Detections

Yara:

Emotet

Analysis

Category FILE
Package Emotet
Started 2020-09-16 14:20:32
Completed 2020-09-16 14:23:10
Duration 158 seconds
2020-05-13 09:25:42,102 [root] INFO: Date set to: 20200916T10:29:07, timeout set to: 200
2020-09-16 10:29:07,062 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-09-16 10:29:07,062 [root] DEBUG: Storing results at: C:\CEdcOi
2020-09-16 10:29:07,062 [root] DEBUG: Pipe server name: \\.\PIPE\fcprcX
2020-09-16 10:29:07,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-09-16 10:29:07,062 [root] INFO: Analysis package "Emotet" has been specified.
2020-09-16 10:29:07,062 [root] DEBUG: Trying to import analysis package "Emotet"...
2020-09-16 10:29:07,125 [root] DEBUG: Imported analysis package "Emotet".
2020-09-16 10:29:07,125 [root] DEBUG: Trying to initialize analysis package "Emotet"...
2020-09-16 10:29:07,125 [root] DEBUG: Initialized analysis package "Emotet".
2020-09-16 10:29:07,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-09-16 10:29:07,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-09-16 10:29:07,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-09-16 10:29:07,249 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-09-16 10:29:07,249 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-09-16 10:29:07,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-09-16 10:29:07,281 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-09-16 10:29:07,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-09-16 10:29:07,343 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-09-16 10:29:07,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-09-16 10:29:07,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-09-16 10:29:07,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-09-16 10:29:07,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-09-16 10:29:07,375 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-09-16 10:29:07,390 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-09-16 10:29:07,390 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-09-16 10:29:07,390 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-09-16 10:29:07,390 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-09-16 10:29:07,390 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-09-16 10:29:07,390 [lib.api.screenshot] DEBUG: Importing 'math'
2020-09-16 10:29:07,390 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-09-16 10:29:08,421 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-09-16 10:29:08,437 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-09-16 10:29:08,453 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-09-16 10:29:08,453 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-09-16 10:29:08,453 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-09-16 10:29:08,453 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-09-16 10:29:08,453 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-09-16 10:29:08,515 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-09-16 10:29:08,515 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-09-16 10:29:08,515 [root] DEBUG: Initialized auxiliary module "Browser".
2020-09-16 10:29:08,515 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-09-16 10:29:08,515 [root] DEBUG: Started auxiliary module Browser
2020-09-16 10:29:08,515 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-09-16 10:29:08,515 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-09-16 10:29:08,515 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-09-16 10:29:08,531 [root] DEBUG: Started auxiliary module Curtain
2020-09-16 10:29:08,531 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-09-16 10:29:08,531 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-09-16 10:29:08,531 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-09-16 10:29:08,531 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-09-16 10:29:09,734 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-09-16 10:29:09,734 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-09-16 10:29:09,750 [root] DEBUG: Started auxiliary module DigiSig
2020-09-16 10:29:09,750 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-09-16 10:29:09,750 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-09-16 10:29:09,750 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-09-16 10:29:09,765 [modules.auxiliary.disguise] INFO: Disguising GUID to 72bd8ad8-87b9-4a3b-b283-d76a99756092
2020-09-16 10:29:09,765 [root] DEBUG: Started auxiliary module Disguise
2020-09-16 10:29:09,765 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-09-16 10:29:09,765 [root] DEBUG: Initialized auxiliary module "Human".
2020-09-16 10:29:09,765 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-09-16 10:29:09,765 [root] DEBUG: Started auxiliary module Human
2020-09-16 10:29:09,765 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-09-16 10:29:09,765 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-09-16 10:29:09,765 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-09-16 10:29:09,781 [root] DEBUG: Started auxiliary module Procmon
2020-09-16 10:29:09,781 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-09-16 10:29:09,781 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-09-16 10:29:09,781 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-09-16 10:29:09,781 [root] DEBUG: Started auxiliary module Screenshots
2020-09-16 10:29:09,781 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-09-16 10:29:09,781 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-09-16 10:29:09,781 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-09-16 10:29:09,781 [root] DEBUG: Started auxiliary module Sysmon
2020-09-16 10:29:09,781 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-09-16 10:29:09,781 [root] DEBUG: Initialized auxiliary module "Usage".
2020-09-16 10:29:09,781 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-09-16 10:29:09,781 [root] DEBUG: Started auxiliary module Usage
2020-09-16 10:29:09,781 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL option
2020-09-16 10:29:09,781 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL_64 option
2020-09-16 10:29:09,796 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a loader option
2020-09-16 10:29:09,796 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a loader_64 option
2020-09-16 10:29:09,906 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_e66c08fc6f64c._exe" with arguments "" with pid 840
2020-09-16 10:29:09,906 [lib.api.process] INFO: Monitor config for process 840: C:\tmp2ssujfce\dll\840.ini
2020-09-16 10:29:09,906 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-09-16 10:29:09,906 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-09-16 10:29:09,906 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\eNcqxCQ.dll, loader C:\tmp2ssujfce\bin\wAALdKQ.exe
2020-09-16 10:29:09,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\fcprcX.
2020-09-16 10:29:09,968 [root] DEBUG: Loader: Injecting process 840 (thread 2568) with C:\tmp2ssujfce\dll\eNcqxCQ.dll.
2020-09-16 10:29:09,968 [root] DEBUG: Process image base: 0x00400000
2020-09-16 10:29:09,984 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\eNcqxCQ.dll.
2020-09-16 10:29:09,984 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-09-16 10:29:09,984 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\eNcqxCQ.dll.
2020-09-16 10:29:09,984 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 840
2020-09-16 10:29:12,015 [lib.api.process] INFO: Successfully resumed process with pid 840
