tampers_etw
    • 0.001 lokibot_mutexes

    Reporting ( 10.904 seconds )

    • 6.669 BinGraph
    • 4.131 JsonDump
    • 0.093 MITRE_TTPS
    • 0.011 PCAP2CERT