Detections

Yara:

Emotet

Analysis

Category: FILE
Package: Emotet
Started: 2020-05-23 10:18:01
Completed: 2020-05-23 10:22:16
Duration: 255 seconds
Options: route = inetsim
Log:
2020-05-13 09:29:15,339 [root] INFO: Date set to: 20200523T10:18:01, timeout set to: 200
2020-05-23 10:18:01,078 [root] DEBUG: Starting analyzer from: C:\tmp558c2t_g
2020-05-23 10:18:01,078 [root] DEBUG: Storing results at: C:\vNFUxGcErD
2020-05-23 10:18:01,078 [root] DEBUG: Pipe server name: \\.\PIPE\yLFdireq
2020-05-23 10:18:01,078 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-05-23 10:18:01,078 [root] INFO: Analysis package "Emotet" has been specified.
2020-05-23 10:18:01,078 [root] DEBUG: Trying to import analysis package "Emotet"...
2020-05-23 10:18:01,093 [root] DEBUG: Imported analysis package "Emotet".
2020-05-23 10:18:01,093 [root] DEBUG: Trying to initialize analysis package "Emotet"...
2020-05-23 10:18:01,093 [root] DEBUG: Initialized analysis package "Emotet".
2020-05-23 10:18:01,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-05-23 10:18:01,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-05-23 10:18:01,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-05-23 10:18:01,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-05-23 10:18:01,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-05-23 10:18:01,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-05-23 10:18:01,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-05-23 10:18:01,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-05-23 10:18:01,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-05-23 10:18:01,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-05-23 10:18:01,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-05-23 10:18:01,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-05-23 10:18:01,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-05-23 10:18:01,218 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-05-23 10:18:01,218 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-05-23 10:18:01,218 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-05-23 10:18:01,218 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-05-23 10:18:01,218 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-05-23 10:18:01,218 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-05-23 10:18:01,218 [lib.api.screenshot] DEBUG: Importing 'math'
2020-05-23 10:18:01,218 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-05-23 10:18:01,359 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-05-23 10:18:01,359 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-05-23 10:18:01,375 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-05-23 10:18:01,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-05-23 10:18:01,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-05-23 10:18:01,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-05-23 10:18:01,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-05-23 10:18:01,390 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-05-23 10:18:01,390 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-05-23 10:18:01,390 [root] DEBUG: Initialized auxiliary module "Browser".
2020-05-23 10:18:01,390 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-05-23 10:18:01,390 [root] DEBUG: Started auxiliary module Browser
2020-05-23 10:18:01,390 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-05-23 10:18:01,390 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-05-23 10:18:01,390 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-05-23 10:18:01,406 [root] DEBUG: Started auxiliary module Curtain
2020-05-23 10:18:01,406 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-05-23 10:18:01,406 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-05-23 10:18:01,406 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-05-23 10:18:01,406 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-05-23 10:18:01,859 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-05-23 10:18:01,859 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-05-23 10:18:01,875 [root] DEBUG: Started auxiliary module DigiSig
2020-05-23 10:18:01,875 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-05-23 10:18:01,875 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-05-23 10:18:01,875 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-05-23 10:18:01,906 [root] DEBUG: Started auxiliary module Disguise
2020-05-23 10:18:01,906 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-05-23 10:18:01,906 [root] DEBUG: Initialized auxiliary module "Human".
2020-05-23 10:18:01,906 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-05-23 10:18:01,906 [root] DEBUG: Started auxiliary module Human
2020-05-23 10:18:01,906 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-05-23 10:18:01,906 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-05-23 10:18:01,906 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-05-23 10:18:01,953 [root] DEBUG: Started auxiliary module Procmon
2020-05-23 10:18:01,953 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-05-23 10:18:01,953 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-05-23 10:18:01,953 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-05-23 10:18:01,953 [root] DEBUG: Started auxiliary module Screenshots
2020-05-23 10:18:01,953 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-05-23 10:18:01,953 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-05-23 10:18:01,968 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-05-23 10:18:01,968 [root] DEBUG: Started auxiliary module Sysmon
2020-05-23 10:18:01,968 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-05-23 10:18:01,968 [root] DEBUG: Initialized auxiliary module "Usage".
2020-05-23 10:18:01,968 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-05-23 10:18:01,968 [root] DEBUG: Started auxiliary module Usage
2020-05-23 10:18:01,968 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL option
2020-05-23 10:18:01,968 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL_64 option
2020-05-23 10:18:01,968 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a loader option
2020-05-23 10:18:01,968 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a loader_64 option
2020-05-23 10:18:02,078 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\EE0CH2Xu3Nt2.exe" with arguments "" with pid 3004
2020-05-23 10:18:02,078 [lib.api.process] INFO: Monitor config for process 3004: C:\tmp558c2t_g\dll\3004.ini
2020-05-23 10:18:02,093 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 10:18:02,093 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-05-23 10:18:02,093 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA:SendMessageA:srand:GetSystemTimeAsFileTime' sent to monitor
2020-05-23 10:18:02,093 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\wNvaeZRT.dll, loader C:\tmp558c2t_g\bin\TqnebDl.exe
2020-05-23 10:18:02,171 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\yLFdireq.
2020-05-23 10:18:02,171 [root] DEBUG: Loader: Injecting process 3004 (thread 3032) with C:\tmp558c2t_g\dll\wNvaeZRT.dll.
2020-05-23 10:18:02,187 [root] DEBUG: Process image base: 0x00400000
2020-05-23 10:18:02,203 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wNvaeZRT.dll.
2020-05-23 10:18:02,234 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 10:18:02,234 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wNvaeZRT.dll.
2020-05-23 10:18:02,234 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3004
2020-05-23 10:18:04,296 [lib.api.process] INFO: Successfully resumed process with pid 3004
2020-05-23 10:18:04,453 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 10:18:04,453 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 10:18:04,453 [root] DEBUG: Process dumps enabled.
2020-05-23 10:18:04,453 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 10:18:04,468 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 10:18:04,468 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3004 at 0x6fa60000, image base 0x400000, stack from 0x186000-0x190000
2020-05-23 10:18:04,468 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\EE0CH2Xu3Nt2.exe".
2020-05-23 10:18:04,531 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x770d0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7713b5f0, Wow64PrepareForException: 0x0
2020-05-23 10:18:04,640 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2f0000
2020-05-23 10:18:04,734 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 10:18:04,812 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-05-23 10:18:04,906 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x3f0f, Entropy 6.328023e+00
2020-05-23 10:18:05,000 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-05-23 10:18:05,093 [root] INFO: loaded: b'3004'
2020-05-23 10:18:05,093 [root] INFO: Loaded monitor into process with pid 3004
2020-05-23 10:18:05,328 [root] DEBUG: DLL unloaded from 0x6F9D0000.
2020-05-23 10:18:05,453 [root] DEBUG: DLL loaded at 0x03700000: C:\Windows\system32\WerFault.exe (0x5b000 bytes).
2020-05-23 10:18:08,984 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00300000 (thread 3032)
2020-05-23 10:18:09,000 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00300000 (allocation base 0x00300000).
2020-05-23 10:18:09,000 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x300000 - 0x30a000.
2020-05-23 10:18:09,000 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00300000.
2020-05-23 10:18:09,000 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0030003C.
2020-05-23 10:18:09,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00300000.
2020-05-23 10:18:09,015 [root] DEBUG: ShellcodeExecCallback: About to scan region for a PE image (base 0x00300000, size 0xa000).
2020-05-23 10:18:09,015 [root] DEBUG: DumpPEsInRange: Scanning range 0x300000 - 0x30a000.
2020-05-23 10:18:09,015 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x30053f
2020-05-23 10:18:09,031 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-05-23 10:18:09,031 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0030053F.
2020-05-23 10:18:09,046 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\3004_6642725282522524052020', b'8;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?0x00300000;?', ['3004'], 'CAPE')
2020-05-23 10:18:09,093 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x9a00.
2020-05-23 10:18:09,093 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x30153f-0x30a000.
2020-05-23 10:18:09,093 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2020-05-23 10:18:09,093 [root] DEBUG: set_caller_info: Adding region at 0x00300000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-05-23 10:18:09,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 10:18:09,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 10:18:09,109 [root] DEBUG: ProcessImageBase: EP 0x00003F0F image base 0x00400000 size 0x0 entropy 6.350293e+00.
2020-05-23 10:18:09,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00300000.
2020-05-23 10:18:09,109 [root] DEBUG: ProtectionHandler: Adding region at 0x00361000 to tracked regions.
2020-05-23 10:18:09,109 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00361000.
2020-05-23 10:18:09,125 [root] DEBUG: AddTrackedRegion: New region at 0x00360000 size 0x9000 added to tracked regions: EntryPoint 0x51f0, Entropy 5.869380e+00
2020-05-23 10:18:09,125 [root] DEBUG: ProtectionHandler: Address: 0x00361000 (alloc base 0x00360000), NumberOfBytesToProtect: 0x8600, NewAccessProtection: 0x20
2020-05-23 10:18:09,125 [root] DEBUG: ProtectionHandler: Increased region size at 0x00361000 to 0x9600.
2020-05-23 10:18:09,125 [root] DEBUG: ProtectionHandler: New code detected at (0x00360000), scanning for PE images.
2020-05-23 10:18:09,125 [root] DEBUG: DumpPEsInRange: Scanning range 0x360000 - 0x369600.
2020-05-23 10:18:09,125 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x360000
2020-05-23 10:18:09,125 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x00360000
2020-05-23 10:18:09,125 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 10:18:09,140 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00360000.
2020-05-23 10:18:09,140 [root] DEBUG: DumpProcess: Module entry point VA is 0x000051F0.
2020-05-23 10:18:09,140 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\3004_5095476689181623652020', b'8;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?0x00360000;?', ['3004'], 'CAPE')
2020-05-23 10:18:09,421 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9a00.
2020-05-23 10:18:09,421 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x361000-0x369600.
2020-05-23 10:18:09,437 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x00360000 - 0x00369600.
2020-05-23 10:18:09,437 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x00360000.
2020-05-23 10:18:09,437 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x360000 - 0x369600.
2020-05-23 10:18:09,437 [root] DEBUG: set_caller_info: Adding region at 0x00360000 to caller regions list (ntdll::LdrGetDllHandle).
2020-05-23 10:18:09,453 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\crypt32 (0x122000 bytes).
2020-05-23 10:18:09,453 [root] DEBUG: DLL loaded at 0x762F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-05-23 10:18:09,468 [root] DEBUG: DLL loaded at 0x765C0000: C:\Windows\syswow64\urlmon (0x124000 bytes).
2020-05-23 10:18:09,484 [root] DEBUG: DLL loaded at 0x76260000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-05-23 10:18:09,484 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-05-23 10:18:09,484 [root] DEBUG: DLL loaded at 0x76180000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-05-23 10:18:09,484 [root] DEBUG: DLL loaded at 0x75FC0000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-05-23 10:18:09,484 [root] DEBUG: DLL loaded at 0x76250000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-05-23 10:18:09,500 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\system32\version (0x9000 bytes).
2020-05-23 10:18:09,500 [root] DEBUG: DLL loaded at 0x74CF0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-05-23 10:18:09,500 [root] DEBUG: DLL loaded at 0x75F30000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-05-23 10:18:09,500 [root] DEBUG: DLL loaded at 0x76900000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-05-23 10:18:09,515 [root] DEBUG: DLL loaded at 0x76300000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-05-23 10:18:09,515 [root] DEBUG: DLL loaded at 0x74390000: C:\Windows\system32\userenv (0x17000 bytes).
2020-05-23 10:18:09,515 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\profapi (0xb000 bytes).
2020-05-23 10:18:09,531 [root] DEBUG: DLL loaded at 0x74350000: C:\Windows\system32\wtsapi32 (0xd000 bytes).
2020-05-23 10:18:09,546 [root] INFO: Disabling sleep skipping.
2020-05-23 10:18:16,000 [root] DEBUG: DLL loaded at 0x75DE0000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-05-23 10:18:16,015 [root] DEBUG: DLL loaded at 0x73950000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-05-23 10:18:16,031 [root] DEBUG: DLL loaded at 0x74D00000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-05-23 10:18:16,046 [root] DEBUG: DLL loaded at 0x750A0000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-05-23 10:18:16,046 [root] DEBUG: DLL loaded at 0x75D20000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-05-23 10:18:16,046 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-05-23 10:18:16,062 [root] DEBUG: DLL loaded at 0x72FF0000: C:\Windows\system32\propsys (0xf5000 bytes).
2020-05-23 10:18:16,078 [root] DEBUG: DLL loaded at 0x73CD0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-05-23 10:18:16,078 [root] DEBUG: DLL loaded at 0x75F60000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-05-23 10:18:16,093 [root] DEBUG: DLL unloaded from 0x750D0000.
2020-05-23 10:18:16,203 [root] INFO: ('dump_file', 'C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe', '', None, 'files')
2020-05-23 10:18:16,281 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1440
2020-05-23 10:18:16,281 [lib.api.process] INFO: Monitor config for process 1440: C:\tmp558c2t_g\dll\1440.ini
2020-05-23 10:18:16,281 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 10:18:16,281 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-05-23 10:18:16,281 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA:SendMessageA:srand:GetSystemTimeAsFileTime' sent to monitor
2020-05-23 10:18:16,281 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\YgXhonh.dll, loader C:\tmp558c2t_g\bin\ySPzdcqQ.exe
2020-05-23 10:18:16,328 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\yLFdireq.
2020-05-23 10:18:16,328 [root] DEBUG: Loader: Injecting process 1440 (thread 0) with C:\tmp558c2t_g\dll\YgXhonh.dll.
2020-05-23 10:18:16,328 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFDE000 Local PEB 0x000007FFFFFDC000 Local TEB 0x000007FFFFFDE000: The operation completed successfully.
2020-05-23 10:18:16,343 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1444, handle 0xa8
2020-05-23 10:18:16,343 [root] DEBUG: Process image base: 0x00000000FF540000
2020-05-23 10:18:16,343 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-05-23 10:18:16,343 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-05-23 10:18:16,375 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 10:18:16,375 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 10:18:16,375 [root] DEBUG: Process dumps enabled.
2020-05-23 10:18:16,375 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 10:18:16,390 [root] INFO: Disabling sleep skipping.
2020-05-23 10:18:16,390 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 1440 at 0x0000000072EF0000, image base 0x00000000FF540000, stack from 0x0000000007B12000-0x0000000007B20000
2020-05-23 10:18:16,390 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2020-05-23 10:18:16,468 [root] WARNING: b'Unable to place hook on LockResource'
2020-05-23 10:18:16,468 [root] WARNING: b'Unable to hook LockResource'
2020-05-23 10:18:16,515 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 10:18:16,515 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00000000FF540000.
2020-05-23 10:18:16,531 [root] DEBUG: set_caller_info: Adding region at 0x00000000FF540000 to caller regions list (user32::SendMessageW).
2020-05-23 10:18:16,687 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF540000 size 0x1000 added to tracked regions: EntryPoint 0x2b794, Entropy 5.540929e+00
2020-05-23 10:18:16,687 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-05-23 10:18:16,687 [root] INFO: loaded: b'1440'
2020-05-23 10:18:16,687 [root] INFO: Loaded monitor into process with pid 1440
2020-05-23 10:18:16,703 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-05-23 10:18:16,703 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-05-23 10:18:16,703 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\YgXhonh.dll.
2020-05-23 10:18:16,781 [root] DEBUG: DLL unloaded from 0x72FF0000.
2020-05-23 10:18:16,843 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-05-23 10:18:16,859 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-05-23 10:18:16,875 [root] DEBUG: DLL loaded at 0x73920000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-05-23 10:18:16,984 [root] DEBUG: DLL loaded at 0x72EE0000: C:\Windows\system32\mssprxy (0xc000 bytes).
2020-05-23 10:18:17,000 [root] DEBUG: DLL unloaded from 0x72EE0000.
2020-05-23 10:18:17,015 [root] DEBUG: DLL unloaded from 0x750D0000.
2020-05-23 10:18:17,109 [root] INFO: Announced 32-bit process name: glmf32.exe pid: 4152
2020-05-23 10:18:17,109 [lib.api.process] INFO: Monitor config for process 4152: C:\tmp558c2t_g\dll\4152.ini
2020-05-23 10:18:17,125 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 10:18:17,125 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-05-23 10:18:17,125 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA:SendMessageA:srand:GetSystemTimeAsFileTime' sent to monitor
2020-05-23 10:18:17,125 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\wNvaeZRT.dll, loader C:\tmp558c2t_g\bin\TqnebDl.exe
2020-05-23 10:18:17,140 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\yLFdireq.
2020-05-23 10:18:17,156 [root] DEBUG: Loader: Injecting process 4152 (thread 4148) with C:\tmp558c2t_g\dll\wNvaeZRT.dll.
2020-05-23 10:18:17,156 [root] DEBUG: Process image base: 0x00400000
2020-05-23 10:18:17,156 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wNvaeZRT.dll.
2020-05-23 10:18:17,156 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 10:18:17,156 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wNvaeZRT.dll.
2020-05-23 10:18:17,156 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4152
2020-05-23 10:18:17,171 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-05-23 10:18:17,203 [root] DEBUG: DLL unloaded from 0x00400000.
2020-05-23 10:18:17,203 [root] INFO: Announced 32-bit process name: glmf32.exe pid: 4152
2020-05-23 10:18:17,203 [lib.api.process] INFO: Monitor config for process 4152: C:\tmp558c2t_g\dll\4152.ini
2020-05-23 10:18:17,203 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 10:18:17,203 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-05-23 10:18:17,203 [lib.api.process] INFO: Option 'exclude-apis' with value 'RegOpenKeyExA:SendMessageA:srand:GetSystemTimeAsFileTime' sent to monitor
2020-05-23 10:18:17,203 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\wNvaeZRT.dll, loader C:\tmp558c2t_g\bin\TqnebDl.exe
2020-05-23 10:18:17,234 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\yLFdireq.
2020-05-23 10:18:17,234 [root] DEBUG: Loader: Injecting process 4152 (thread 4148) with C:\tmp558c2t_g\dll\wNvaeZRT.dll.
2020-05-23 10:18:17,234 [root] DEBUG: Process image base: 0x00400000
2020-05-23 10:18:17,234 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wNvaeZRT.dll.
2020-05-23 10:18:17,234 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-05-23 10:18:17,249 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wNvaeZRT.dll.
2020-05-23 10:18:17,249 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4152
2020-05-23 10:18:17,249 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 3004).
2020-05-23 10:18:17,249 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 10:18:17,249 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 10:18:17,249 [root] DEBUG: ProcessImageBase: EP 0x00003F0F image base 0x00400000 size 0x0 entropy 6.350293e+00.
2020-05-23 10:18:17,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00300000.
2020-05-23 10:18:17,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00360000.
2020-05-23 10:18:17,265 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3004
2020-05-23 10:18:17,265 [root] DEBUG: DLL unloaded from 0x77290000.
2020-05-23 10:18:17,265 [root] DEBUG: GetHookCallerBase: thread 3032 (handle 0xd0), return address 0x0036520F, allocation base 0x00360000.
2020-05-23 10:18:17,265 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-05-23 10:18:17,265 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 10:18:17,265 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-05-23 10:18:17,265 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 10:18:17,281 [root] DEBUG: DumpProcess: Module entry point VA is 0x00003F0F.
2020-05-23 10:18:17,281 [root] DEBUG: Capture of extracted payloads enabled.
2020-05-23 10:18:17,281 [root] DEBUG: Process dumps enabled.
2020-05-23 10:18:17,281 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 10:18:17,281 [root] INFO: b'C:\\vNFUxGcErD\\CAPE\\3004_1434272664323524052020|3004|0;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?'
2020-05-23 10:18:17,281 [root] INFO: cape
2020-05-23 10:18:17,281 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\3004_1434272664323524052020', b'0;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?', ['3004'], 'procdump')
2020-05-23 10:18:17,281 [root] INFO: Disabling sleep skipping.
2020-05-23 10:18:17,296 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 10:18:17,296 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4152 at 0x6fa60000, image base 0x400000, stack from 0x186000-0x190000
2020-05-23 10:18:17,296 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\SysWOW64\glmf32\glmf32.exe".
2020-05-23 10:18:17,343 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\3004_1434272664323524052020', '', False, 'files')
2020-05-23 10:18:17,359 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x770d0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7713b5f0, Wow64PrepareForException: 0x0
2020-05-23 10:18:17,359 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3f0000
2020-05-23 10:18:17,359 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-05-23 10:18:17,359 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-05-23 10:18:17,359 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x3f0f, Entropy 6.328023e+00
2020-05-23 10:18:17,359 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-05-23 10:18:17,375 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x43c00.
2020-05-23 10:18:17,375 [root] INFO: loaded: b'4152'
2020-05-23 10:18:17,375 [root] INFO: Loaded monitor into process with pid 4152
2020-05-23 10:18:17,375 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x00300000.
2020-05-23 10:18:17,375 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\3004_14773132364323524052020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?0x00300000;?', ['3004'], 'CAPE')
2020-05-23 10:18:17,390 [root] DEBUG: DLL unloaded from 0x6F9D0000.
2020-05-23 10:18:17,406 [root] DEBUG: DLL loaded at 0x03550000: C:\Windows\system32\WerFault.exe (0x5b000 bytes).
2020-05-23 10:18:17,406 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vNFUxGcErD\CAPE\3004_14773132364323524052020 (size 0x9f42)
2020-05-23 10:18:17,421 [root] DEBUG: Allocation: 0x004D0000 - 0x004DA000, size: 0xa000, protection: 0x40.
2020-05-23 10:18:17,421 [root] DEBUG: DumpRegion: Dumped stack region from 0x00300000, size 0xa000.
2020-05-23 10:18:17,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 10:18:17,421 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x00360000.
2020-05-23 10:18:17,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 10:18:17,421 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x00360000
2020-05-23 10:18:17,421 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 10:18:17,421 [root] DEBUG: ProcessImageBase: EP 0x00003F0F image base 0x00400000 size 0x0 entropy 6.350088e+00.
2020-05-23 10:18:17,437 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00360000.
2020-05-23 10:18:17,437 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x004D0000, size: 0xa000.
2020-05-23 10:18:17,437 [root] DEBUG: DumpProcess: Module entry point VA is 0x000051F0.
2020-05-23 10:18:17,437 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x004D0000.
2020-05-23 10:18:17,437 [root] DEBUG: AddTrackedRegion: New region at 0x004D0000 size 0xa000 added to tracked regions.
2020-05-23 10:18:17,453 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\3004_16320122394323524052020', b'8;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?0x00360000;?', ['3004'], 'CAPE')
2020-05-23 10:18:17,453 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x004D0000, TrackedRegion->RegionSize: 0xa000, thread 4148
2020-05-23 10:18:17,453 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 4148 type 1 at address 0x004D0000, size 2 with Callback 0x6fa67ee0.
2020-05-23 10:18:17,453 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x004D0000
2020-05-23 10:18:17,453 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4148 type 1 at address 0x004D003C, size 4 with Callback 0x6fa67b30.
2020-05-23 10:18:17,468 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x004D003C
2020-05-23 10:18:17,468 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x004D0000 (size 0xa000).
2020-05-23 10:18:17,468 [root] DEBUG: DLL unloaded from 0x77290000.
2020-05-23 10:18:17,468 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004024DA (thread 4148)
2020-05-23 10:18:17,468 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x004D0000.
2020-05-23 10:18:17,484 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4d0000: 0xdf.
2020-05-23 10:18:17,484 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-05-23 10:18:17,484 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9a00.
2020-05-23 10:18:17,484 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004024DA (thread 4148)
2020-05-23 10:18:17,484 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x004D003C.
2020-05-23 10:18:17,484 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xa369609b (at 0x004D003C).
2020-05-23 10:18:17,500 [root] DEBUG: DLL unloaded from 0x72FF0000.
2020-05-23 10:18:17,500 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x004D0000 already exists for thread 4148 (process 4152), skipping.
2020-05-23 10:18:17,500 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x004D0000.
2020-05-23 10:18:17,500 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-05-23 10:18:17,500 [root] DEBUG: DLL unloaded from 0x73CD0000.
2020-05-23 10:18:17,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00402362 (thread 4148)
2020-05-23 10:18:17,500 [root] WARNING: Unable to open termination event for pid 3004.
2020-05-23 10:18:17,500 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x004D0000.
2020-05-23 10:18:17,593 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 3004).
2020-05-23 10:18:17,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 10:18:17,640 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 10:18:18,625 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004D0000 (thread 4148)
2020-05-23 10:18:18,687 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x004D0000 (allocation base 0x004D0000).
2020-05-23 10:18:18,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4d0000 - 0x4da000.
2020-05-23 10:18:18,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x004D0000.
2020-05-23 10:18:18,703 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x004D003C.
2020-05-23 10:18:18,703 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x004D0000.
2020-05-23 10:18:18,718 [root] DEBUG: ShellcodeExecCallback: About to scan region for a PE image (base 0x004D0000, size 0xa000).
2020-05-23 10:18:18,734 [root] DEBUG: DumpPEsInRange: Scanning range 0x4d0000 - 0x4da000.
2020-05-23 10:18:18,734 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4d053f
2020-05-23 10:18:18,734 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-05-23 10:18:18,734 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x004D053F.
2020-05-23 10:18:18,750 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\4152_168781347058591623652020', b'8;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?0x004D0000;?', ['4152'], 'CAPE')
2020-05-23 10:18:18,781 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x9a00.
2020-05-23 10:18:18,781 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4d153f-0x4da000.
2020-05-23 10:18:18,796 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2020-05-23 10:18:18,796 [root] DEBUG: set_caller_info: Adding region at 0x004D0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-05-23 10:18:18,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 10:18:18,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 10:18:18,796 [root] DEBUG: ProcessImageBase: EP 0x00003F0F image base 0x00400000 size 0x0 entropy 6.350088e+00.
2020-05-23 10:18:18,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004D0000.
2020-05-23 10:18:18,812 [root] DEBUG: ProtectionHandler: Adding region at 0x004E1000 to tracked regions.
2020-05-23 10:18:18,828 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x004E1000.
2020-05-23 10:18:18,843 [root] DEBUG: AddTrackedRegion: New region at 0x004E0000 size 0x9000 added to tracked regions: EntryPoint 0x51f0, Entropy 5.869678e+00
2020-05-23 10:18:18,843 [root] DEBUG: ProtectionHandler: Address: 0x004E1000 (alloc base 0x004E0000), NumberOfBytesToProtect: 0x8600, NewAccessProtection: 0x20
2020-05-23 10:18:18,859 [root] DEBUG: ProtectionHandler: Increased region size at 0x004E1000 to 0x9600.
2020-05-23 10:18:18,875 [root] DEBUG: ProtectionHandler: New code detected at (0x004E0000), scanning for PE images.
2020-05-23 10:18:18,890 [root] DEBUG: DumpPEsInRange: Scanning range 0x4e0000 - 0x4e9600.
2020-05-23 10:18:18,906 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4e0000
2020-05-23 10:18:18,921 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x004E0000
2020-05-23 10:18:18,921 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 10:18:18,921 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x004E0000.
2020-05-23 10:18:18,921 [root] DEBUG: DumpProcess: Module entry point VA is 0x000051F0.
2020-05-23 10:18:18,937 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\4152_102447101118181623652020', b'8;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?0x004E0000;?', ['4152'], 'CAPE')
2020-05-23 10:18:18,953 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9a00.
2020-05-23 10:18:18,968 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4e1000-0x4e9600.
2020-05-23 10:18:19,015 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x004E0000 - 0x004E9600.
2020-05-23 10:18:19,031 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x004E0000.
2020-05-23 10:18:19,031 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4e0000 - 0x4e9600.
2020-05-23 10:18:19,062 [root] DEBUG: set_caller_info: Adding region at 0x004E0000 to caller regions list (ntdll::LdrGetDllHandle).
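The lines above are CAPE's extraction path in action: a write breakpoint on the base of the freshly allocated executable region and on its e_lfanew slot (offset 0x3C), a candidate header pointer (0xa369609b) rejected because it is far too large to be a real e_lfanew, an execution breakpoint that fires once control reaches 0x004D0000, and a byte-wise scan that finds a PE image at 0x4d053f whose MZ and PE\0\0 signatures have been wiped. The Python below is an added example, not CAPE's own code, that reproduces that heuristic on a constructed region: it judges a candidate by the plausibility of its NT header fields instead of the magic values, applies the same kind of upper bound on e_lfanew, skips ahead after a hit as the log shows CAPE doing, and restores the magic so ordinary PE tooling accepts the dump. The limits (E_LFANEW_MAX, MAX_SECTIONS), the skip distance and the sample header layout are assumptions chosen for the example, not CAPE's constants.

```python
"""Added example (not CAPE's code): heuristic scan of a memory region for a PE
image whose MZ / PE\0\0 signatures were wiped, the case the log reports as
'Disguised PE image (bad MZ and/or PE headers)'. Runs on a constructed region."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Assumed plausibility limits for this example, not CAPE's own constants.
E_LFANEW_MIN, E_LFANEW_MAX = 0x40, 0x400
VALID_MACHINES = {0x014C, 0x8664}   # IMAGE_FILE_MACHINE_I386 / AMD64
VALID_OPT_MAGIC = {0x10B, 0x20B}    # PE32 / PE32+
MAX_SECTIONS = 96
SCAN_SKIP_AFTER_HIT = 0x1000        # the log resumes 0x1000 past a hit (0x4d053f -> 0x4d153f)


@dataclass
class PEHit:
    offset: int        # where the (possibly wiped) DOS header starts in the region
    e_lfanew: int
    machine: int
    sections: int
    entry_point: int
    image_base: int
    size_of_image: int
    disguised: bool    # True when MZ and/or PE\0\0 is missing


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _u64(b, o): return struct.unpack_from("<Q", b, o)[0]


def probe_pe(buf: bytes, off: int) -> Optional[PEHit]:
    """Decide whether a PE image starts at buf[off] from NT header sanity checks
    alone; the MZ and PE magic values are reported, not required."""
    if off + 0x40 > len(buf):
        return None
    e_lfanew = _u32(buf, off + 0x3C)
    if not E_LFANEW_MIN <= e_lfanew < E_LFANEW_MAX:    # 'candidate pointer ... too big'
        return None
    nt = off + e_lfanew
    if nt + 24 + 0x60 > len(buf):                      # FileHeader + OptionalHeader up to SizeOfImage
        return None
    machine, n_sections = _u16(buf, nt + 4), _u16(buf, nt + 6)
    opt_size, opt_magic = _u16(buf, nt + 20), _u16(buf, nt + 24)
    if machine not in VALID_MACHINES or not 1 <= n_sections <= MAX_SECTIONS:
        return None
    if opt_magic not in VALID_OPT_MAGIC or opt_size < 0x60:
        return None
    opt = nt + 24
    entry = _u32(buf, opt + 16)
    image_base = _u32(buf, opt + 28) if opt_magic == 0x10B else _u64(buf, opt + 24)
    sec_align, file_align = _u32(buf, opt + 32), _u32(buf, opt + 36)
    size_of_image = _u32(buf, opt + 56)
    if any(a == 0 or a & (a - 1) for a in (sec_align, file_align)):   # must be powers of two
        return None
    if file_align > sec_align or size_of_image == 0:
        return None
    disguised = buf[off:off + 2] != b"MZ" or buf[nt:nt + 4] != b"PE\0\0"
    return PEHit(off, e_lfanew, machine, n_sections, entry, image_base, size_of_image, disguised)


def scan_region(buf: bytes) -> List[PEHit]:
    """Walk every byte offset of the region, as ScanForDisguisedPE does for
    0x4d0000-0x4da000 in the log, and collect the images found."""
    hits, off = [], 0
    while off + 0x40 <= len(buf):
        hit = probe_pe(buf, off)
        if hit:
            hits.append(hit)
            off += SCAN_SKIP_AFTER_HIT
        else:
            off += 1
    return hits


def repair_headers(buf: bytes, hit: PEHit) -> bytes:
    """Copy of the image from hit.offset with MZ and PE\0\0 put back so that a
    normal PE parser accepts the dump."""
    img = bytearray(buf[hit.offset:])
    img[0:2] = b"MZ"
    img[hit.e_lfanew:hit.e_lfanew + 4] = b"PE\0\0"
    return bytes(img)


def build_sample_region(size=0xA000, pe_off=0x53F, wipe_magic=True) -> bytes:
    """Constructed test input: a NOP-filled region with a minimal PE32 header at
    pe_off, loosely modelled on the log (EP 0x51F0, SizeOfImage 0xA000)."""
    e_lfanew = 0x80
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    for o, fmt, v in ((0, "<H", 0x10B), (16, "<I", 0x51F0), (28, "<I", 0x400000),
                      (32, "<I", 0x1000), (36, "<I", 0x200), (56, "<I", 0xA000), (60, "<I", 0x400)):
        struct.pack_into(fmt, opt, o, v)
    hdr = bytes(dos) + bytes(e_lfanew - 0x40) + b"PE\0\0" + file_hdr + bytes(opt)
    region = bytearray(b"\x90" * size)
    region[pe_off:pe_off + len(hdr)] = hdr
    if wipe_magic:                     # the 'disguise': magic gone, structure intact
        region[pe_off:pe_off + 2] = b"\0\0"
        region[pe_off + e_lfanew:pe_off + e_lfanew + 4] = b"\0\0\0\0"
    return bytes(region)


if __name__ == "__main__":
    region = build_sample_region()
    for h in scan_region(region):
        print(f"PE at 0x{h.offset:x} disguised={h.disguised} EP=0x{h.entry_point:x} "
              f"base=0x{h.image_base:x} size=0x{h.size_of_image:x}")
```

Run stand-alone it reports one disguised image at 0x53f, the same position relative to the region base that the log shows for 0x4d053f. The point of checking alignments, machine type and section count rather than the two magic values is exactly what makes a header wipe ineffective against this kind of extraction; the cost is a small false-positive rate on random data, which the e_lfanew bound and the power-of-two alignment rule keep low.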
2020-05-23 10:18:19,125 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\crypt32 (0x122000 bytes).
2020-05-23 10:18:19,187 [root] DEBUG: DLL loaded at 0x762F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-05-23 10:18:19,218 [root] DEBUG: DLL loaded at 0x765C0000: C:\Windows\syswow64\urlmon (0x124000 bytes).
2020-05-23 10:18:19,218 [root] DEBUG: DLL loaded at 0x76260000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-05-23 10:18:19,249 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-05-23 10:18:19,249 [root] DEBUG: DLL loaded at 0x76180000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-05-23 10:18:19,249 [root] DEBUG: DLL loaded at 0x75FC0000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-05-23 10:18:19,265 [root] DEBUG: DLL loaded at 0x76250000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-05-23 10:18:19,281 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\system32\version (0x9000 bytes).
2020-05-23 10:18:19,296 [root] DEBUG: DLL loaded at 0x74CF0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-05-23 10:18:19,296 [root] DEBUG: DLL loaded at 0x75F30000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-05-23 10:18:19,296 [root] DEBUG: DLL loaded at 0x76900000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-05-23 10:18:19,312 [root] DEBUG: DLL loaded at 0x76300000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-05-23 10:18:19,312 [root] DEBUG: DLL loaded at 0x74390000: C:\Windows\system32\userenv (0x17000 bytes).
2020-05-23 10:18:19,328 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\profapi (0xb000 bytes).
2020-05-23 10:18:19,343 [root] DEBUG: DLL loaded at 0x74350000: C:\Windows\system32\wtsapi32 (0xd000 bytes).
2020-05-23 10:18:19,734 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-05-23 10:18:19,765 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-05-23 10:18:20,312 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF0420000 to caller regions list (ntdll::NtDuplicateObject).
2020-05-23 10:18:20,328 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF90C0000 to caller regions list (ntdll::NtDuplicateObject).
2020-05-23 10:18:20,359 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF16C0000 to caller regions list (ntdll::NtClose).
2020-05-23 10:18:20,390 [root] DEBUG: DLL unloaded from 0x000007FEF3860000.
2020-05-23 10:18:28,359 [root] DEBUG: DLL loaded at 0x730E0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-05-23 10:18:28,375 [root] DEBUG: DLL loaded at 0x730D0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-05-23 10:18:28,406 [root] DEBUG: DLL loaded at 0x76B20000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-05-23 10:18:28,421 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-05-23 10:18:28,437 [root] DEBUG: DLL loaded at 0x73070000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-05-23 10:18:28,437 [root] DEBUG: DLL loaded at 0x73020000: C:\Windows\system32\webio (0x50000 bytes).
2020-05-23 10:18:28,437 [root] DEBUG: DLL unloaded from 0x73070000.
2020-05-23 10:18:28,484 [root] DEBUG: DLL loaded at 0x743D0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-05-23 10:18:28,500 [root] DEBUG: DLL loaded at 0x730C0000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-05-23 10:18:28,500 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-05-23 10:18:28,500 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-05-23 10:18:28,515 [root] DEBUG: DLL loaded at 0x730B0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-05-23 10:18:28,515 [root] DEBUG: DLL loaded at 0x73060000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-05-23 10:18:28,531 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-05-23 10:18:28,531 [root] DEBUG: DLL loaded at 0x75DE0000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-05-23 10:18:28,546 [root] DEBUG: DLL loaded at 0x73000000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-05-23 10:18:28,546 [root] DEBUG: DLL loaded at 0x72FF0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-05-23 10:18:28,562 [root] DEBUG: DLL loaded at 0x72EE0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-05-23 10:18:28,562 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-05-23 10:18:28,578 [root] DEBUG: DLL loaded at 0x72EC0000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-05-23 10:18:28,593 [root] DEBUG: DLL loaded at 0x73920000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-05-23 10:18:28,593 [root] DEBUG: DLL loaded at 0x72EB0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-05-23 10:18:28,609 [root] DEBUG: DLL loaded at 0x72E70000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-05-23 10:18:28,625 [root] DEBUG: DLL loaded at 0x72E60000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-05-23 10:18:28,640 [root] DEBUG: DLL loaded at 0x73950000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\Comctl32 (0x19e000 bytes).
2020-05-23 10:18:28,656 [root] DEBUG: DLL unloaded from 0x743C0000.
2020-05-23 10:18:28,656 [root] DEBUG: DLL unloaded from 0x730C0000.
2020-05-23 10:18:30,906 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF38B0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-05-23 10:18:32,281 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF55D0000 to caller regions list (ntdll::NtClose).
2020-05-23 10:18:32,296 [root] DEBUG: DLL unloaded from 0x000007FEF5BC0000.
2020-05-23 10:18:32,312 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5BC0000 to caller regions list (ntdll::NtFreeVirtualMemory).
2020-05-23 10:18:32,328 [root] DEBUG: DLL unloaded from 0x000007FEF6540000.
2020-05-23 10:18:32,406 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6540000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-05-23 10:18:32,437 [root] DEBUG: DLL unloaded from 0x000007FEF5610000.
2020-05-23 10:18:32,437 [root] DEBUG: DLL unloaded from 0x000007FEF63C0000.
2020-05-23 10:18:32,468 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF63C0000 to caller regions list (ntdll::NtClose).
2020-05-23 10:18:32,468 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6680000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-05-23 10:18:32,500 [root] DEBUG: DLL unloaded from 0x000007FEF5C50000.
2020-05-23 10:18:32,593 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5C50000 to caller regions list (ntdll::NtClose).
2020-05-23 10:18:32,609 [root] DEBUG: DLL unloaded from 0x000007FEF55D0000.
2020-05-23 10:18:32,625 [root] DEBUG: DLL unloaded from 0x000007FEF0420000.
2020-05-23 10:18:32,687 [root] DEBUG: DLL unloaded from 0x000007FEFDAD0000.
2020-05-23 10:18:32,703 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFD750000 to caller regions list (ntdll::NtClose).
2020-05-23 10:18:38,578 [root] DEBUG: DLL unloaded from 0x76300000.
2020-05-23 10:18:48,609 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-05-23 10:18:55,171 [root] DEBUG: DLL loaded at 0x72E10000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-05-23 10:18:55,203 [root] DEBUG: DLL loaded at 0x73050000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-05-23 10:18:55,234 [root] DEBUG: DLL loaded at 0x73040000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-05-23 10:19:00,390 [root] DEBUG: DLL unloaded from 0x000007FEF0B00000.
2020-05-23 10:19:05,203 [root] DEBUG: DLL unloaded from 0x76300000.
2020-05-23 10:19:05,234 [root] DEBUG: DLL unloaded from 0x75DE0000.
2020-05-23 10:19:05,234 [root] DEBUG: DLL unloaded from 0x73040000.
2020-05-23 10:19:05,249 [root] DEBUG: DLL unloaded from 0x72E10000.
2020-05-23 10:19:10,296 [root] DEBUG: DLL unloaded from 0x000007FEFD2B0000.
2020-05-23 10:19:15,249 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-05-23 10:19:29,546 [root] DEBUG: DLL loaded at 0x73000000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-05-23 10:19:29,562 [root] DEBUG: DLL loaded at 0x72FF0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-05-23 10:19:29,578 [root] DEBUG: DLL loaded at 0x72E60000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-05-23 10:19:39,546 [root] DEBUG: DLL unloaded from 0x76300000.
2020-05-23 10:19:39,546 [root] DEBUG: DLL unloaded from 0x75DE0000.
2020-05-23 10:19:39,546 [root] DEBUG: DLL unloaded from 0x72E60000.
2020-05-23 10:19:39,562 [root] DEBUG: DLL unloaded from 0x73000000.
2020-05-23 10:19:49,562 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-05-23 10:19:51,937 [root] DEBUG: DLL loaded at 0x72E10000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-05-23 10:19:51,937 [root] DEBUG: DLL loaded at 0x73050000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-05-23 10:19:51,953 [root] DEBUG: DLL loaded at 0x73040000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-05-23 10:20:01,921 [root] DEBUG: DLL unloaded from 0x76300000.
2020-05-23 10:20:01,921 [root] DEBUG: DLL unloaded from 0x75DE0000.
2020-05-23 10:20:01,921 [root] DEBUG: DLL unloaded from 0x73040000.
2020-05-23 10:20:01,937 [root] DEBUG: DLL unloaded from 0x72E10000.
2020-05-23 10:20:11,953 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-05-23 10:20:25,968 [root] DEBUG: DLL loaded at 0x73000000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-05-23 10:20:25,984 [root] DEBUG: DLL loaded at 0x72FF0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-05-23 10:20:25,984 [root] DEBUG: DLL loaded at 0x72E60000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-05-23 10:20:35,968 [root] DEBUG: DLL unloaded from 0x76300000.
2020-05-23 10:20:35,968 [root] DEBUG: DLL unloaded from 0x75DE0000.
2020-05-23 10:20:36,000 [root] DEBUG: DLL unloaded from 0x72E60000.
2020-05-23 10:20:45,984 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-05-23 10:20:54,031 [root] DEBUG: DLL loaded at 0x72E10000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-05-23 10:20:54,046 [root] DEBUG: DLL loaded at 0x73050000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-05-23 10:20:54,062 [root] DEBUG: DLL loaded at 0x73040000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-05-23 10:21:04,031 [root] DEBUG: DLL unloaded from 0x76300000.
2020-05-23 10:21:04,046 [root] DEBUG: DLL unloaded from 0x75DE0000.
2020-05-23 10:21:04,046 [root] DEBUG: DLL unloaded from 0x73040000.
2020-05-23 10:21:04,046 [root] DEBUG: DLL unloaded from 0x72E10000.
2020-05-23 10:21:14,046 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-05-23 10:21:15,421 [root] DEBUG: DLL loaded at 0x73000000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-05-23 10:21:15,437 [root] DEBUG: DLL loaded at 0x72FF0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-05-23 10:21:15,453 [root] DEBUG: DLL loaded at 0x72E60000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-05-23 10:21:24,968 [root] INFO: Analysis timeout hit, terminating analysis.
2020-05-23 10:21:25,015 [lib.api.process] ERROR: Failed to open terminate event for pid 3004
2020-05-23 10:21:25,015 [root] INFO: Terminate event set for process 3004.
2020-05-23 10:21:25,046 [lib.api.process] INFO: Terminate event set for process 1440
2020-05-23 10:21:25,062 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 1440).
2020-05-23 10:21:25,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-05-23 10:21:25,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF540000.
2020-05-23 10:21:25,093 [root] DEBUG: ProcessImageBase: EP 0x000000000002B794 image base 0x00000000FF540000 size 0x0 entropy 5.540934e+00.
2020-05-23 10:21:25,093 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 4700, handle 0xc10).
2020-05-23 10:21:25,109 [root] DEBUG: Terminate Event: Attempting to dump process 1440
2020-05-23 10:21:25,125 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF540000.
2020-05-23 10:21:25,125 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 10:21:25,156 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF540000.
2020-05-23 10:21:25,187 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B794.
2020-05-23 10:21:25,203 [root] INFO: b'C:\\vNFUxGcErD\\CAPE\\1440_214136211925211623652020|1440|0;?C:\\Windows\\explorer.exe;?C:\\Windows\\explorer.exe;?'
2020-05-23 10:21:25,203 [root] INFO: cape
2020-05-23 10:21:25,218 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\1440_214136211925211623652020', b'0;?C:\\Windows\\explorer.exe;?C:\\Windows\\explorer.exe;?', ['1440'], 'procdump')
2020-05-23 10:21:25,421 [root] DEBUG: DLL unloaded from 0x76300000.
2020-05-23 10:21:25,421 [root] DEBUG: DLL unloaded from 0x75DE0000.
2020-05-23 10:21:25,421 [root] DEBUG: DLL unloaded from 0x72E60000.
2020-05-23 10:21:25,437 [root] DEBUG: DLL unloaded from 0x73000000.
2020-05-23 10:21:25,468 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\1440_214136211925211623652020', '', False, 'files')
2020-05-23 10:21:25,578 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x314a00.
2020-05-23 10:21:25,609 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1440
2020-05-23 10:21:25,609 [lib.api.process] INFO: Termination confirmed for process 1440
2020-05-23 10:21:25,609 [root] INFO: Terminate event set for process 1440.
2020-05-23 10:21:25,625 [lib.api.process] INFO: Terminate event set for process 4152
2020-05-23 10:21:25,640 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 4152).
2020-05-23 10:21:25,640 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 10:21:25,656 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 10:21:25,656 [root] DEBUG: ProcessImageBase: EP 0x00003F0F image base 0x00400000 size 0x0 entropy 6.350088e+00.
2020-05-23 10:21:25,671 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004D0000.
2020-05-23 10:21:25,671 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004E0000.
2020-05-23 10:21:25,671 [root] DEBUG: Terminate Event: Attempting to dump process 4152
2020-05-23 10:21:25,671 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-05-23 10:21:25,671 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 10:21:25,687 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-05-23 10:21:25,718 [root] DEBUG: DumpProcess: Module entry point VA is 0x00003F0F.
2020-05-23 10:21:25,718 [root] INFO: b'C:\\vNFUxGcErD\\CAPE\\4152_30144719225211623652020|4152|0;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?'
2020-05-23 10:21:25,718 [root] INFO: cape
2020-05-23 10:21:25,718 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\4152_30144719225211623652020', b'0;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?', ['4152'], 'procdump')
2020-05-23 10:21:25,859 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\4152_30144719225211623652020', '', False, 'files')
2020-05-23 10:21:25,890 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x43c00.
2020-05-23 10:21:25,906 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x004D0000.
2020-05-23 10:21:25,921 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\4152_167883601225211623652020', b'9;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?0x004D0000;?', ['4152'], 'CAPE')
2020-05-23 10:21:25,984 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vNFUxGcErD\CAPE\4152_167883601225211623652020 (size 0x9f42)
2020-05-23 10:21:26,000 [root] DEBUG: DumpRegion: Dumped stack region from 0x004D0000, size 0xa000.
2020-05-23 10:21:26,000 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x004E0000.
2020-05-23 10:21:26,015 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x004E0000
2020-05-23 10:21:26,046 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 10:21:26,062 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x004E0000.
2020-05-23 10:21:26,078 [root] DEBUG: DumpProcess: Module entry point VA is 0x000051F0.
2020-05-23 10:21:26,078 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\4152_90134690426211623652020', b'8;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?0x004E0000;?', ['4152'], 'CAPE')
2020-05-23 10:21:26,140 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9a00.
2020-05-23 10:21:26,156 [lib.api.process] INFO: Termination confirmed for process 4152
2020-05-23 10:21:26,156 [root] INFO: Terminate event set for process 4152.
2020-05-23 10:21:26,156 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 4152
2020-05-23 10:21:26,156 [root] INFO: Created shutdown mutex.
2020-05-23 10:21:27,156 [root] INFO: Shutting down package.
2020-05-23 10:21:27,156 [root] INFO: Stopping auxiliary modules.
2020-05-23 10:21:27,328 [lib.common.results] WARNING: File C:\vNFUxGcErD\bin\procmon.xml doesn't exist anymore
2020-05-23 10:21:27,328 [root] INFO: Finishing auxiliary modules.
2020-05-23 10:21:27,328 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-05-23 10:21:27,343 [root] WARNING: Folder at path "C:\vNFUxGcErD\debugger" does not exist, skip.
2020-05-23 10:21:27,359 [root] INFO: Analysis completed.
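The 'dump_file' INFO lines are the analyzer's record of every artefact CAPE wrote during the run: one PE image extracted from the original process (PID 3004, EE0CH2Xu3Nt2.exe, region 0x00360000), two extractions plus a region dump from the copy running as glmf32.exe (PID 4152, regions 0x004D0000 and 0x004E0000), and the end-of-run process dumps of explorer.exe and glmf32.exe. The Python below is an added example, not part of CAPE, that parses those tuples out of log text and groups them per PID, which is how an analyst maps each dump back to the process and memory region it came from. The sample lines are copied from this log; the meaning assigned to the leading type code (0, 8, 9) and the field order (type, process path, module path, address) are inferred from how the values appear above and are assumptions, not CAPE's documented format.

```python
"""Added example (not CAPE's code): extract 'dump_file' events from a CAPE
analyzer log and summarise, per PID, what was dumped and from which region."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: meaning of the leading type code in the metadata string, inferred
# from the log (0 with 'procdump', 8 with PE image dumps, 9 with the stack region).
DUMP_TYPES = {0: "process image", 8: "extracted PE image", 9: "extracted region/shellcode"}

DUMP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[root\] INFO: \('dump_file', '(?P<path>[^']*)', "
    r"(?:b'(?P<meta>[^']*)'|'[^']*'), "
    r"(?:\['(?P<pid>\d+)'\]|\w+), '(?P<kind>\w+)'\)$",
    re.MULTILINE,
)

# Constructed input: lines copied verbatim from the analysis log above.
SAMPLE_LOG = r"""
2020-05-23 10:18:17,453 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\3004_16320122394323524052020', b'8;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\EE0CH2Xu3Nt2.exe;?0x00360000;?', ['3004'], 'CAPE')
2020-05-23 10:18:18,750 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\4152_168781347058591623652020', b'8;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?0x004D0000;?', ['4152'], 'CAPE')
2020-05-23 10:21:25,218 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\1440_214136211925211623652020', b'0;?C:\\Windows\\explorer.exe;?C:\\Windows\\explorer.exe;?', ['1440'], 'procdump')
2020-05-23 10:21:25,468 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\1440_214136211925211623652020', '', False, 'files')
2020-05-23 10:21:25,921 [root] INFO: ('dump_file', 'C:\\vNFUxGcErD\\CAPE\\4152_167883601225211623652020', b'9;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?C:\\Windows\\SysWOW64\\glmf32\\glmf32.exe;?0x004D0000;?', ['4152'], 'CAPE')
"""


@dataclass
class DumpEvent:
    timestamp: str
    path: str                  # file CAPE wrote on the guest
    kind: str                  # 'CAPE', 'procdump' or 'files'
    pid: Optional[int]
    dump_type: Optional[int]
    process: Optional[str]     # image path of the process the dump came from
    address: Optional[int]     # region address for CAPE dumps, None otherwise


def _unescape(s: str) -> str:
    """The log prints Python reprs, so every backslash appears doubled."""
    return s.replace("\\\\", "\\")


def parse_dump_events(text: str) -> List[DumpEvent]:
    """One DumpEvent per 'dump_file' line; metadata fields are ';?'-separated
    (assumed order: type, process path, module path, address)."""
    events = []
    for m in DUMP_RE.finditer(text):
        meta = m.group("meta")
        fields = meta.split(";?") if meta else []
        dump_type = int(fields[0]) if fields and fields[0].isdigit() else None
        process = _unescape(fields[1]) if len(fields) > 1 else None
        address = int(fields[3], 16) if len(fields) > 3 and fields[3].startswith("0x") else None
        events.append(DumpEvent(m.group("ts"), _unescape(m.group("path")), m.group("kind"),
                                int(m.group("pid")) if m.group("pid") else None,
                                dump_type, process, address))
    return events


def summarize_by_pid(events: List[DumpEvent]) -> Dict[int, dict]:
    """Group dumps by PID: the image each process ran as and what was pulled out of it."""
    out: Dict[int, dict] = {}
    for e in events:
        if e.pid is None:          # the 'files' bookkeeping line carries no PID
            continue
        entry = out.setdefault(e.pid, {"process": e.process, "dumps": []})
        label = DUMP_TYPES.get(e.dump_type, f"type {e.dump_type}")
        entry["dumps"].append((e.kind, label, e.address, e.path))
    return out


if __name__ == "__main__":
    for pid, info in sorted(summarize_by_pid(parse_dump_events(SAMPLE_LOG)).items()):
        print(f"PID {pid} ({info['process']})")
        for kind, label, addr, path in info["dumps"]:
            where = f" @ 0x{addr:08x}" if addr is not None else ""
            print(f"  [{kind}] {label}{where} -> {path}")
```

The per-PID grouping makes the unpacking chain in this run visible at a glance: the Temp-directory executable yields an extracted image, and the same code later runs from C:\Windows\SysWOW64\glmf32\glmf32.exe, where CAPE extracts again. Pair the addresses with the 'Module entry point VA' and entropy lines to confirm which dump is the decrypted payload before feeding it to Yara.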

Machine

Name win7x64_3
Label win7x64_7
Manager KVM
Started On 2020-05-23 10:18:01
Shutdown On 2020-05-23 10:22:16

File Details

File Name EE0CH2Xu3Nt2
File Size 278635 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2020-05-11 20:53:39
MD5 fccc6f6e8b036fd9536649cfaef73b6e
SHA1 ff783e15e551e16619371c6f4ec275575eb3eaf6
SHA256 60ac102f07fd90461ddaeb9c329708551c0c15e6993eaeaf71e57212367cf8a2
SHA512 769ff9d208227307751237effdccf07ae8c8c4d6b6a10089b301ef7c000a53315462a7dd82e2ca788ac7fa7f347c8230434d93a5b13619ed744df9df5f740a93
CRC32 F7264265
Ssdeep 6144:c8vlCNIHgU7itNX5+iWaOymY3TgsN44uEC+bwWjP8FA:XfgUut7+iWaOymY3TnaECaw48FA

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Communicates with IPs located across a large number of unique countries
country: United States
country: Germany
country: Poland
country: France
country: unknown
country: Malaysia
country: Canada
country: Colombia
country: Argentina
country: Brazil
country: Mexico
country: Vietnam
country: India
country: Australia
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3004 triggered the Yara rule 'embedded_pe'
Hit: PID 3004 triggered the Yara rule 'shellcode_patterns'
Hit: PID 3004 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 3004 triggered the Yara rule 'shellcode_peb_parsing'
Hit: PID 3004 triggered the Yara rule 'Emotet'
Hit: PID 4152 triggered the Yara rule 'Emotet'
Mimics the system's user agent string for its own requests
A process attempted to delay the analysis task.
Process: glmf32.exe tried to sleep 420.03 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: KERNELBASE.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/StringFromIID
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/ObjectStublessClient10
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegEnumKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
Performs HTTP requests potentially not found in PCAP.
url: 200.119.11.118:443/Sm1Q7u3QoYutZ0W/Au13fi/K6sGg0MBS3JzqAG4/OIFI124HsfNa6QJbq1G/
url: 103.83.81.141:8080/LoxVdmPk1Rax1N4I/
url: 190.229.148.144:80/rxqMl5uUo/Og6GiXYW/GJwAuL/5VEfM6n/7JFGUbaWn7NCaNb/HYRAwTzdsMsxgO/
url: 77.90.136.129:8080/hgL9P9pkZefit/PLrDzBbgaxG/Xk6UyNAMs5/Rc37/8xcqyA3gQzseAxhHx/zFva95u8/
url: 45.161.242.102:80/RJeuj5xd69H/1bkTn3NjML2PML/
url: 47.150.248.161:80/k2Rnth5Y2Mk8/17hxZtiw/9zshtFOpINrIe0sZ/A7raPA/ddbTX244x1ir2td/
url: 177.72.13.80:80/77yi4/PBFOuD0xn7C6KF8M8/sATcB1ioKcL2/7epCCEy7v/
url: 177.188.121.26:443/sqp9o4/LcjZ5J/eDZ4hUwUy3xiEV/viX9dWVBMaUz1bf/miERLp8Msuca49hFEi/
url: 189.1.185.248:80/cwZcU5A/rLBiylbI/MKxnePsXhGuihikfUf/3nVCjIBxjjaDSKH6AE/wzPdk/FtAcI/
url: 221.133.46.86:443/bSIVFNgA1Ab6QAG/V8bOQMa/
url: 177.38.15.151:80/FRk7ghx3RTn7nlM/p0DzVfGPW2EH9M26O0x/
url: 5.196.35.138:7080/JiTalsfknO/tokT2MhW18veqKR/8PoApOTpGVVxusDk/
url: 77.55.211.77:8080/baCXHk/diMG7uZYMbCyngdO/vTQGHz7Odg/
url: 118.69.71.14:80/VqVqFsDbHmSjS4xr/DjvyWwGB4akakeHS/ThJ4Bx0KYJ/
url: 113.190.254.245:80/d1JLiiopcVgWvPCz/
url: 204.225.249.100:7080/CeRnJtBoHrczA/Kwq3g8HiF/BAGSzpPJPbjnpg/t9DuW2WpUvFFF5/aw7Thrwqj/xG2Z8/
url: 185.94.252.12:80/y4L6e/94iE0t6GLAbCi7/s5phnc5A7lBU0fVN/y7TEaACnx2DBG9LDkw5/nWwGB/kA0h0lmKBl4CDEva0/
url: 187.162.248.237:80/t9Xr/2LHqqOTcXBOnmc5SqX/Jyk3sy4Q7krV/
url: 12.162.84.2:8080/6DfOyVqMEog7XiAw/sRnYxDc0usaAI/ynOv9QSL/yIttIHyz7IQD/BsCDt0QkMJz/
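The nineteen URLs above are the sample's embedded C2 list: bare IP addresses on ports 80, 443, 7080 or 8080, random alphanumeric path segments, and no hostname at all (the DNS section further down records no domains contacted). The Python below is an added example, not part of the CAPE report, that parses those url: lines into (ip, port, path) indicators, tests the path shape, emits an ip:port denylist, and reconciles the count against the report's direct_ip_connections figure of 21 (19 C2 addresses plus the two public resolvers 8.8.8.8 and 1.1.1.1 that appear in the Hosts table). The url: lines are copied verbatim from the report; the function names, the shape test and the reconciliation rule are illustrative.

```python
"""Turn the C2 URL list from the CAPE report into structured IOCs.

Added example, not part of the report. REPORT_URLS is copied from the
report; everything else is illustrative code.
"""
import re
from ipaddress import ip_address

# The 19 "url:" lines exactly as the report prints them.
REPORT_URLS = """\
url: 200.119.11.118:443/Sm1Q7u3QoYutZ0W/Au13fi/K6sGg0MBS3JzqAG4/OIFI124HsfNa6QJbq1G/
url: 103.83.81.141:8080/LoxVdmPk1Rax1N4I/
url: 190.229.148.144:80/rxqMl5uUo/Og6GiXYW/GJwAuL/5VEfM6n/7JFGUbaWn7NCaNb/HYRAwTzdsMsxgO/
url: 77.90.136.129:8080/hgL9P9pkZefit/PLrDzBbgaxG/Xk6UyNAMs5/Rc37/8xcqyA3gQzseAxhHx/zFva95u8/
url: 45.161.242.102:80/RJeuj5xd69H/1bkTn3NjML2PML/
url: 47.150.248.161:80/k2Rnth5Y2Mk8/17hxZtiw/9zshtFOpINrIe0sZ/A7raPA/ddbTX244x1ir2td/
url: 177.72.13.80:80/77yi4/PBFOuD0xn7C6KF8M8/sATcB1ioKcL2/7epCCEy7v/
url: 177.188.121.26:443/sqp9o4/LcjZ5J/eDZ4hUwUy3xiEV/viX9dWVBMaUz1bf/miERLp8Msuca49hFEi/
url: 189.1.185.248:80/cwZcU5A/rLBiylbI/MKxnePsXhGuihikfUf/3nVCjIBxjjaDSKH6AE/wzPdk/FtAcI/
url: 221.133.46.86:443/bSIVFNgA1Ab6QAG/V8bOQMa/
url: 177.38.15.151:80/FRk7ghx3RTn7nlM/p0DzVfGPW2EH9M26O0x/
url: 5.196.35.138:7080/JiTalsfknO/tokT2MhW18veqKR/8PoApOTpGVVxusDk/
url: 77.55.211.77:8080/baCXHk/diMG7uZYMbCyngdO/vTQGHz7Odg/
url: 118.69.71.14:80/VqVqFsDbHmSjS4xr/DjvyWwGB4akakeHS/ThJ4Bx0KYJ/
url: 113.190.254.245:80/d1JLiiopcVgWvPCz/
url: 204.225.249.100:7080/CeRnJtBoHrczA/Kwq3g8HiF/BAGSzpPJPbjnpg/t9DuW2WpUvFFF5/aw7Thrwqj/xG2Z8/
url: 185.94.252.12:80/y4L6e/94iE0t6GLAbCi7/s5phnc5A7lBU0fVN/y7TEaACnx2DBG9LDkw5/nWwGB/kA0h0lmKBl4CDEva0/
url: 187.162.248.237:80/t9Xr/2LHqqOTcXBOnmc5SqX/Jyk3sy4Q7krV/
url: 12.162.84.2:8080/6DfOyVqMEog7XiAw/sRnYxDc0usaAI/ynOv9QSL/yIttIHyz7IQD/BsCDt0QkMJz/
"""

# Report figures used for the cross-check: "Made direct connections to
# 21 unique IP addresses", two of which are public resolvers, not C2.
REPORT_DIRECT_IP_COUNT = 21
RESOLVERS = {"8.8.8.8", "1.1.1.1"}

URL_RE = re.compile(r"^url:\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(/\S*)$")
SEGMENT_RE = re.compile(r"^[A-Za-z0-9]+$")


def parse_report_urls(text):
    """One dict per url: line with ip, port, path and path segments."""
    records = []
    for line in text.splitlines():
        m = URL_RE.match(line.strip())
        if not m:
            continue
        ip, port, path = m.group(1), int(m.group(2)), m.group(3)
        ip_address(ip)  # raises ValueError on a malformed address
        records.append({"ip": ip, "port": port, "path": path,
                        "segments": [s for s in path.split("/") if s]})
    return records


def is_random_alnum_path(path):
    """True for the URI shape seen in this report: purely alphanumeric
    segments, a trailing slash, no file name or extension."""
    segments = [s for s in path.split("/") if s]
    return (path.endswith("/") and bool(segments)
            and all(SEGMENT_RE.match(s) for s in segments))


def c2_endpoints(records):
    """Unique (ip, port) pairs, dropping private/reserved addresses."""
    return {(r["ip"], r["port"]) for r in records
            if ip_address(r["ip"]).is_global}


def reconcile_with_direct_ip_count(records):
    """C2 IPs plus the resolvers should equal the report's direct-IP
    count; a mismatch means the URL list and Hosts table disagree."""
    c2_ips = {ip for ip, _ in c2_endpoints(records)}
    return len(c2_ips | RESOLVERS) == REPORT_DIRECT_IP_COUNT


def blocklist(records):
    """Sorted 'ip:port' lines for a firewall or proxy denylist."""
    return sorted(f"{ip}:{port}" for ip, port in c2_endpoints(records))


if __name__ == "__main__":
    recs = parse_report_urls(REPORT_URLS)
    print(len(recs), "URLs,", len(c2_endpoints(recs)), "C2 endpoints")
    print("ports:", sorted({p for _, p in c2_endpoints(recs)}))
    print("matches direct-IP count:", reconcile_with_direct_ip_count(recs))
    print("\n".join(blocklist(recs)))
```

The path-shape test is a weak indicator on its own: short random alphanumeric paths also occur in benign CDN and tracker traffic, so it is useful to triage which URLs in a proxy log belong to this campaign, not as a standalone block rule. The ip:port pairs are the indicators worth deploying, with the caveat that Emotet C2 lists rotate between builds.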
Expresses interest in specific running processes
process: glmf32.exe
Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
CAPE extracted potentially suspicious content
EE0CH2Xu3Nt2.exe: Emotet Payload
EE0CH2Xu3Nt2.exe: [{'name': 'Emotet', 'meta': {'author': 'kevoreilly', 'description': 'Emotet Payload', 'cape_type': 'Emotet Payload'}, 'strings': [b'\x8bH\x18\xc7\x00\xf8\[email protected]\x00\[email protected]$\xf8\[email protected]\x00\[email protected]\x00\x00\x00\x00\x83<\xcd\xf8\[email protected]\x00\x00t\x0eA\x89H\x18\x83<\xcd\xf8\[email protected]\x00\x00u\xf2'], 'addresses': {'snippet7': 4192}}]
glmf32.exe: Emotet Payload
glmf32.exe: [{'name': 'Emotet', 'meta': {'author': 'kevoreilly', 'description': 'Emotet Payload', 'cape_type': 'Emotet Payload'}, 'strings': [b'\x8bH\x18\xc7\x00\xf8\[email protected]\x00\[email protected]$\xf8\[email protected]\x00\[email protected]\x00\x00\x00\x00\x83<\xcd\xf8\[email protected]\x00\x00t\x0eA\x89H\x18\x83<\xcd\xf8\[email protected]\x00\x00u\xf2'], 'addresses': {'snippet7': 2849}}]
Multiple direct IP connections
direct_ip_connections: Made direct connections to 21 unique IP addresses
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.10, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0000f000, virtual_size: 0x0000e800
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\EE0CH2Xu3Nt2
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\glmf32\glmf32.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: glmf32
service path: "C:\Windows\SysWOW64\glmf32\glmf32.exe"
CAPE detected the Emotet malware family
File has been identified by 51 Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Gen:Variant.Midie.72472
Qihoo-360: Win32/Trojan.0c3
ALYac: Trojan.Agent.Emotet
Malwarebytes: Trojan.Emotet
Zillya: Trojan.Emotet.Win32.20637
Sangfor: Malware
CrowdStrike: win/malicious_confidence_60% (W)
BitDefender: Gen:Variant.Midie.72472
K7GW: Trojan ( 005600f21 )
K7AntiVirus: Trojan ( 005600f21 )
Arcabit: Trojan.Midie.D11B18
Invincea: heuristic
F-Prot: W32/Emotet.AKV.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Kryptik.HDHN
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Dropper.Emotet-7789635-0
Kaspersky: Trojan-Banker.Win32.Emotet.ffgd
Alibaba: Trojan:Win32/Emotet.479d1e5f
AegisLab: Trojan.Win32.Emotet.L!c
Avast: Win32:BankerX-gen [Trj]
Rising: Trojan.Kryptik!1.C627 (CLOUD)
Ad-Aware: Gen:Variant.Midie.72472
Emsisoft: Trojan.Emotet (A)
Comodo: [email protected]#245kn67wtjwmn
F-Secure: Trojan.TR/AD.Emotet.dtphr
DrWeb: Trojan.DownLoader33.41241
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: TROJ_FRS.VSNTEC20
Sophos: Mal/Generic-S
Cyren: W32/Emotet.AKV.gen!Eldorado
Jiangmin: Backdoor.Emotet.ez
Webroot: W32.Trojan.Emotet
Avira: TR/AD.Emotet.dtphr
Antiy-AVL: Trojan[Banker]/Win32.Emotet
Microsoft: Trojan:Win32/Emotet.DEM!MTB
ViRobot: Trojan.Win32.Emotet.278528
ZoneAlarm: Trojan-Banker.Win32.Emotet.ffgd
GData: Gen:Variant.Midie.72472
AhnLab-V3: Malware/Win32.Generic.C4094932
McAfee: Emotet-FQS!FCCC6F6E8B03
MAX: malware (ai score=89)
VBA32: Backdoor.Emotet
TrendMicro-HouseCall: TROJ_FRS.VSNTEC20
Tencent: Win32.Trojan-banker.Emotet.Ehia
Yandex: Trojan.Kryptik!uIb29ZyfbPY
Ikarus: Trojan-Banker.Emotet
Fortinet: PossibleThreat.MU
AVG: Win32:BankerX-gen [Trj]
Panda: Trj/Emotet.C
Attempts to modify proxy settings
Creates a copy of itself
copy: C:\Windows\SysWOW64\glmf32\glmf32.exe
Drops a binary and executes it
binary: C:\Windows\SysWOW64\glmf32\glmf32.exe
Created a service that was not started
service: glmf32
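The persistence findings in this report (copy written to C:\Windows\SysWOW64\glmf32\glmf32.exe, service glmf32 registered but not started, Zone.Identifier stream removed from the copy, original dropper deleted from the user's Temp directory) can be correlated on an endpoint rather than alerted on one at a time. The Python below is an added example, not part of the CAPE report: it runs a small correlation over constructed event records that mirror those artifacts in the shape of a Windows System-log event 7045 (service installed; fields ServiceName, ImagePath, StartType) and Sysmon events 11 (FileCreate) and 23 (FileDelete; fields Image, TargetFilename). The records are synthetic; treating the stream removal as a Sysmon FileDelete on the ":Zone.Identifier" path is an assumption made for the example, and on a real host the ADS deletion may have to come from a different telemetry source. The "folder and executable share a name" check reflects the layout seen in this report, not a general Emotet rule.

```python
"""Correlate the persistence artifacts from the report into one finding.

Added example, not part of the CAPE report. SAMPLE_EVENTS is constructed
to mirror the report's artifacts; event IDs and field names follow
Windows System-log 7045 and Sysmon 11/23, but the records are synthetic.
"""
import re

# Service binary located in a subdirectory of SysWOW64 (quoted or not).
SYSWOW64_SUBDIR_EXE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\Windows\\SysWOW64\\(?P<dir>[^\\"]+)\\(?P<exe>[^\\"]+?)\.exe)"?',
    re.IGNORECASE,
)
# Anything under a user's local Temp directory.
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed, in the order the report implies
    # Sysmon 11: the dropper writes its copy into a new SysWOW64 subfolder
    {"event_id": 11, "Image": r"C:\Users\Louise\AppData\Local\Temp\EE0CH2Xu3Nt2.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\glmf32\glmf32.exe"},
    # Sysmon 23 (assumed shape): the Zone.Identifier stream on the copy is removed
    {"event_id": 23, "Image": r"C:\Users\Louise\AppData\Local\Temp\EE0CH2Xu3Nt2.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\glmf32\glmf32.exe:Zone.Identifier"},
    # System 7045: a service pointing at the copy is registered
    {"event_id": 7045, "ServiceName": "glmf32",
     "ImagePath": r'"C:\Windows\SysWOW64\glmf32\glmf32.exe"', "StartType": "auto start"},
    # Sysmon 23: the original dropper is deleted from Temp (deleting process is a guess)
    {"event_id": 23, "Image": r"C:\Windows\SysWOW64\glmf32\glmf32.exe",
     "TargetFilename": r"C:\Users\Louise\AppData\Local\Temp\EE0CH2Xu3Nt2.exe"},
    # benign control: a vendor service under Program Files
    {"event_id": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": r'"C:\Program Files\Vendor\updater.exe"', "StartType": "auto start"},
]


def service_binary(image_path):
    """(path, folder, exe stem) when ImagePath is SysWOW64\\<folder>\\<exe>.exe, else None."""
    m = SYSWOW64_SUBDIR_EXE.match(image_path)
    return (m.group("path"), m.group("dir"), m.group("exe")) if m else None


def find_persistence(events):
    """One finding per suspicious 7045 event; score = number of report
    artifacts observed for the same binary."""
    created_by = {e["TargetFilename"].lower(): e["Image"]
                  for e in events if e["event_id"] == 11}
    deleted = {e["TargetFilename"].lower() for e in events if e["event_id"] == 23}
    findings = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        hit = service_binary(e["ImagePath"])
        if hit is None:
            continue
        path, folder, stem = hit
        reasons = ["service binary lives in a SysWOW64 subdirectory"]
        if folder.lower() == stem.lower():
            reasons.append("folder and executable share a name")
        dropper = created_by.get(path.lower())
        if dropper and USER_TEMP.match(dropper):
            reasons.append("binary was written by a process running from user Temp")
            if dropper.lower() in deleted:
                reasons.append("that dropper was deleted afterwards")
        if (path + ":Zone.Identifier").lower() in deleted:
            reasons.append("Zone.Identifier stream removed from service binary")
        findings.append({"service": e["ServiceName"], "path": path,
                         "score": len(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"{f['service']}: score {f['score']} -> {f['path']}")
        for r in f["reasons"]:
            print("  -", r)
```

On the sample the glmf32 service scores 5 of 5 and the Program Files control service is not reported at all, because the SysWOW64-subdirectory test gates everything else. A service created but not started (as here) still leaves the 7045 record, so the correlation does not depend on the service ever running.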
Created network traffic indicative of malicious activity
signature: ET CNC Feodo Tracker Reported CnC Server group 17
signature: ET CNC Feodo Tracker Reported CnC Server group 16
signature: ET CNC Feodo Tracker Reported CnC Server group 18
signature: ET CNC Feodo Tracker Reported CnC Server group 14
signature: ET CNC Feodo Tracker Reported CnC Server group 2
signature: ET CNC Feodo Tracker Reported CnC Server group 6
signature: ET CNC Feodo Tracker Reported CnC Server group 10
signature: ET CNC Feodo Tracker Reported CnC Server group 1
signature: ET CNC Feodo Tracker Reported CnC Server group 3
signature: ET CNC Feodo Tracker Reported CnC Server group 11

Hosts

Direct  IP               Country Name
Y       8.8.8.8          United States
Y       77.90.136.129    Germany
Y       77.55.211.77     Poland
Y       5.196.35.138     France
Y       47.150.248.161   United States
Y       45.161.242.102   unknown
Y       221.133.46.86    Malaysia
Y       204.225.249.100  Canada
Y       200.119.11.118   Colombia
Y       190.229.148.144  Argentina
Y       189.1.185.248    Brazil
Y       187.162.248.237  Mexico
Y       185.94.252.12    Germany
Y       177.72.13.80     Brazil
Y       177.38.15.151    Brazil
Y       177.188.121.26   Brazil
Y       12.162.84.2      United States
Y       118.69.71.14     Vietnam
Y       113.190.254.245  Vietnam
Y       103.83.81.141    India
Y       1.1.1.1          Australia

DNS

No domains contacted.


Summary

C:\
C:\Windows\SysWOW64\multdbt.exe
C:\Windows\System32\*
C:\Windows\
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\glmf32\
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\glmf32\glmf32.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users
C:\Users\Louise\AppData\Local\Microsoft\Windows\Caches
C:\Users\Louise\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
\??\MountPointManager
C:\Users\Louise\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000014.db
C:\Users\desktop.ini
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp
C:\Windows
C:\Windows\SysWOW64
C:\Windows\SysWOW64\glmf32
C:\Users\Louise\AppData\Local\Temp\EE0CH2Xu3Nt2.exe
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Windows\SysWOW64\en-US\SHELL32.dll.mui
C:\Users\Louise\AppData\Local\
C:\Windows\SysWOW64\glmf32\glmf32.exe:Zone.Identifier
C:\Users\Louise\AppData\Local\Microsoft\Windows\Burn
C:\Windows\SysWOW64\shell32.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
C:\Users\Louise\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\Louise\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000014.db
C:\Users\desktop.ini
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Windows
C:\Windows\SysWOW64
C:\Users\Louise\AppData\Local\Temp
C:\Windows\SysWOW64\en-US\SHELL32.dll.mui
C:\Users\Louise\AppData\Local\Microsoft\Windows\Burn
C:\Windows\SysWOW64\glmf32\glmf32.exe
C:\Windows\SysWOW64\multdbt.exe
C:\Users\Louise\AppData\Local\Temp\EE0CH2Xu3Nt2.exe
C:\Windows\SysWOW64\glmf32\glmf32.exe:Zone.Identifier
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\648fa520
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\EE0CH2Xu3Nt2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_CLASSES_ROOT\.exe\OpenWithProgids
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice
HKEY_CLASSES_ROOT\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_CLASSES_ROOT\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_CURRENT_USER\Software\Classes\Directory\CurVer
HKEY_CURRENT_USER\Software\Classes\Directory\
HKEY_CURRENT_USER\Software\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_CURRENT_USER\Software\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_CURRENT_USER\Software\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_CURRENT_USER\Software\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_CURRENT_USER\Software\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_CURRENT_USER\Software\Classes\Directory\AlwaysShowExt
HKEY_CURRENT_USER\Software\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\EE0CH2Xu3Nt2.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\EE0CH2Xu3Nt2.exe
HKEY_CURRENT_USER\Software\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_CURRENT_USER\Software\Classes\Directory\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\MoveSecurityAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\648fa520
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_CURRENT_USER\Software\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_CURRENT_USER\Software\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_CURRENT_USER\Software\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_CURRENT_USER\Software\Classes\Directory\AlwaysShowExt
HKEY_CURRENT_USER\Software\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\MoveSecurityAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\648fa520
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
comctl32.dll.InitCommonControlsEx
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_ExW
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
comctl32.dll.#332
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#386
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
ntdll.dll.EtwUnregisterTraceGuids
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
iphlpapi.dll.NotifyUnicastIpAddressChange
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
ws2_32.dll.GetAddrInfoW
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.DllGetClassObject
oleaut32.dll.DllCanUnloadNow
advapi32.dll.RegOpenKeyW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromIID
api-ms-win-downlevel-ole32-l1-1-0.dll.CoUninitialize
api-ms-win-downlevel-ole32-l1-1-0.dll.CoSetProxyBlanket
ole32.dll.ObjectStublessClient10
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
"C:\Windows\SysWOW64\glmf32\glmf32.exe"
Global\I648FA520
Global\M648FA520
glmf32

PE Information

Image Base: 0x00400000
Entry Point: 0x00403f0f
Reported Checksum: 0x0004a397
Actual Checksum: 0x0004a397
Minimum OS Version: 4.0
Compile Time: 2020-05-11 20:53:39
Import Hash: 796da5749343e7cb12cb70d99a6f9b0d
Icon Exact Hash: 703767d4808df340e2b4fab05cf318fb
Icon Similarity Hash: 815da8f87392cb72b01d721c0c02546d

Sections

Name    RAW Address  Virtual Address  Virtual Size  Size of Raw Data  Entropy  Characteristics
.text   0x00001000   0x00001000       0x00022c55    0x00023000        6.54     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
.rdata  0x00024000   0x00024000       0x00006650    0x00007000        4.01     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
.data   0x0002b000   0x0002b000       0x00005d78    0x00003000        3.21     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
.idata  0x0002e000   0x00031000       0x00002512    0x00003000        4.91     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
.rsrc   0x00031000   0x00034000       0x0000e800    0x0000f000        7.10     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
.reloc  0x00040000   0x00043000       0x000037e0    0x00004000        6.10     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ

Overlay

Offset 0x00044000
Size 0x0000006b

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x00040778 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.74 None
RT_BITMAP 0x00041150 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 None
RT_ICON 0x00036420 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_EIRE 2.66 None
RT_DIALOG 0x00040e40 0x000000e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_STRING 0x000427d0 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_RCDATA 0x00036570 0x00009f44 LANG_ENGLISH SUBLANG_ENGLISH_EIRE 7.99 None
RT_GROUP_CURSOR 0x00040830 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.20 None
RT_GROUP_ICON 0x00036120 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_EIRE 2.32 None

Imports

0x4317d0 GetShortPathNameA
0x4317d4 GetFileAttributesA
0x4317d8 GetFileSize
0x4317dc GetFileTime
0x4317e8 SetFileTime
0x4317ec SetFileAttributesA
0x4317f8 RtlUnwind
0x4317fc GetStartupInfoA
0x431800 GetCommandLineA
0x431804 ExitProcess
0x431808 TerminateProcess
0x43180c HeapFree
0x431810 RaiseException
0x431814 HeapAlloc
0x431818 CreateThread
0x43181c ExitThread
0x431820 HeapReAlloc
0x431824 HeapSize
0x431828 GetACP
0x431830 GetSystemTime
0x431834 GetLocalTime
0x431848 GetThreadLocale
0x43184c SetHandleCount
0x431850 GetStdHandle
0x431854 GetFileType
0x431858 HeapDestroy
0x43185c HeapCreate
0x431860 VirtualFree
0x431864 FatalAppExitA
0x431868 VirtualAlloc
0x43186c IsBadWritePtr
0x431874 LCMapStringA
0x431878 LCMapStringW
0x43187c GetStringTypeA
0x431880 GetStringTypeW
0x431884 Sleep
0x431888 IsBadReadPtr
0x43188c IsBadCodePtr
0x431890 IsValidLocale
0x431894 IsValidCodePage
0x431898 GetLocaleInfoA
0x43189c EnumSystemLocalesA
0x4318a0 GetUserDefaultLCID
0x4318a4 GetVersionExA
0x4318ac CompareStringA
0x4318b0 CompareStringW
0x4318b8 GetLocaleInfoW
0x4318bc GetStringTypeExA
0x4318c0 GetFullPathNameA
0x4318c8 FindFirstFileA
0x4318cc FindClose
0x4318d0 DeleteFileA
0x4318d4 MoveFileA
0x4318d8 SetEndOfFile
0x4318dc UnlockFile
0x4318e0 LockFile
0x4318e4 FlushFileBuffers
0x4318e8 SetFilePointer
0x4318ec WriteFile
0x4318f0 InterlockedExchange
0x4318f4 SetStdHandle
0x4318f8 ReadFile
0x4318fc CreateFileA
0x431900 GetCurrentProcess
0x431904 DuplicateHandle
0x431908 SetErrorMode
0x43190c GetOEMCP
0x431910 GetCPInfo
0x431914 GetProcessVersion
0x431918 GetLastError
0x43192c GlobalFlags
0x431930 lstrcpynA
0x431934 TlsGetValue
0x431938 LocalReAlloc
0x43193c TlsSetValue
0x431944 GlobalReAlloc
0x43194c TlsFree
0x431950 GlobalHandle
0x431958 TlsAlloc
0x431960 LocalFree
0x431964 LocalAlloc
0x431968 MulDiv
0x43196c SetLastError
0x431970 CreateEventA
0x431974 SuspendThread
0x431978 SetThreadPriority
0x43197c ResumeThread
0x431980 SetEvent
0x431984 WaitForSingleObject
0x431988 CloseHandle
0x43198c GetModuleFileNameA
0x431990 MultiByteToWideChar
0x431994 WideCharToMultiByte
0x431998 lstrlenA
0x4319a4 LoadLibraryA
0x4319a8 FreeLibrary
0x4319ac GetVersion
0x4319b0 lstrcatA
0x4319b4 GlobalGetAtomNameA
0x4319b8 GlobalAddAtomA
0x4319bc GlobalFindAtomA
0x4319c0 lstrcpyA
0x4319c4 GetModuleHandleA
0x4319c8 GetProcAddress
0x4319cc GlobalUnlock
0x4319d0 GlobalFree
0x4319d4 LockResource
0x4319d8 GlobalLock
0x4319dc GlobalAlloc
0x4319e0 GlobalDeleteAtom
0x4319e4 lstrcmpA
0x4319e8 lstrcmpiA
0x4319ec GetCurrentThread
0x4319f0 GetCurrentThreadId
0x4319f4 LoadLibraryExW
0x4319f8 FindResourceA
0x4319fc LoadResource
0x431a04 SizeofResource
0x431a18 PeekMessageA
0x431a1c MapWindowPoints
0x431a20 SendDlgItemMessageA
0x431a24 UpdateWindow
0x431a28 CheckDlgButton
0x431a2c CheckRadioButton
0x431a30 GetDlgItemInt
0x431a34 GetDlgItemTextA
0x431a38 SetDlgItemInt
0x431a3c SetDlgItemTextA
0x431a40 IsDlgButtonChecked
0x431a44 ScrollWindowEx
0x431a48 IsDialogMessageA
0x431a4c SetWindowTextA
0x431a50 MoveWindow
0x431a54 ShowWindow
0x431a58 EnableMenuItem
0x431a5c CheckMenuItem
0x431a60 SetMenuItemBitmaps
0x431a64 ModifyMenuA
0x431a68 GetMenuState
0x431a6c LoadBitmapA
0x431a74 wvsprintfA
0x431a78 CharToOemA
0x431a7c OemToCharA
0x431a80 LoadStringA
0x431a84 ShowOwnedPopups
0x431a88 SetCursor
0x431a8c GetCursorPos
0x431a90 ValidateRect
0x431a94 TranslateMessage
0x431a98 GetMessageA
0x431a9c ClientToScreen
0x431aa0 GetDC
0x431aa4 ReleaseDC
0x431aa8 GetWindowDC
0x431aac BeginPaint
0x431ab0 EndPaint
0x431ab4 TabbedTextOutA
0x431ab8 DrawTextA
0x431abc GrayStringA
0x431ac0 GetClassNameA
0x431ac4 PtInRect
0x431ac8 GetDesktopWindow
0x431acc InsertMenuA
0x431ad0 DeleteMenu
0x431ad4 GetMenuStringA
0x431ad8 GetDialogBaseUnits
0x431adc LoadCursorA
0x431ae0 GetSysColorBrush
0x431ae4 DestroyMenu
0x431ae8 CharUpperA
0x431aec DispatchMessageA
0x431af0 GetFocus
0x431af4 SetFocus
0x431af8 AdjustWindowRectEx
0x431afc ScreenToClient
0x431b00 EqualRect
0x431b04 DeferWindowPos
0x431b08 GetClientRect
0x431b0c BeginDeferWindowPos
0x431b10 CopyRect
0x431b14 EndDeferWindowPos
0x431b18 IsWindowVisible
0x431b1c ScrollWindow
0x431b20 GetScrollInfo
0x431b24 SetScrollInfo
0x431b28 ShowScrollBar
0x431b2c GetScrollRange
0x431b30 SetScrollRange
0x431b34 GetScrollPos
0x431b38 SetScrollPos
0x431b3c GetTopWindow
0x431b40 MessageBoxA
0x431b44 IsChild
0x431b48 GetCapture
0x431b4c WinHelpA
0x431b50 wsprintfA
0x431b54 GetClassInfoA
0x431b58 RegisterClassA
0x431b5c GetMenu
0x431b60 GetMenuItemCount
0x431b64 GetSubMenu
0x431b68 GetMenuItemID
0x431b6c TrackPopupMenu
0x431b70 SetWindowPlacement
0x431b78 GetWindowTextA
0x431b7c GetDlgCtrlID
0x431b80 GetKeyState
0x431b84 DefWindowProcA
0x431b88 CreateWindowExA
0x431b8c SetWindowsHookExA
0x431b90 CallNextHookEx
0x431b94 GetClassLongA
0x431b98 UnhookWindowsHookEx
0x431b9c GetPropA
0x431ba0 CallWindowProcA
0x431ba4 RemovePropA
0x431ba8 GetMessageTime
0x431bac GetMessagePos
0x431bb0 GetLastActivePopup
0x431bb4 GetForegroundWindow
0x431bb8 SetForegroundWindow
0x431bbc GetWindow
0x431bc0 SetWindowLongA
0x431bc4 SetWindowPos
0x431bcc OffsetRect
0x431bd0 IntersectRect
0x431bd8 IsIconic
0x431bdc GetWindowPlacement
0x431be0 GetWindowRect
0x431be4 GetNextDlgTabItem
0x431be8 EndDialog
0x431bec GetActiveWindow
0x431bf0 SetActiveWindow
0x431bf4 IsWindow
0x431bf8 GetSystemMetrics
0x431c00 DestroyWindow
0x431c04 GetParent
0x431c08 GetWindowLongA
0x431c0c GetDlgItem
0x431c10 IsWindowEnabled
0x431c14 PostMessageA
0x431c18 PostQuitMessage
0x431c1c DestroyIcon
0x431c20 FillRect
0x431c24 GetSysColor
0x431c28 DrawIconEx
0x431c2c LoadImageA
0x431c30 EnableWindow
0x431c34 SendMessageA
0x431c38 GetSystemMenu
0x431c3c LoadIconA
0x431c40 SetPropA
0x431c44 UnregisterClassA
0x4316b8 SetROP2
0x4316bc SetStretchBltMode
0x4316c0 SetMapMode
0x4316c4 SetViewportOrgEx
0x4316c8 OffsetViewportOrgEx
0x4316cc SetViewportExtEx
0x4316d0 ScaleViewportExtEx
0x4316d4 SetWindowOrgEx
0x4316d8 OffsetWindowOrgEx
0x4316dc SetWindowExtEx
0x4316e0 ScaleWindowExtEx
0x4316e4 SelectClipRgn
0x4316e8 ExcludeClipRect
0x4316ec IntersectClipRect
0x4316f0 OffsetClipRgn
0x4316f4 MoveToEx
0x4316f8 LineTo
0x4316fc SetTextAlign
0x431708 SetMapperFlags
0x431710 ArcTo
0x431714 SetArcDirection
0x431718 PolyDraw
0x43171c PolylineTo
0x431720 SetColorAdjustment
0x431724 SetPolyFillMode
0x431728 SelectPalette
0x43172c DeleteObject
0x431730 GetClipRgn
0x431734 CreateRectRgn
0x431738 SelectClipPath
0x43173c ExtSelectClipRgn
0x431740 PlayMetaFileRecord
0x431744 GetObjectType
0x431748 EnumMetaFile
0x43174c PlayMetaFile
0x431750 GetDeviceCaps
0x431754 GetViewportExtEx
0x431758 GetWindowExtEx
0x43175c CreatePen
0x431760 ExtCreatePen
0x431764 CreateSolidBrush
0x431768 CreateHatchBrush
0x43176c CreatePatternBrush
0x431774 PtVisible
0x431778 RectVisible
0x43177c TextOutA
0x431780 ExtTextOutA
0x431784 Escape
0x43178c GetTextMetricsA
0x431790 CreateFontIndirectA
0x431794 PolyBezierTo
0x431798 SetBkMode
0x43179c SetTextColor
0x4317a0 GetClipBox
0x4317a4 GetStockObject
0x4317a8 SelectObject
0x4317ac RestoreDC
0x4317b0 SaveDC
0x4317b4 StartDocA
0x4317b8 DeleteDC
0x4317bc CreateBitmap
0x4317c0 SetBkColor
0x4317c4 GetDCOrgEx
0x4317c8 GetObjectA
0x431c5c GetFileTitleA
0x431c4c DocumentPropertiesA
0x431c50 ClosePrinter
0x431c54 OpenPrinterA
0x43168c RegDeleteKeyA
0x431690 RegDeleteValueA
0x431694 RegSetValueExA
0x431698 RegQueryValueExA
0x43169c RegOpenKeyExA
0x4316a0 RegCreateKeyExA
0x4316a4 RegCloseKey
0x4316a8 RegOpenKeyA
0x431a0c SHGetFileInfoA
0x431a10 DragAcceptFiles
0x4316b0 None

!This program cannot be run in DOS mode.
Richj
.text
`.rdata
@.data
.idata
.rsrc
@.reloc
CWinApp
PreviewPages
Settings
File%d
Recent File List
Automation
Embedding
Unregserver
Unregister
CDialog
MS Sans Serif
MS Shell Dlg
CTempWnd
AfxOldWndProc423
AfxWnd42s
AfxControlBar42s
AfxMDIFrame42s
AfxFrameOrView42s
AfxOleControl42s
GetMonitorInfoA
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
USER32
DISPLAY
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
InitCommonControlsEx
COMCTL32.DLL
CScrollBar
CEdit
CComboBox
CListBox
CButton
CStatic
STATIC
BUTTON
LISTBOX
COMBOBOX
SCROLLBAR
CCmdTarget
CWinThread
CTL3D32.DLL
CTempGdiObject
CTempDC
CPalette
CBitmap
CFont
CBrush
CGdiObject
CPaintDC
CWindowDC
CClientDC
CUserException
CResourceException
GetLayout
GDI32.DLL
SetLayout
combobox
software
CObject
CNotSupportedException
CMemoryException
CException
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
System
CMapPtrToPtr
CTempMenu
CMenu
CPtrList
CFile
DllGetClassObject
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
InProcServer32
CLSID
CFileException
CArchiveException
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
am/pm
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
Paraguay
Uruguay
Chile
Ecuador
Argentina
Colombia
Venezuela
Dominican Republic
South Africa
Panama
Luxembourg
Costa Rica
Switzerland
Guatemala
Canada
Spanish - Modern Sort
Australia
English
Austria
German
Belgium
Mexico
Spanish
Basque
Sweden
Swedish
Iceland
Icelandic
France
French
Finland
Finnish
Spain
Spanish - Traditional Sort
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
string too long
invalid string position
ios::eofbit set
ios::failbit set
ios::badbit set
invalid ios::iword/pword index
bad allocation
Unknown exception
mFW5wh4EmJwE9THFp3G1cqSxio46Zl7Kf3hlf9ghmT8hBNb7J2gnojr4MalGoKNg
ujtjKDOd7BAwBfMb311cVqCwcI6eJvnjaA
CSmallIconComboBox
Warning: Could not find matching icon in the icon combo box
CLargeIconComboBox
SizeofResource
LoadResource
FindResourceA
LoadLibraryExW
GetCurrentThreadId
GetCurrentThread
lstrcmpiA
lstrcmpA
GlobalDeleteAtom
GlobalAlloc
GlobalLock
LockResource
GlobalFree
GlobalUnlock
GetProcAddress
GetModuleHandleA
lstrcpyA
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
lstrcatA
GetVersion
FreeLibrary
LoadLibraryA
InterlockedDecrement
InterlockedIncrement
lstrlenA
WideCharToMultiByte
MultiByteToWideChar
GetModuleFileNameA
CloseHandle
WaitForSingleObject
SetEvent
ResumeThread
SetThreadPriority
SuspendThread
CreateEventA
SetLastError
MulDiv
LocalAlloc
LocalFree
InitializeCriticalSection
TlsAlloc
DeleteCriticalSection
GlobalHandle
TlsFree
LeaveCriticalSection
GlobalReAlloc
EnterCriticalSection
TlsSetValue
LocalReAlloc
TlsGetValue
lstrcpynA
GlobalFlags
GetPrivateProfileIntA
GetPrivateProfileStringA
WritePrivateProfileStringA
GetCurrentDirectoryA
GetLastError
GetProcessVersion
GetCPInfo
GetOEMCP
SetErrorMode
DuplicateHandle
GetCurrentProcess
CreateFileA
ReadFile
WriteFile
SetFilePointer
FlushFileBuffers
LockFile
UnlockFile
SetEndOfFile
MoveFileA
DeleteFileA
FindClose
FindFirstFileA
GetVolumeInformationA
GetFullPathNameA
GetStringTypeExA
GetThreadLocale
GetShortPathNameA
GetFileAttributesA
GetFileSize
GetFileTime
LocalFileTimeToFileTime
SystemTimeToFileTime
SetFileTime
SetFileAttributesA
FileTimeToSystemTime
FileTimeToLocalFileTime
RtlUnwind
GetStartupInfoA
GetCommandLineA
ExitProcess
TerminateProcess
HeapFree
RaiseException
HeapAlloc
CreateThread
ExitThread
HeapReAlloc
HeapSize
GetACP
GetTimeZoneInformation
GetSystemTime
GetLocalTime
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy
HeapCreate
VirtualFree
FatalAppExitA
VirtualAlloc
IsBadWritePtr
SetUnhandledExceptionFilter
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
Sleep
IsBadReadPtr
IsBadCodePtr
IsValidLocale
IsValidCodePage
GetLocaleInfoA
EnumSystemLocalesA
GetUserDefaultLCID
GetVersionExA
SetConsoleCtrlHandler
CompareStringA
CompareStringW
SetEnvironmentVariableA
GetLocaleInfoW
KERNEL32.dll
LoadIconA
GetSystemMenu
SendMessageA
EnableWindow
LoadImageA
DrawIconEx
GetSysColor
FillRect
DestroyIcon
PostQuitMessage
PostMessageA
IsWindowEnabled
GetDlgItem
GetWindowLongA
GetParent
DestroyWindow
CreateDialogIndirectParamA
GetSystemMetrics
IsWindow
SetActiveWindow
GetActiveWindow
EndDialog
GetNextDlgTabItem
GetWindowRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
IntersectRect
OffsetRect
RegisterWindowMessageA
SetWindowPos
SetWindowLongA
GetWindow
SetForegroundWindow
GetForegroundWindow
GetLastActivePopup
GetMessagePos
GetMessageTime
RemovePropA
CallWindowProcA
GetPropA
UnhookWindowsHookEx
SetPropA
GetClassLongA
CallNextHookEx
SetWindowsHookExA
CreateWindowExA
DefWindowProcA
GetKeyState
GetDlgCtrlID
GetWindowTextA
GetWindowTextLengthA
SetWindowPlacement
TrackPopupMenu
GetMenuItemID
GetSubMenu
GetMenuItemCount
GetMenu
RegisterClassA
GetClassInfoA
wsprintfA
WinHelpA
GetCapture
IsChild
MessageBoxA
GetTopWindow
SetScrollPos
GetScrollPos
SetScrollRange
GetScrollRange
ShowScrollBar
SetScrollInfo
GetScrollInfo
ScrollWindow
IsWindowVisible
EndDeferWindowPos
CopyRect
BeginDeferWindowPos
GetClientRect
DeferWindowPos
EqualRect
ScreenToClient
AdjustWindowRectEx
SetFocus
GetFocus
DispatchMessageA
PeekMessageA
MapWindowPoints
SendDlgItemMessageA
UpdateWindow
CheckDlgButton
CheckRadioButton
GetDlgItemInt
GetDlgItemTextA
SetDlgItemInt
SetDlgItemTextA
IsDlgButtonChecked
ScrollWindowEx
IsDialogMessageA
SetWindowTextA
MoveWindow
ShowWindow
EnableMenuItem
CheckMenuItem
SetMenuItemBitmaps
ModifyMenuA
GetMenuState
LoadBitmapA
GetMenuCheckMarkDimensions
wvsprintfA
CharToOemA
OemToCharA
LoadStringA
ShowOwnedPopups
SetCursor
GetCursorPos
ValidateRect
TranslateMessage
GetMessageA
ClientToScreen
GetDC
ReleaseDC
GetWindowDC
BeginPaint
EndPaint
TabbedTextOutA
DrawTextA
GrayStringA
GetClassNameA
PtInRect
GetDesktopWindow
InsertMenuA
DeleteMenu
GetMenuStringA
GetDialogBaseUnits
LoadCursorA
GetSysColorBrush
DestroyMenu
CharUpperA
USER32.dll
GetDCOrgEx
GetClipBox
SetTextColor
SetBkColor
GetObjectA
CreateBitmap
DeleteDC
StartDocA
SaveDC
RestoreDC
SelectObject
GetStockObject
SelectPalette
SetBkMode
SetPolyFillMode
SetROP2
SetStretchBltMode
SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowOrgEx
OffsetWindowOrgEx
SetWindowExtEx
ScaleWindowExtEx
SelectClipRgn
ExcludeClipRect
IntersectClipRect
OffsetClipRgn
MoveToEx
LineTo
SetTextAlign
SetTextJustification
SetTextCharacterExtra
SetMapperFlags
GetCurrentPositionEx
ArcTo
SetArcDirection
PolyDraw
PolylineTo
SetColorAdjustment
PolyBezierTo
DeleteObject
GetClipRgn
CreateRectRgn
SelectClipPath
ExtSelectClipRgn
PlayMetaFileRecord
GetObjectType
EnumMetaFile
PlayMetaFile
GetDeviceCaps
GetViewportExtEx
GetWindowExtEx
CreatePen
ExtCreatePen
CreateSolidBrush
CreateHatchBrush
CreatePatternBrush
CreateDIBPatternBrushPt
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
GetTextExtentPoint32A
GetTextMetricsA
CreateFontIndirectA
GDI32.dll
GetFileTitleA
comdlg32.dll
ClosePrinter
DocumentPropertiesA
OpenPrinterA
WINSPOOL.DRV
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RegDeleteValueA
RegDeleteKeyA
RegOpenKeyA
ADVAPI32.dll
DragAcceptFiles
SHGetFileInfoA
SHELL32.dll
COMCTL32.dll
InterlockedExchange
SetStdHandle
UnregisterClassA
C:\Users\User\Desktop\VC 6.0\MFC-master\MFC-master\UI\IconComboBox_src\Release\testapp.pdb
WerFault.exe
KERNEL32.dll
Test App for Icon ComboBox classes
MS Sans Serif
Small Icon combo box:
Large Icon combo box:
MS Shell Dlg
&New
Cancel
&Help
Save As
All Files (*.*)
Untitled
an unnamed file
&Hide
No error message is available.
An unsupported operation was attempted.
A required resource was unavailable.
Out of memory.
An unknown error has occurred.
Invalid filename.
Failed to open document.
Failed to save document.
Save changes to %1?
Failed to create empty document.
The file is too large to open.
Could not start print job.
Failed to launch help.
Internal application error.
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Unable to read write-only property.
Unable to write read-only property.
Unexpected file format.
%1
Cannot find this file.
Please verify that the correct path and file name are given.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
An unexpected error occurred while reading %1.
An unexpected error occurred while writing %1.
Please enter an integer.
Please enter a number.
Please enter an integer between %1 and %2.
Please enter a number between %1 and %2.
Please enter no more than %1 characters.
Please select a button.
Please enter an integer between 0 and 255.
Please enter a positive integer.
Please enter a date and/or time.
Please enter a currency.
No error occurred.
An unknown error occurred while accessing %1.
%1 was not found.
%1 contains an invalid path.
%1 could not be opened because there are too many open files.
Access to %1 was denied.
An invalid file handle was associated with %1.
%1 could not be removed because it is the current directory.
%1 could not be created because the directory is full.
Seek failed on %1
A hardware I/O error was reported while accessing %1.
A sharing violation occurred while accessing %1.
A locking violation occurred while accessing %1.
Disk full while accessing %1.
An attempt was made to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
An attempt was made to write to the reading %1.
An attempt was made to access %1 past its end.
An attempt was made to read from the writing %1.
%1 has a bad format.
%1 contained an unexpected object.
%1 contains an incorrect schema.
Unable to load mail system support.
Mail system DLL is invalid.
Send Mail failed to send message.
pixels

Full Results

Engine Signature
Bkav Clean
MicroWorld-eScan Gen:Variant.Midie.72472
CMC Clean
CAT-QuickHeal Clean
Qihoo-360 Win32/Trojan.0c3
ALYac Trojan.Agent.Emotet
Malwarebytes Trojan.Emotet
Zillya Trojan.Emotet.Win32.20637
SUPERAntiSpyware Clean
Sangfor Malware
CrowdStrike win/malicious_confidence_60% (W)
BitDefender Gen:Variant.Midie.72472
K7GW Trojan ( 005600f21 )
K7AntiVirus Trojan ( 005600f21 )
Arcabit Trojan.Midie.D11B18
Invincea heuristic
Baidu Clean
F-Prot W32/Emotet.AKV.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HDHN
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Emotet-7789635-0
Kaspersky Trojan-Banker.Win32.Emotet.ffgd
Alibaba Trojan:Win32/Emotet.479d1e5f
NANO-Antivirus Clean
AegisLab Trojan.Win32.Emotet.L!c
Avast Win32:BankerX-gen [Trj]
Rising Trojan.Kryptik!1.C627 (CLOUD)
Ad-Aware Gen:Variant.Midie.72472
Emsisoft Trojan.Emotet (A)
Comodo [email protected]#245kn67wtjwmn
F-Secure Trojan.TR/AD.Emotet.dtphr
DrWeb Trojan.DownLoader33.41241
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_FRS.VSNTEC20
Trapmine Clean
Sophos Mal/Generic-S
SentinelOne Clean
Cyren W32/Emotet.AKV.gen!Eldorado
Jiangmin Backdoor.Emotet.ez
Webroot W32.Trojan.Emotet
Avira TR/AD.Emotet.dtphr
Antiy-AVL Trojan[Banker]/Win32.Emotet
Kingsoft Clean
Microsoft Trojan:Win32/Emotet.DEM!MTB
Endgame Clean
ViRobot Trojan.Win32.Emotet.278528
ZoneAlarm Trojan-Banker.Win32.Emotet.ffgd
Avast-Mobile Clean
GData Gen:Variant.Midie.72472
TACHYON Clean
AhnLab-V3 Malware/Win32.Generic.C4094932
Acronis Clean
McAfee Emotet-FQS!FCCC6F6E8B03
MAX malware (ai score=89)
VBA32 Backdoor.Emotet
Cylance Clean
Zoner Clean
TrendMicro-HouseCall TROJ_FRS.VSNTEC20
Tencent Win32.Trojan-banker.Emotet.Ehia
Yandex Trojan.Kryptik!uIb29ZyfbPY
Ikarus Trojan-Banker.Emotet
eGambit Clean
Fortinet PossibleThreat.MU
BitDefenderTheta Clean
AVG Win32:BankerX-gen [Trj]
Cybereason Clean
Panda Trj/Emotet.C
MaxSecure Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 77.90.136.129 Germany
Y 77.55.211.77 Poland
Y 5.196.35.138 France
Y 47.150.248.161 United States
Y 45.161.242.102 unknown
Y 221.133.46.86 Malaysia
Y 204.225.249.100 Canada
Y 200.119.11.118 Colombia
Y 190.229.148.144 Argentina
Y 189.1.185.248 Brazil
Y 187.162.248.237 Mexico
Y 185.94.252.12 Germany
Y 177.72.13.80 Brazil
Y 177.38.15.151 Brazil
Y 177.188.121.26 Brazil
Y 12.162.84.2 United States
Y 118.69.71.14 Vietnam
Y 113.190.254.245 Vietnam
Y 103.83.81.141 India
Y 1.1.1.1 Australia

TCP

Source Source Port Destination Destination Port
192.168.1.8 49185 103.83.81.141 8080
192.168.1.8 49198 113.190.254.245 80
192.168.1.8 49197 118.69.71.14 80
192.168.1.8 49202 12.162.84.2 8080
192.168.1.8 49191 177.188.121.26 443
192.168.1.8 49194 177.38.15.151 80
192.168.1.8 49190 177.72.13.80 80
192.168.1.8 49200 185.94.252.12 80
192.168.1.8 49201 187.162.248.237 80
192.168.1.8 49192 189.1.185.248 80
192.168.1.8 49186 190.229.148.144 80
192.168.1.8 49184 200.119.11.118 443
192.168.1.8 49199 204.225.249.100 7080
192.168.1.8 49193 221.133.46.86 443
192.168.1.8 49188 45.161.242.102 80
192.168.1.8 49189 47.150.248.161 80
192.168.1.8 49195 5.196.35.138 7080
192.168.1.8 49196 77.55.211.77 8080
192.168.1.8 49187 77.90.136.129 8080

UDP

Source Source Port Destination Destination Port
192.168.1.8 49744 1.1.1.1 53
192.168.1.8 51064 1.1.1.1 53
192.168.1.8 55051 1.1.1.1 53
192.168.1.8 63225 1.1.1.1 53
192.168.1.8 63471 1.1.1.1 53
192.168.1.8 65129 1.1.1.1 53
192.168.1.8 137 192.168.1.255 137
192.168.1.8 49744 8.8.8.8 53
192.168.1.8 51064 8.8.8.8 53
192.168.1.8 55051 8.8.8.8 53
192.168.1.8 63225 8.8.8.8 53
192.168.1.8 63471 8.8.8.8 53
192.168.1.8 65129 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-05-23 10:19:15.130 192.168.1.8 49184 200.119.11.118 443 TCP 1 2404313 5734 ET CNC Feodo Tracker Reported CnC Server group 14 A Network Trojan was detected 1
2020-05-23 10:19:28.745 192.168.1.8 49185 103.83.81.141 8080 TCP 1 2404300 5734 ET CNC Feodo Tracker Reported CnC Server group 1 A Network Trojan was detected 1
2020-05-23 10:19:35.619 192.168.1.8 49186 190.229.148.144 80 TCP 1 2404310 5734 ET CNC Feodo Tracker Reported CnC Server group 11 A Network Trojan was detected 1
2020-05-23 10:19:56.150 192.168.1.8 49188 45.161.242.102 80 TCP 1 2404316 5734 ET CNC Feodo Tracker Reported CnC Server group 17 A Network Trojan was detected 1
2020-05-23 10:20:04.009 192.168.1.8 49189 47.150.248.161 80 TCP 1 2404317 5734 ET CNC Feodo Tracker Reported CnC Server group 18 A Network Trojan was detected 1
2020-05-23 10:20:24.462 192.168.1.8 49191 177.188.121.26 443 TCP 1 2404305 5734 ET CNC Feodo Tracker Reported CnC Server group 6 A Network Trojan was detected 1
2020-05-23 10:20:38.871 192.168.1.8 49193 221.133.46.86 443 TCP 1 2404315 5734 ET CNC Feodo Tracker Reported CnC Server group 16 A Network Trojan was detected 1
2020-05-23 10:21:27.009 192.168.1.8 49197 118.69.71.14 80 TCP 1 2404302 5734 ET CNC Feodo Tracker Reported CnC Server group 3 A Network Trojan was detected 1
2020-05-23 10:21:34.494 192.168.1.8 49198 113.190.254.245 80 TCP 1 2404301 5734 ET CNC Feodo Tracker Reported CnC Server group 2 A Network Trojan was detected 1
2020-05-23 10:21:55.884 192.168.1.8 49201 187.162.248.237 80 TCP 1 2404309 5734 ET CNC Feodo Tracker Reported CnC Server group 10 A Network Trojan was detected 1

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----
address
Type Emotet Payload
Size 40770 bytes
Virtual Address 0x00300000
Process EE0CH2Xu3Nt2.exe
PID 3004
Path C:\Users\Louise\AppData\Local\Temp\EE0CH2Xu3Nt2.exe
MD5 a249150e30b9cecee24419d688be2484
SHA1 3acabbb7e0682154ea793819b85f8fda7cd95669
SHA256 ad838918b66a32ee69eee714ae12662cff244f0fd3066f1abb4cd5a6826603ec
CRC32 488074CB
Ssdeep 768:wpPwGjkSkhl5/eo9usFYZzBxMhkC+3Qvc05nkJ9iXwQ8Nrw:IwGkD5/7urz3p2KoAQ8W
Yara
  • embedded_pe - Contains an embedded PE32 file - Author: nex
  • shellcode_patterns - Matched shellcode byte patterns - Author: nex
  • shellcode_get_eip - Match x86 that appears to fetch $PC. - Author: William Ballenthin
  • shellcode_peb_parsing - Match x86 that appears to manually traverse the TEB/PEB/LDR data. - Author: William Ballenthin
CAPE Yara
  • Emotet Emotet Payload - Author: kevoreilly

Type Emotet Payload
Size 39424 bytes
Virtual Address 0x004E0000
Process glmf32.exe
PID 4152
Path C:\Windows\SysWOW64\glmf32\glmf32.exe
PE timestamp 2020-02-06 16:23:05
MD5 48ae59c5c74c5a3e3db53a649f219407
SHA1 695b022e58d8d710d62323026b0bac216fd2cce8
SHA256 176887bbffd74d2483582e849be228bc4558e3749443b624ec95c4fbd902c064
CRC32 5DAC58E2
Ssdeep 768:ujkSkhl5/eo9usFYZzBxMhkC+3Qvc05nkJ9iXwQ8Nr:ukD5/7urz3p2KoAQ8
Yara None matched
CAPE Yara
  • Emotet Emotet Payload - Author: kevoreilly

Process Name explorer.exe
PID 1440
Dump Size 3230208 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
PE timestamp 2016-08-29 15:04:30
MD5 78a8cc78df158f311d25a135cb86f8da
SHA1 4269410420c2056421584f35e2ffc7683cd52fa9
SHA256 e3759e717c1d0db951e92430780b2fb9d8bb56783c6d22a00ddb39e60036e273
CRC32 64E08E09
Ssdeep 98304:+AQexfivYYYYYYYYYYYRYYYYYYYYYYE3ia0eojk221:+AQexfil3r7ojk22
Dump Filename e3759e717c1d0db951e92430780b2fb9d8bb56783c6d22a00ddb39e60036e273