2020-09-16 10:29:14,406 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-09-16 10:29:14,421 [root] DEBUG: Auto-unpacking of payloads enabled.
2020-09-16 10:29:14,421 [root] DEBUG: Dropped file limit defaulting to 100.
2020-09-16 10:29:14,421 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-09-16 10:29:14,437 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 840 at 0x704f0000, image base 0x400000, stack from 0x186000-0x190000
2020-09-16 10:29:14,437 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_e66c08fc6f64c._exe".
2020-09-16 10:29:14,484 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77180000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x771eb5f0, Wow64PrepareForException: 0x0
2020-09-16 10:29:14,500 [root] INFO: Disabling sleep skipping.
2020-09-16 10:29:14,500 [root] INFO: Disabling sleep skipping.
2020-09-16 10:29:14,500 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3f0000
2020-09-16 10:29:14,500 [root] INFO: Disabling sleep skipping.
2020-09-16 10:29:14,500 [root] INFO: Disabling sleep skipping.
2020-09-16 10:29:14,500 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-09-16 10:29:14,500 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-09-16 10:29:14,500 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x12316, Entropy 6.539216e+00
2020-09-16 10:29:14,531 [root] DEBUG: DLL loaded at 0x70420000: C:\Windows\system32\odbcint (0x38000 bytes).
2020-09-16 10:29:14,765 [root] DEBUG: DLL unloaded from 0x00400000.
2020-09-16 10:29:14,843 [root] DEBUG: set_caller_info: Adding region at 0x038C0000 to caller regions list (kernel32::FindResourceExA).
2020-09-16 10:29:15,031 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-09-16 10:29:15,046 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-09-16 10:29:15,046 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-09-16 10:29:15,046 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-09-16 10:29:15,078 [root] DEBUG: Allocation: 0x00490000 - 0x0049F000, size: 0xf000, protection: 0x40.
2020-09-16 10:29:15,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-09-16 10:29:15,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-09-16 10:29:15,078 [root] DEBUG: ProcessImageBase: EP 0x00012316 image base 0x00400000 size 0x0 entropy 6.542734e+00.
2020-09-16 10:29:15,078 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00490000, size: 0xf000.
2020-09-16 10:29:15,093 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00490000.
2020-09-16 10:29:15,093 [root] DEBUG: AddTrackedRegion: New region at 0x00490000 size 0xf000 added to tracked regions.
2020-09-16 10:29:15,093 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00490000, TrackedRegion->RegionSize: 0xf000, thread 2568
2020-09-16 10:29:15,093 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00490000
2020-09-16 10:29:15,093 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0049003C
2020-09-16 10:29:15,093 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00490000 (size 0xf000).
2020-09-16 10:29:15,109 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404427 (thread 2568)
2020-09-16 10:29:15,109 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00490000.
2020-09-16 10:29:15,109 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x490000: 0xe8.
2020-09-16 10:29:15,109 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-09-16 10:29:15,109 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x490000: 0xe8.
2020-09-16 10:29:15,109 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-09-16 10:29:15,109 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404427 (thread 2568)
2020-09-16 10:29:15,125 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0049003C.
2020-09-16 10:29:15,125 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x0049007E.
2020-09-16 10:29:15,125 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404427 (thread 2568)
2020-09-16 10:29:15,125 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0049003C.
2020-09-16 10:29:15,125 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5756 (at 0x0049003C).
2020-09-16 10:29:15,125 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00490000.
2020-09-16 10:29:15,125 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404427 (thread 2568)
2020-09-16 10:29:15,125 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0049003C.
2020-09-16 10:29:15,125 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x335756 (at 0x0049003C).
2020-09-16 10:29:15,140 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00490000.
2020-09-16 10:29:15,140 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0049003C.
2020-09-16 10:29:15,140 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x0049003C).
2020-09-16 10:29:15,140 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00490000.
2020-09-16 10:29:15,140 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404427 (thread 2568)
2020-09-16 10:29:15,140 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0xF6335756.
2020-09-16 10:29:15,140 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404427 (thread 2568)
2020-09-16 10:29:15,140 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0xF6335756.
2020-09-16 10:29:15,140 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404427 (thread 2568)
2020-09-16 10:29:15,140 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xF6335756.
2020-09-16 10:29:15,140 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404427 (thread 2568)
2020-09-16 10:29:15,156 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xF6335756.
2020-09-16 10:29:15,156 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404427 (thread 2568)
2020-09-16 10:29:15,156 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xF6335756.
2020-09-16 10:29:15,156 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404427 (thread 2568)
2020-09-16 10:29:15,156 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xF6335756.
2020-09-16 10:29:15,249 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00490000 (thread 2568)
2020-09-16 10:29:15,249 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00490000 (allocation base 0x00490000).
2020-09-16 10:29:15,249 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x490000 - 0x49f000.
2020-09-16 10:29:15,249 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x0049006E.
2020-09-16 10:29:15,265 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0049003C.
2020-09-16 10:29:15,265 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00490000.
2020-09-16 10:29:15,265 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 3 address 0x0049007E.
2020-09-16 10:29:15,265 [root] DEBUG: ShellcodeExecCallback: About to scan region for a PE image (base 0x00490000, size 0xf000).
2020-09-16 10:29:15,265 [root] DEBUG: DumpPEsInRange: Scanning range 0x490000 - 0x49f000.
2020-09-16 10:29:15,265 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x49052e
2020-09-16 10:29:15,265 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-09-16 10:29:15,265 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0049052E.
2020-09-16 10:29:15,312 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xe600.
2020-09-16 10:29:15,343 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xc000.
2020-09-16 10:29:15,359 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x49379e-0x49f000.
