Detections

Yara:

Emotet

Analysis

Category FILE
Package Emotet
Started 2020-10-18 06:15:05
Completed 2020-10-18 06:16:12
Duration 67 seconds
2020-05-13 09:25:38,180 [root] INFO: Date set to: 20201018T06:15:03, timeout set to: 200
2020-10-18 06:15:03,046 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-10-18 06:15:03,046 [root] DEBUG: Storing results at: C:\HwSSForU
2020-10-18 06:15:03,046 [root] DEBUG: Pipe server name: \\.\PIPE\QmZSVB
2020-10-18 06:15:03,046 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-10-18 06:15:03,046 [root] INFO: Analysis package "Emotet" has been specified.
2020-10-18 06:15:03,046 [root] DEBUG: Importing analysis package "Emotet"...
2020-10-18 06:15:03,062 [root] DEBUG: Initializing analysis package "Emotet"...
2020-10-18 06:15:03,187 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2020-10-18 06:15:03,203 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2020-10-18 06:15:03,265 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2020-10-18 06:15:03,281 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2020-10-18 06:15:03,359 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2020-10-18 06:15:03,375 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2020-10-18 06:15:03,390 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2020-10-18 06:15:03,390 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-10-18 06:15:03,390 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-10-18 06:15:03,390 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-10-18 06:15:03,390 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-10-18 06:15:03,390 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-10-18 06:15:03,390 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-10-18 06:15:03,390 [lib.api.screenshot] DEBUG: Importing 'math'
2020-10-18 06:15:03,390 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-10-18 06:15:03,765 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-10-18 06:15:03,781 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-10-18 06:15:03,781 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-10-18 06:15:03,781 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2020-10-18 06:15:03,781 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2020-10-18 06:15:03,812 [root] DEBUG: Initializing auxiliary module "Browser"...
2020-10-18 06:15:03,812 [root] DEBUG: Started auxiliary module Browser
2020-10-18 06:15:03,812 [root] DEBUG: Initializing auxiliary module "Curtain"...
2020-10-18 06:15:03,812 [root] DEBUG: Started auxiliary module Curtain
2020-10-18 06:15:03,812 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2020-10-18 06:15:03,812 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-10-18 06:15:04,843 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-10-18 06:15:04,843 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-10-18 06:15:04,906 [root] DEBUG: Started auxiliary module DigiSig
2020-10-18 06:15:04,906 [root] DEBUG: Initializing auxiliary module "Disguise"...
2020-10-18 06:15:04,921 [modules.auxiliary.disguise] INFO: Disguising GUID to 89c745d1-e6f5-45c9-ba7a-24168d7ce1c9
2020-10-18 06:15:04,921 [root] DEBUG: Started auxiliary module Disguise
2020-10-18 06:15:04,921 [root] DEBUG: Initializing auxiliary module "Human"...
2020-10-18 06:15:04,937 [root] DEBUG: Started auxiliary module Human
2020-10-18 06:15:04,937 [root] DEBUG: Initializing auxiliary module "Procmon"...
2020-10-18 06:15:04,984 [root] DEBUG: Started auxiliary module Procmon
2020-10-18 06:15:04,984 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2020-10-18 06:15:05,000 [root] DEBUG: Started auxiliary module Screenshots
2020-10-18 06:15:05,000 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2020-10-18 06:15:05,000 [root] DEBUG: Started auxiliary module Sysmon
2020-10-18 06:15:05,015 [root] DEBUG: Initializing auxiliary module "Usage"...
2020-10-18 06:15:05,031 [root] DEBUG: Started auxiliary module Usage
2020-10-18 06:15:05,031 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL option
2020-10-18 06:15:05,031 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL_64 option
2020-10-18 06:15:05,031 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a loader option
2020-10-18 06:15:05,031 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a loader_64 option
2020-10-18 06:15:05,078 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe" with arguments "" with pid 896
2020-10-18 06:15:05,078 [lib.api.process] INFO: Monitor config for process 896: C:\tmp2ssujfce\dll\896.ini
2020-10-18 06:15:05,109 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-10-18 06:15:05,109 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-10-18 06:15:05,109 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\jGDuJid.dll, loader C:\tmp2ssujfce\bin\QgoxiXN.exe
2020-10-18 06:15:05,187 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QmZSVB.
2020-10-18 06:15:05,187 [root] DEBUG: Loader: Injecting process 896 (thread 528) with C:\tmp2ssujfce\dll\jGDuJid.dll.
2020-10-18 06:15:05,203 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\jGDuJid.dll.