2020-09-16 10:29:15,359 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2020-09-16 10:29:15,359 [root] DEBUG: set_caller_info: Adding region at 0x00490000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-09-16 10:29:15,359 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-09-16 10:29:15,359 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-09-16 10:29:15,359 [root] DEBUG: ProcessImageBase: EP 0x00012316 image base 0x00400000 size 0x0 entropy 6.542734e+00.
2020-09-16 10:29:15,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00490000.
2020-09-16 10:29:15,375 [root] DEBUG: ProtectionHandler: Adding region at 0x034F1000 to tracked regions.
2020-09-16 10:29:15,375 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x034F1000.
2020-09-16 10:29:15,375 [root] DEBUG: AddTrackedRegion: New region at 0x034F0000 size 0x2000 added to tracked regions: EntryPoint 0x27b0, Entropy 5.704692e+00
2020-09-16 10:29:15,375 [root] DEBUG: ProtectionHandler: Address: 0x034F1000 (alloc base 0x034F0000), NumberOfBytesToProtect: 0x1a00, NewAccessProtection: 0x20
2020-09-16 10:29:15,375 [root] DEBUG: ProtectionHandler: Increased region size at 0x034F1000 to 0x2a00.
2020-09-16 10:29:15,375 [root] DEBUG: ProtectionHandler: New code detected at (0x034F0000), scanning for PE images.
2020-09-16 10:29:15,375 [root] DEBUG: DumpPEsInRange: Scanning range 0x34f0000 - 0x34f2a00.
2020-09-16 10:29:15,390 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x34f0000
2020-09-16 10:29:15,390 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-09-16 10:29:15,390 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x034F0000.
2020-09-16 10:29:15,390 [root] DEBUG: DumpProcess: Module entry point VA is 0x000027B0.
2020-09-16 10:29:15,453 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xe400.
2020-09-16 10:29:15,453 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x34f1000-0x34f2a00.
2020-09-16 10:29:15,453 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x034F0000 - 0x034F2A00.
2020-09-16 10:29:15,453 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x034F0000.
2020-09-16 10:29:15,453 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x34f0000 - 0x34f2a00.
2020-09-16 10:29:15,453 [root] DEBUG: set_caller_info: Adding region at 0x034F0000 to caller regions list (ntdll::LdrLoadDll).
2020-09-16 10:29:15,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-09-16 10:29:15,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-09-16 10:29:15,468 [root] DEBUG: ProcessImageBase: EP 0x00012316 image base 0x00400000 size 0x0 entropy 6.542734e+00.
2020-09-16 10:29:15,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00490000.
2020-09-16 10:29:15,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x034F0000.
2020-09-16 10:29:15,468 [root] DEBUG: ProtectionHandler: Adding region at 0x00771000 to tracked regions.
2020-09-16 10:29:15,484 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00771000.
2020-09-16 10:29:15,484 [root] DEBUG: AddTrackedRegion: New region at 0x00770000 size 0xb000 added to tracked regions: EntryPoint 0x5ae0, Entropy 5.620810e+00
2020-09-16 10:29:15,484 [root] DEBUG: ProtectionHandler: Address: 0x00771000 (alloc base 0x00770000), NumberOfBytesToProtect: 0xa600, NewAccessProtection: 0x20
2020-09-16 10:29:15,484 [root] DEBUG: ProtectionHandler: Increased region size at 0x00771000 to 0xb600.
2020-09-16 10:29:15,484 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00490000 to 0x00770000.
2020-09-16 10:29:15,484 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x51 at protected address: 0x00771000
2020-09-16 10:29:15,484 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0077003C
2020-09-16 10:29:15,500 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x00771000.
2020-09-16 10:29:15,500 [root] DEBUG: set_caller_info: Adding region at 0x00770000 to caller regions list (ntdll::LdrGetDllHandle).
2020-09-16 10:29:15,500 [root] DEBUG: DLL loaded at 0x76A70000: C:\Windows\syswow64\crypt32 (0x122000 bytes).
2020-09-16 10:29:15,515 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-09-16 10:29:15,515 [root] DEBUG: DLL loaded at 0x75B90000: C:\Windows\syswow64\urlmon (0x124000 bytes).
2020-09-16 10:29:15,515 [root] DEBUG: DLL loaded at 0x76EB0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-09-16 10:29:15,531 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-09-16 10:29:15,531 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-09-16 10:29:15,531 [root] DEBUG: DLL loaded at 0x76E40000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-09-16 10:29:15,531 [root] DEBUG: DLL loaded at 0x76EE0000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-09-16 10:29:15,531 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\version (0x9000 bytes).
2020-09-16 10:29:15,546 [root] DEBUG: DLL loaded at 0x767F0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-09-16 10:29:15,546 [root] DEBUG: DLL loaded at 0x766F0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-09-16 10:29:15,546 [root] DEBUG: DLL loaded at 0x76BA0000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-09-16 10:29:15,562 [root] DEBUG: DLL loaded at 0x75CC0000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-09-16 10:29:15,578 [root] DEBUG: DLL loaded at 0x743F0000: C:\Windows\system32\wtsapi32 (0xd000 bytes).
2020-09-16 10:29:15,609 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4112.
2020-09-16 10:29:22,828 [root] INFO: Analysis timeout hit, terminating analysis.
2020-09-16 10:29:22,828 [lib.api.process] INFO: Terminate event set for process 840
2020-09-16 10:29:22,828 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 840).
2020-09-16 10:29:22,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-09-16 10:29:22,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-09-16 10:29:22,843 [root] DEBUG: ProcessImageBase: EP 0x00012316 image base 0x00400000 size 0x0 entropy 6.542734e+00.
2020-09-16 10:29:22,843 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00490000.
2020-09-16 10:29:22,843 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x034F0000.
2020-09-16 10:29:22,843 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00770000.
2020-09-16 10:29:22,843 [root] DEBUG: Terminate Event: Attempting to dump process 840
2020-09-16 10:29:22,843 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-09-16 10:29:22,843 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-09-16 10:29:22,859 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00400000.
2020-09-16 10:29:22,906 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x2f000.
2020-09-16 10:29:22,906 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x00770000.
2020-09-16 10:29:22,921 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00770000.
2020-09-16 10:29:22,921 [root] DEBUG: DumpProcess: Module entry point VA is 0x00005AE0.
2020-09-16 10:29:22,953 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xc200.
2020-09-16 10:29:22,968 [lib.api.process] INFO: Termination confirmed for process 840
2020-09-16 10:29:22,968 [root] INFO: Terminate event set for process 840.
2020-09-16 10:29:22,968 [root] INFO: Created shutdown mutex.
2020-09-16 10:29:22,968 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 840
2020-09-16 10:29:23,968 [root] INFO: Shutting down package.
2020-09-16 10:29:23,968 [root] INFO: Stopping auxiliary modules.
2020-09-16 10:29:24,171 [lib.common.results] WARNING: File C:\CEdcOi\bin\procmon.xml doesn't exist anymore
2020-09-16 10:29:24,171 [root] INFO: Finishing auxiliary modules.
2020-09-16 10:29:24,171 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-09-16 10:29:24,171 [root] WARNING: Folder at path "C:\CEdcOi\debugger" does not exist, skip.
2020-09-16 10:29:24,171 [root] INFO: Analysis completed.