2020-10-18 06:15:05,203 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:15:05,203 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\jGDuJid.dll.
2020-10-18 06:15:07,218 [lib.api.process] INFO: Successfully resumed process with pid 896
2020-10-18 06:15:07,390 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:15:07,406 [root] DEBUG: Auto-unpacking of payloads enabled.
2020-10-18 06:15:07,406 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:15:07,421 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:15:07,421 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 896 at 0x70390000, image base 0x400000, stack from 0x186000-0x190000
2020-10-18 06:15:07,421 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe"
2020-10-18 06:15:07,484 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77180000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x771eb5f0, Wow64PrepareForException: 0x0
2020-10-18 06:15:07,484 [root] INFO: Disabling sleep skipping.
2020-10-18 06:15:07,484 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x240000
2020-10-18 06:15:07,484 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-10-18 06:15:07,515 [root] INFO: Disabling sleep skipping.
2020-10-18 06:15:07,515 [root] INFO: Disabling sleep skipping.
2020-10-18 06:15:07,515 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-10-18 06:15:07,515 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x10b66, Entropy 6.420217e+00
2020-10-18 06:15:07,515 [root] DEBUG: UnpackerInit: Adding main image base to tracked regions.
2020-10-18 06:15:07,515 [root] INFO: Loaded monitor into process with pid 896
2020-10-18 06:15:07,546 [root] DEBUG: Allocation: 0x003E0000 - 0x003E1000, size: 0x1000, protection: 0x40.
2020-10-18 06:15:07,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-10-18 06:15:07,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-10-18 06:15:07,562 [root] DEBUG: ProcessImageBase: EP 0x00010B66 image base 0x00400000 size 0x0 entropy 6.433275e+00.
2020-10-18 06:15:07,562 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003E0000, size: 0x1000.
2020-10-18 06:15:07,562 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x003E0000.
2020-10-18 06:15:07,562 [root] DEBUG: AddTrackedRegion: New region at 0x003E0000 size 0x1000 added to tracked regions.
2020-10-18 06:15:07,562 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x003E0000, TrackedRegion->RegionSize: 0x1000, thread 528
2020-10-18 06:15:07,562 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x003E0000
2020-10-18 06:15:07,562 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x003E003C
2020-10-18 06:15:07,562 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x003E0000 (size 0x1000).
2020-10-18 06:15:07,578 [root] DEBUG: CAPEExceptionFilter: breakpoint 0 hit by instruction at 0x0040FF28 (thread 528)
2020-10-18 06:15:07,578 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003E0000.
2020-10-18 06:15:07,578 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0x6e.
2020-10-18 06:15:07,578 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-10-18 06:15:07,578 [root] DEBUG: Allocation: 0x004F0000 - 0x004F1000, size: 0x1000, protection: 0x40.
2020-10-18 06:15:07,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-10-18 06:15:07,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-10-18 06:15:07,578 [root] DEBUG: ProcessImageBase: EP 0x00010B66 image base 0x00400000 size 0x0 entropy 6.433275e+00.
2020-10-18 06:15:07,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-10-18 06:15:07,593 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x004F0000, size: 0x1000.
2020-10-18 06:15:07,593 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x004F0000.
2020-10-18 06:15:07,593 [root] DEBUG: AddTrackedRegion: New region at 0x004F0000 size 0x1000 added to tracked regions.
2020-10-18 06:15:07,593 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x004F0000, TrackedRegion->RegionSize: 0x1000, thread 528
2020-10-18 06:15:07,593 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x003E0000 to 0x004F0000.
2020-10-18 06:15:07,593 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x004F0000
2020-10-18 06:15:07,593 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x004F003C
2020-10-18 06:15:07,593 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x004F0000 (size 0x1000).
2020-10-18 06:15:07,609 [root] DEBUG: CAPEExceptionFilter: breakpoint 0 hit by instruction at 0x0040FF18 (thread 528)
2020-10-18 06:15:07,609 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x004F0000.
2020-10-18 06:15:07,609 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4f0000: 0x4c.
2020-10-18 06:15:07,609 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-10-18 06:15:07,609 [root] DEBUG: Allocation: 0x00500000 - 0x00501000, size: 0x1000, protection: 0x40.
2020-10-18 06:15:07,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-10-18 06:15:07,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-10-18 06:15:07,609 [root] DEBUG: ProcessImageBase: EP 0x00010B66 image base 0x00400000 size 0x0 entropy 6.433341e+00.
2020-10-18 06:15:07,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-10-18 06:15:07,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004F0000.