Machine

Name win7x64_1
Label win7x64_5
Manager KVM
Started On 2020-09-16 14:20:33
Shutdown On 2020-09-16 14:23:10

File Details

File Name emotet_exe_e1_e66c08fc6f64c._exe
File Size 192512 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2020-09-16 09:59:00
MD5 55629d34297d9190570017ece48e526d
SHA1 8e5eba1191737c60b9a05a6e30e790d7a250e21f
SHA256 e66c08fc6f64cc1b50fd34988f63f5dbbc26fd5be428cf0127092396419b52bb
SHA512 ceaa8dee9148e0c421c8137a5e90ab32f23a12307e20eb3f58eb90c0417799b10fcbef42c3d5be6def1c8ec4ff7672b6d7af64712d76bf7cedbf39299fc992cf
CRC32 EEE162A7
Ssdeep 3072:WcosYS2q2/4NPx3Q+3d4SICmWcwaQH2ZaD58EdLdsFTTIp5+1Xr07V62H50EJE:VoqcqPhxN4SILuHH2ZaDecJsxcp5+1Xk

Signatures

Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 840 triggered the Yara rule 'Emotet'
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: KERNELBASE.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: SHELL32.dll/ExtractIconA
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/RegSetValueA
DynamicLoader: ADVAPI32.dll/RegQueryValueA
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: ntdll.dll/qsort
DynamicLoader: ntdll.dll/bsearch
DynamicLoader: ntdll.dll/wcslen
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/IsBadReadPtr
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
Expresses interest in specific running processes
process: emotet_exe_e1_e66c08fc6f64c._exe
File has been identified by 7 Antiviruses on VirusTotal as malicious
Bkav: W32.AIDetectVM.malware1
McAfee: Emotet-FSE!55629D34297D
K7AntiVirus: Trojan ( 005605291 )
K7GW: Trojan ( 005605291 )
APEX: Malicious
Rising: Trojan.Kryptik!8.8 (TFE:6:lSbXDYX0Z5G)
Fortinet: W32/Kryptik.HGCU!tr
CAPE extracted potentially suspicious content
emotet_exe_e1_e66c08fc6f64c._exe: Emotet Payload: 32-bit DLL
emotet_exe_e1_e66c08fc6f64c._exe: Emotet
emotet_exe_e1_e66c08fc6f64c._exe: Emotet Payload
emotet_exe_e1_e66c08fc6f64c._exe: Emotet
emotet_exe_e1_e66c08fc6f64c._exe: Emotet Payload: 32-bit executable
emotet_exe_e1_e66c08fc6f64c._exe: Emotet
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.26, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00014000, virtual_size: 0x00013468
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\emotet_exe_e1_e66c08fc6f64c._exe
Network activity detected but not expressed in API logs
CAPE detected the Emotet malware family

Screenshots


Hosts

Direct  IP       Country Name
Y       8.8.8.8  United States
Y       1.1.1.1  Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\MFC42LOC.DLL
C:\Windows\System32\MFC42LOC.DLL.DLL
C:\Windows\sysnative\MFC42LOC.DLL
C:\Windows\sysnative\MFC42LOC.DLL.DLL
C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_e66c08fc6f64c._exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\*
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_e66c08fc6f64c._exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BidInterface\Loader
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\ODBC
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\software
HKEY_CURRENT_USER\Software\Josefsson
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Recent File List
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Recent File List\File1
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Recent File List\File2
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Recent File List\File3
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Recent File List\File4
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Settings
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Settings\PreviewPages
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Dialupwatch.Document
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dialupwatch.Document\(Default)
HKEY_CURRENT_USER\Software\Classes\Dialupwatch.Document\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dialupwatch.Document\DefaultIcon\(Default)
HKEY_CURRENT_USER\Software\Classes\Dialupwatch.Document\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dialupwatch.Document\shell\open\command\(Default)
HKEY_CURRENT_USER\Software\Classes\Dialupwatch.Document\shell\print\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dialupwatch.Document\shell\print\command\(Default)
HKEY_CURRENT_USER\Software\Classes\Dialupwatch.Document\shell\printto\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dialupwatch.Document\shell\printto\command\(Default)
HKEY_CURRENT_USER\Software\Classes\.otf
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.otf\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Recent File List\File1
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Recent File List\File2
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Recent File List\File3
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Recent File List\File4
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Settings\PreviewPages
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.otf\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_CURRENT_USER\Software\Josefsson
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Recent File List
HKEY_CURRENT_USER\Software\Josefsson\Dialupwatch\Settings
HKEY_CURRENT_USER\Software\Classes\Dialupwatch.Document
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dialupwatch.Document\(Default)
HKEY_CURRENT_USER\Software\Classes\Dialupwatch.Document\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dialupwatch.Document\DefaultIcon\(Default)
HKEY_CURRENT_USER\Software\Classes\Dialupwatch.Document\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dialupwatch.Document\shell\open\command\(Default)
HKEY_CURRENT_USER\Software\Classes\Dialupwatch.Document\shell\print\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dialupwatch.Document\shell\print\command\(Default)
HKEY_CURRENT_USER\Software\Classes\Dialupwatch.Document\shell\printto\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dialupwatch.Document\shell\printto\command\(Default)
kernel32.dll.TryEnterCriticalSection
kernel32.dll.SetCriticalSectionSpinCount
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
cryptbase.dll.SystemFunction036
shell32.dll.ExtractIconA
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
advapi32.dll.RegSetValueA
advapi32.dll.RegQueryValueA
cryptsp.dll.CryptAcquireContextA
ntdll.dll.qsort
ntdll.dll.bsearch
ntdll.dll.wcslen
kernel32.dll.VirtualFree
kernel32.dll.Process32Next
kernel32.dll.Process32First
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.CloseHandle
kernel32.dll.SetLastError
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.ExitProcess
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.VirtualQuery
kernel32.dll.FreeLibrary
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryA
kernel32.dll.LoadLibraryW
kernel32.dll.IsBadReadPtr
kernel32.dll.GetNativeSystemInfo
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash

BinGraph (graph image not reproduced)

PE Information

Image Base: 0x00400000
Entry Point: 0x00412316
Reported Checksum: 0x00000000
Actual Checksum: 0x0003ac27
Minimum OS Version: 4.0
Compile Time: 2020-09-16 09:59:00
Import Hash: c6da07369598089954b5912e6ef7be34
Icon Exact Hash: a30aed6d3699626c392ce646318a1c01
Icon Similarity Hash: 8ca47d351d736cecbf3efceacd5a5d47
Exported DLL Name: Dialupwatch.exe

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x000127de 0x00013000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.11
.rdata 0x00014000 0x00014000 0x000052b6 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.45
.data 0x0001a000 0x0001a000 0x00001f48 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.79
.rsrc 0x0001b000 0x0001c000 0x00013468 0x00014000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.26

Resources

Name Offset Size Language Sub-language Entropy File type
RT_BITMAP 0x0002ca78 0x000001d0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.32 None
RT_ICON 0x0002d800 0x000008a8 LANG_ITALIAN SUBLANG_ITALIAN 3.32 None
RT_ICON 0x0002d800 0x000008a8 LANG_ITALIAN SUBLANG_ITALIAN 3.32 None
RT_ICON 0x0002d800 0x000008a8 LANG_ITALIAN SUBLANG_ITALIAN 3.32 None
RT_ICON 0x0002d800 0x000008a8 LANG_ITALIAN SUBLANG_ITALIAN 3.32 None
RT_ICON 0x0002d800 0x000008a8 LANG_ITALIAN SUBLANG_ITALIAN 3.32 None
RT_ICON 0x0002d800 0x000008a8 LANG_ITALIAN SUBLANG_ITALIAN 3.32 None
RT_ICON 0x0002d800 0x000008a8 LANG_ITALIAN SUBLANG_ITALIAN 3.32 None
RT_ICON 0x0002d800 0x000008a8 LANG_ITALIAN SUBLANG_ITALIAN 3.32 None
RT_ICON 0x0002d800 0x000008a8 LANG_ITALIAN SUBLANG_ITALIAN 3.32 None
RT_MENU 0x0002d4f0 0x0000004e LANG_FRENCH SUBLANG_FRENCH 2.98 None
RT_MENU 0x0002d4f0 0x0000004e LANG_FRENCH SUBLANG_FRENCH 2.98 None
RT_DIALOG 0x0002d540 0x000002bc LANG_FRENCH SUBLANG_FRENCH 3.46 None
RT_DIALOG 0x0002d540 0x000002bc LANG_FRENCH SUBLANG_FRENCH 3.46 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0002f088 0x0000006e LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_ACCELERATOR 0x0002cd28 0x00000070 LANG_ENGLISH SUBLANG_ENGLISH_US 2.95 None
RT_GROUP_ICON 0x0001d138 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.08 None
RT_GROUP_ICON 0x0001d138 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.08 None
RT_GROUP_ICON 0x0001d138 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.08 None
RT_GROUP_ICON 0x0001d138 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.08 None
RT_GROUP_ICON 0x0001d138 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.08 None
RT_GROUP_ICON 0x0001d138 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.08 None
RT_GROUP_ICON 0x0001d138 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.08 None
RT_VERSION 0x0002ced8 0x00000314 LANG_ENGLISH SUBLANG_ENGLISH_US 3.38 None
None 0x0001d6d0 0x0000eb33 LANG_NEUTRAL SUBLANG_NEUTRAL 7.99 None
None 0x0002cc48 0x0000000e LANG_ENGLISH SUBLANG_ENGLISH_US 3.09 None

Imports

0x41478c _onexit
0x414790 _exit
0x414794 _XcptFilter
0x414798 exit
0x41479c _acmdln
0x4147a0 __getmainargs
0x4147a4 _initterm
0x4147a8 __setusermatherr
0x4147ac _adjust_fdiv
0x4147b0 __p__commode
0x4147b4 __p__fmode
0x4147b8 __set_app_type
0x4147bc _except_handler3
0x4147c0 _setmbcp
0x4147c4 __dllonexit
0x4147c8 _controlfp
0x4147cc sprintf
0x4147d0 _access
0x4147d4 __CxxFrameHandler
0x4147d8 strrchr
0x4147dc malloc
0x4147e0 atoi
0x4147e4 free
0x4147e8 _mbsstr
0x4147ec _mbscmp
0x4147f0 memmove
0x4147f4 wcslen
0x4147f8 _ftol
0x4147fc sscanf
0x414800 _CxxThrowException
0x414804 _EH_prolog
0x41407c GetModuleHandleA
0x414080 GetSystemDirectoryA
0x414084 CreateFileA
0x414088 GetFileSize
0x41408c CloseHandle
0x414090 MoveFileExA
0x414094 LocalAlloc
0x414098 LocalLock
0x41409c LocalUnlock
0x4140a0 GetModuleHandleW
0x4140a4 GetLocalTime
0x4140a8 GetProcAddress
0x4140ac LoadLibraryA
0x4140b0 FreeLibrary
0x4140b4 lstrcpynA
0x4140b8 MultiByteToWideChar
0x4140bc GlobalAddAtomA
0x4140c0 GlobalFindAtomA
0x4140c4 GlobalDeleteAtom
0x4140c8 GetCurrentThreadId
0x4140cc SetLastError
0x4140d0 FindResourceA
0x4140d4 LoadResource
0x4140d8 LockResource
0x4140dc MulDiv
0x4140e0 GetLastError
0x4140e4 FormatMessageA
0x4140e8 LocalFree
0x4140ec GetVersion
0x4140f0 GetVersionExA
0x4140f4 FreeConsole
0x4140f8 GetModuleFileNameA
0x4140fc CopyFileA
0x414100 GetStartupInfoA
0x414858 IsWindow
0x41485c SendMessageA
0x414860 PostMessageA
0x414864 SetMenuDefaultItem
0x414868 KillTimer
0x41486c SetTimer
0x414870 CallNextHookEx
0x414874 GetClassNameA
0x414878 SetPropA
0x41487c GetDCEx
0x414880 wsprintfA
0x414884 GetPropA
0x414888 RemovePropA
0x41488c UnhookWindowsHookEx
0x414890 SetWindowsHookExA
0x414894 GetParent
0x414898 GetWindowDC
0x41489c ReleaseDC
0x4148a0 IntersectRect
0x4148a4 IsRectEmpty
0x4148a8 DestroyIcon
0x4148ac DrawMenuBar
0x4148b0 GetMenuState
0x4148b4 GetMenuStringA
0x4148b8 GetCursorPos
0x4148bc CallWindowProcA
0x4148c0 TrackPopupMenu
0x4148c4 CreateMenu
0x4148c8 CreatePopupMenu
0x4148cc GetDesktopWindow
0x4148d0 LoadBitmapA
0x4148d4 ModifyMenuA
0x4148d8 InsertMenuA
0x4148dc AppendMenuA
0x4148e0 LoadIconA
0x4148e4 EnableWindow
0x4148e8 GetClientRect
0x4148ec SetWindowLongA
0x4148f0 DrawEdge
0x4148f4 SetRect
0x4148f8 FillRect
0x4148fc DrawFocusRect
0x414900 GetMessagePos
0x414904 DrawStateA
0x414908 GetSystemMetrics
0x41490c InflateRect
0x414910 GetSysColor
0x414914 GetMenuItemCount
0x414918 GetSubMenu
0x41491c GetMenuItemID
0x414920 GetMenuItemInfoA
0x414924 IsMenu
0x414928 GetMenu
0x41492c WindowFromDC
0x414930 CopyRect
0x414934 OffsetRect
0x41493c MessageBoxA
0x414940 GetWindowRect
0x414944 GetClassInfoA
0x414948 RemoveMenu
0x41494c ShowWindow
0x414950 UpdateWindow
0x414954 FindWindowA
0x414958 SetForegroundWindow
0x41495c GetWindowLongA
0x414960 GetSystemMenu
0x41404c BitBlt
0x414050 GetPixel
0x414054 CreateCompatibleDC
0x41405c SetPixel
0x414060 Rectangle
0x414064 CreateFontIndirectA
0x414068 CreateSolidBrush
0x41406c CreateFontA
0x414074 RoundRect
0x414004 RegOpenKeyExA
0x414008 RegQueryValueExA
0x41400c RegCreateKeyA
0x414010 RegSetValueExA
0x414014 RegCloseKey
0x414018 RegConnectRegistryA
0x41401c QueryServiceStatus
0x414020 OpenSCManagerA
0x414024 OpenServiceA
0x414028 CloseServiceHandle
0x41484c SHGetMalloc
0x414850 Shell_NotifyIconA
0x414030 ImageList_Draw
0x414038 ImageList_GetIcon
0x41403c ImageList_AddMasked
0x414968 CoUninitialize
0x41496c CoInitialize
0x414970 CoCreateInstance
0x414748 GradientFill

Exports

Ordinal Address Name
1 0x4042c0 SDASQFddefgshdSSSgfdtEghfIITFDSSSSS

Strings

OldMenuProc
PDH.DLL
ODBC32.dll
MFC42.DLL
sprintf
_access
__CxxFrameHandler
strrchr
malloc
_mbsstr
_mbscmp
memmove
wcslen
_ftol
sscanf
_CxxThrowException
_EH_prolog
MSVCRT.dll
__dllonexit
_onexit
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
CopyFileA
GetModuleFileNameA
FreeConsole
GetVersionExA
GetVersion
LocalFree
FormatMessageA
GetLastError
MulDiv
LockResource
LoadResource
FindResourceA
SetLastError
GetCurrentThreadId
GlobalDeleteAtom
GlobalFindAtomA
GlobalAddAtomA
MultiByteToWideChar
lstrcpynA
FreeLibrary
LoadLibraryA
GetProcAddress
GetLocalTime
GetModuleHandleW
LocalUnlock
LocalLock
LocalAlloc
MoveFileExA
CloseHandle
GetFileSize
CreateFileA
GetSystemDirectoryA
GetModuleHandleA
GetStartupInfoA
KERNEL32.dll
SendMessageA
IsWindow
GetSystemMenu
LoadIconA
EnableWindow
GetClientRect
SetWindowLongA
GetWindowLongA
SetForegroundWindow
FindWindowA
UpdateWindow
ShowWindow
RemoveMenu
GetClassInfoA
GetWindowRect
MessageBoxA
SystemParametersInfoA
OffsetRect
CopyRect
WindowFromDC
GetMenu
IsMenu
GetMenuItemInfoA
GetMenuItemID
GetSubMenu
GetMenuItemCount
GetSysColor
InflateRect
GetSystemMetrics
DrawStateA
GetMessagePos
DrawFocusRect
FillRect
SetRect
DrawEdge
AppendMenuA
InsertMenuA
ModifyMenuA
LoadBitmapA
GetDesktopWindow
CreatePopupMenu
CreateMenu
GetMenuStringA
GetMenuState
DrawMenuBar
DestroyIcon
IsRectEmpty
IntersectRect
ReleaseDC
GetWindowDC
GetParent
SetWindowsHookExA
UnhookWindowsHookEx
RemovePropA
GetPropA
CallWindowProcA
GetDCEx
SetPropA
GetClassNameA
CallNextHookEx
SetTimer
KillTimer
SetMenuDefaultItem
PostMessageA
TrackPopupMenu
GetCursorPos
wsprintfA
USER32.dll
GetTextExtentPoint32A
RoundRect
CreateFontA
CreateSolidBrush
CreateFontIndirectA
Rectangle
SetPixel
CreateCompatibleBitmap
CreateCompatibleDC
GetPixel
BitBlt
GDI32.dll
RegCloseKey
RegSetValueExA
RegCreateKeyA
CryptAcquireContextA
RegQueryValueExA
RegOpenKeyExA
RegConnectRegistryA
CloseServiceHandle
OpenServiceA
OpenSCManagerA
QueryServiceStatus
ADVAPI32.dll
SHGetMalloc
Shell_NotifyIconA
SHELL32.dll
ImageList_ReplaceIcon
ImageList_SetBkColor
ImageList_Draw
ImageList_GetIconSize
ImageList_GetIcon
ImageList_AddMasked
COMCTL32.dll
CoInitialize
CoUninitialize
CoCreateInstance
ole32.dll
MSVCP60.dll
GradientFill
MSIMG32.dll
_setmbcp
Dialupwatch.exe
SDASQFddefgshdSSSgfdtEghfIITFDSSSSS
Microsoft Access Driver (*.mdb)
DSN=%s$ DESCRIPTION=TOC support source$ DBQ=%s$ FIL=MicrosoftAccess$ DEFAULTDIR=D:\Database$$
Dialup
INSERT INTO Connection (ConnectionName, ConnectionDate, ConnectionDuration) VALUES (?, ?, ?)
SELECT * FROM Connection
CDateTree
CConnection
CTreeItem
SysTreeView32
%d-12
%d-11
%d-10
%d-%d
%d-%d-%s
CDetailsView
SysListView32
Item!
Total:
%H:%M:%S
%d-%m-%Y
Dial-up watch
\Dial-up watch.lnk
Keeps an eye on the dial-up connections
Connections
Josefsson
Software\Microsoft\Windows\CurrentVersion\Run
CDialupwatchDoc
NafylkAz^#asaMJcm7c54CN&?zMlZ4YPPfapl<(T?>+yj7oe7)8UNNR_PyWAmLPyG*_##TfW(c?4<U#(chR
HeH8c
CMainFrame
LdrAccessResource
LdrFindResource_U
Settings
ShowIcon
SDASQFddefgshdSSSgfdtEghfIITFDSSSSS
lAlloc
Virtua
76567567$%^#[email protected]%$GFSDZDAHxsf
EDAWytyfghtyuGFASCZFSDSGSDGDSZC
MainFrmSplitPos
MainColumns
MainFrmSize
MainFrmPos
AllowQuit
CNewMultiDocTemplate
CNewMDIFrameWnd
CNewFrameWnd
CNewMiniDockFrameWnd
CNewMDIChildWnd
CNewMiniFrameWnd
CNewDialog
CNewMenu
CNewMenuItemData
Error message 0x%lx not found
Error
MenuItem:
Arial
Marlett
#32768
CSystemTray
%d,%d,%d,%d
%d,%d
%u,%d,%d,%d,%d,%d,%d,%d,%d
%d,%d
Settings\Window\
Software\Josefsson\Dial-up watch\
CPdhException
PDH.DLL
PdhAddCounterA
PdhBrowseCountersA
PdhCalculateCounterFromRawValue
PdhCloseQuery
PdhCollectQueryData
PdhComputeCounterStatistics
PdhConnectMachineA
PdhEnumMachinesA
PdhEnumObjectItemsA
PdhEnumObjectsA
PdhExpandCounterPathA
PdhGetCounterInfoA
PdhGetDefaultPerfCounterA
PdhGetDefaultPerfObjectA
PdhGetFormattedCounterValue
PdhGetRawCounterValue
PdhMakeCounterPathA
PdhOpenQuery
PdhParseCounterPathA
PdhParseInstanceNameA
PdhRemoveCounter
PdhSetCounterScaleFactor
PdhValidatePathA
%s\%s
PerfStats\StartStat
PerfStats\StatData
PerfStats\StopStat
CRasMonitor
\Ras Total\Bytes Transmitted
\Ras Total\Bytes Received
ConnectSpeed
TotalBytesRecvd
TotalBytesXmit
Dial-Up Adapter
RasMan
CRasMonitor Notification Window
RasGetConnectStatusA
RasEnumConnectionsA
RASAPI32.DLL
SQLConfigDataSource
odbccp32.dll
The program %s, or one of its DLLs attempted to call the function %s which is not supported in the loaded ODBC installer DLL (%s). Press OK to proceed.
The ODBC installer DLL (ODBCCP32.DLL) is not installed on this system.
ODBC Installer Error
%s\odbccp32.bad
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
version.dll
ntdll.dll
Skernel32.dll
&File
Open Dial-up watch
E&xit
&View
&Toolbar
&Status Bar
&Help
&About Dialupwatch...
About Dialupwatch
MS Sans Serif
Dial-up watch Version 1.0
Copyright (C) 2002 Anders Josefsson
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
FileDescription
Dialupwatch MFC Application
FileVersion
1, 0, 0, 1
InternalName
Dialupwatch
LegalCopyright
Copyright (C) 2002
LegalTrademarks
OriginalFilename
Dialupwatch.EXE
ProductName
Dialupwatch Application
ProductVersion
1, 0, 0, 1
VarFileInfo
Translation
Popup
Open "Dial-up watch"
Dialog
MS Sans Serif
Cancel
SysDateTimePick32
DateTimePicker1
SysDateTimePick32
DateTimePicker1
From :
Cheap rate
Normal rate
euros per minute
Don't have one
Use the following
bsJP2
WDialupwatch
Online
Online Time Files (*.otf)
Dialupwatch.Document
Online Document
Time opened
Duration
Time closed
Connection
Dialupwatch
Ready
Create a new document
Open an existing document
Close the active document
Close
Save the active document
Save0Save the active document with a new name
Save As&Change the printing options
Page Setup3Change the printer and printing options
Print Setup
Print the active document
Print
Display full pages
Print Preview
?Display program information, version number and copyright
About4Quit the application; prompts to save documents
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document
Open this document(Switch to the next window pane
Next Pane5Switch back to the previous window pane
Previous Pane
(Split the active window into panes
Split
Erase the selection
Erase
Erase everything
Erase All3Copy the selection and put it on the Clipboard
Copy1Cut the selection and put it on the Clipboard
Find the specified text
Insert Clipboard contents
Paste
Repeat the last action
Repeat1Replace specific text with different text
Replace%Select the entire document
Select All
Undo the last action
Undo&Redo the previously undone action
'Show or hide the toolbar
Toggle ToolBar,Show or hide the status bar
Toggle StatusBar
Arrange icons on a grid.
Change the window size
Change the window position
Reduce the window to an icon
Enlarge the window to full size"Switch to the next document window&Switch to the previous document window9Close the active window and prompts to save the documents
!Restore the window to normal size
Activate Task List
'Close print preview mode
Cancel Preview
/Display items by using small icons.
Small Icons/Display items by using large icons.
Large Icons
Displays items in a list.
ListDDisplays detailed information about each item in the window.
Details
Arranges icons in a grid.
Sorts the icons alphabetically.
Quit the application
Exit%Open Dial-up watch
Open Dial-up watch
Calculate cost
Calculate cost
Exit)Open "Dial-up watch"
Open "Dial-up watch"

Full Results

Engine Signature
Bkav W32.AIDetectVM.malware1
Elastic Clean
MicroWorld-eScan Clean
FireEye Clean
CAT-QuickHeal Clean
McAfee Emotet-FSE!55629D34297D
Cylance Clean
Zillya Clean
SUPERAntiSpyware Clean
Sangfor Clean
K7AntiVirus Trojan ( 005605291 )
Alibaba Clean
K7GW Trojan ( 005605291 )
CrowdStrike Clean
Invincea Clean
Baidu Clean
Cyren Clean
Symantec Clean
TotalDefense Clean
APEX Malicious
Avast Clean
Cynet Clean
Kaspersky Clean
BitDefender Clean
NANO-Antivirus Clean
Paloalto Clean
AegisLab Clean
Tencent Clean
Ad-Aware Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
TrendMicro Clean
CMC Clean
Sophos Clean
SentinelOne Clean
GData Clean
Jiangmin Clean
Webroot Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Arcabit Clean
ViRobot Clean
ZoneAlarm Clean
Microsoft Clean
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
BitDefenderTheta Clean
ALYac Clean
MAX Clean
VBA32 Clean
Malwarebytes Clean
Zoner Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Rising Trojan.Kryptik!8.8 (TFE:6:lSbXDYX0Z5G)
Yandex Clean
Ikarus Clean
MaxSecure Clean
Fortinet W32/Kryptik.HGCU!tr
AVG Clean
Cybereason Clean
Panda Clean
Qihoo-360 Clean
Sorry! No behavior.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.6 56304 1.1.1.1 53
192.168.1.6 57593 1.1.1.1 53
192.168.1.6 58697 1.1.1.1 53
192.168.1.6 63241 1.1.1.1 53
192.168.1.6 63713 1.1.1.1 53
192.168.1.6 64201 1.1.1.1 53
192.168.1.6 137 192.168.1.255 137
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 57593 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 63241 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name emotet_exe_e1_e66c08fc6f64c._exe
PID 840
Dump Size 192512 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_e66c08fc6f64c._exe
Type PE image: 32-bit executable
PE timestamp 2020-09-16 09:59:00
MD5 dc934a04b91b879942787ef756e07557
SHA1 9aacabdaa49e868470eae82192e7f6c7a570657b
SHA256 76c247924c76ada021fe86d95cb3c57cfb3075f3ceb81c6ad64de05f67bb7d56
CRC32 5498F6B6
Ssdeep 3072:WcosYS2q2/4NPx3Q+3d4SxCmCcwQQH2ZaD58EdLdsFTTIp5+1Xr07V62H50EJ:VoqcqPhxN4SxLCxH2ZaDecJsxcp5+1Xk
Dump Filename 76c247924c76ada021fe86d95cb3c57cfb3075f3ceb81c6ad64de05f67bb7d56
Process Name emotet_exe_e1_e66c08fc6f64c._exe
PID 840
Dump Size 49664 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_e66c08fc6f64c._exe
Type PE image: 32-bit executable
PE timestamp 2020-09-10 18:12:31
MD5 8e5854713d00bcebd778bdbc9078ae35
SHA1 04bddebcc087aaf2a6644c9c2cfe2f9365a952c0
SHA256 d356e3d349f727a3ac2e770001524cd94669eb7b0c91ec4b6d004ac2cfd1044e
CRC32 72A34A3C
Ssdeep 768:dm6ICAAfN9MY19/JiM62s7C8xp+kI9LiDHTm+8ePzA:dm6IcRiMkC8xpdI89
CAPE Yara
  • Emotet Payload - Author: kevoreilly
Dump Filename d356e3d349f727a3ac2e770001524cd94669eb7b0c91ec4b6d004ac2cfd1044e
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_entropy
Discovery
  • T1057 - Process Discovery
    • Signature - process_interest

    Processing ( 10.166 seconds )

    • 5.242 Suricata
    • 2.878 CAPE
    • 0.755 BehaviorAnalysis
    • 0.414 NetworkAnalysis
    • 0.351 Static
    • 0.308 VirusTotal
    • 0.09 AnalysisInfo
    • 0.05 Deduplicate
    • 0.036 ProcDump
    • 0.02 TargetInfo
    • 0.009 peid
    • 0.008 Debug
    • 0.005 Strings

    Signatures ( 0.133 seconds )

    • 0.025 antiav_detectreg
    • 0.011 ransomware_files
    • 0.01 infostealer_ftp
    • 0.01 territorial_disputes_sigs
    • 0.008 ransomware_extensions
    • 0.006 antiav_detectfile
    • 0.006 infostealer_im
    • 0.005 persistence_autorun
    • 0.005 antianalysis_detectreg
    • 0.004 antianalysis_detectfile
    • 0.004 infostealer_bitcoin
    • 0.003 antivm_vbox_keys
    • 0.003 browser_security
    • 0.003 infostealer_mail
    • 0.003 masquerade_process_name
    • 0.002 api_spamming
    • 0.002 antivm_vbox_files
    • 0.002 geodo_banking_trojan
    • 0.002 disables_browser_warn
    • 0.001 Doppelganging
    • 0.001 antidbg_windows
    • 0.001 betabot_behavior
    • 0.001 decoy_document
    • 0.001 kibex_behavior
    • 0.001 NewtWire Behavior
    • 0.001 stealth_timeout
    • 0.001 tinba_behavior
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_parallels_keys
    • 0.001 antivm_vmware_keys
    • 0.001 antivm_vpc_keys
    • 0.001 antivm_xen_keys
    • 0.001 browser_addon
    • 0.001 modify_proxy
    • 0.001 azorult_mutexes
    • 0.001 revil_mutexes
    • 0.001 modirat_bheavior

    Reporting ( 7.797 seconds )

    • 7.514 BinGraph
    • 0.281 MITRE_TTPS
    • 0.002 PCAP2CERT