2020-10-18 06:15:07,625 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00500000, size: 0x1000.
2020-10-18 06:15:07,625 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00500000.
2020-10-18 06:15:07,625 [root] DEBUG: AddTrackedRegion: New region at 0x00500000 size 0x1000 added to tracked regions.
2020-10-18 06:15:07,625 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00500000, TrackedRegion->RegionSize: 0x1000, thread 528
2020-10-18 06:15:07,625 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x004F0000 to 0x00500000.
2020-10-18 06:15:07,625 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00500000
2020-10-18 06:15:07,625 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0050003C
2020-10-18 06:15:07,625 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00500000 (size 0x1000).
2020-10-18 06:15:07,625 [root] DEBUG: CAPEExceptionFilter: breakpoint 0 hit by instruction at 0x0040FF18 (thread 528)
2020-10-18 06:15:07,625 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00500000.
2020-10-18 06:15:07,640 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x500000: 0x4c.
2020-10-18 06:15:07,640 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-10-18 06:15:07,640 [root] DEBUG: Allocation: 0x01E30000 - 0x01E4A000, size: 0x1a000, protection: 0x40.
2020-10-18 06:15:07,640 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-10-18 06:15:07,640 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-10-18 06:15:07,640 [root] DEBUG: ProcessImageBase: EP 0x00010B66 image base 0x00400000 size 0x0 entropy 6.433402e+00.
2020-10-18 06:15:07,640 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-10-18 06:15:07,640 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004F0000.
2020-10-18 06:15:07,640 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-10-18 06:15:07,640 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x01E30000, size: 0x1a000.
2020-10-18 06:15:07,640 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x01E30000.
2020-10-18 06:15:07,656 [root] DEBUG: AddTrackedRegion: New region at 0x01E30000 size 0x1a000 added to tracked regions.
2020-10-18 06:15:07,656 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x01E30000, TrackedRegion->RegionSize: 0x1a000, thread 528
2020-10-18 06:15:07,656 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00500000 to 0x01E30000.
2020-10-18 06:15:07,656 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x01E30000
2020-10-18 06:15:07,656 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x01E3003C
2020-10-18 06:15:07,656 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x01E30000 (size 0x1a000).
2020-10-18 06:15:07,656 [root] DEBUG: CAPEExceptionFilter: breakpoint 0 hit by instruction at 0x0041517F (thread 528)
2020-10-18 06:15:07,687 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x01E30000.
2020-10-18 06:15:07,687 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1e30000: 0xf.
2020-10-18 06:15:07,687 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-10-18 06:15:07,687 [root] DEBUG: CAPEExceptionFilter: breakpoint 1 hit by instruction at 0x0041518E (thread 528)
2020-10-18 06:15:07,687 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01E3003C.
2020-10-18 06:15:07,687 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x4804a37b (at 0x01E3003C).
2020-10-18 06:15:07,687 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01E30000.
2020-10-18 06:15:07,687 [root] DEBUG: CAPEExceptionFilter: breakpoint 0 hit by instruction at 0x00402C0C (thread 528)
2020-10-18 06:15:07,687 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x01E30000.
2020-10-18 06:15:07,687 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1e30000: 0xe8.
2020-10-18 06:15:07,687 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-10-18 06:15:07,703 [root] DEBUG: CAPEExceptionFilter: breakpoint 0 hit by instruction at 0x00402C0C (thread 528)
2020-10-18 06:15:07,703 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x01E30000.
2020-10-18 06:15:07,703 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1e30000: 0xe8.
2020-10-18 06:15:07,703 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-10-18 06:15:07,703 [root] DEBUG: CAPEExceptionFilter: breakpoint 1 hit by instruction at 0x00402C0C (thread 528)
2020-10-18 06:15:07,703 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01E3003C.
2020-10-18 06:15:07,703 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x4804a356 (at 0x01E3003C).
2020-10-18 06:15:07,703 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01E30000.
2020-10-18 06:15:07,703 [root] DEBUG: CAPEExceptionFilter: breakpoint 1 hit by instruction at 0x00402C0C (thread 528)
2020-10-18 06:15:07,703 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01E3003C.
2020-10-18 06:15:07,703 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x48045756 (at 0x01E3003C).
2020-10-18 06:15:07,703 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01E30000.
2020-10-18 06:15:07,703 [root] DEBUG: CAPEExceptionFilter: breakpoint 1 hit by instruction at 0x00402C0C (thread 528)
2020-10-18 06:15:07,734 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01E3003C.
2020-10-18 06:15:07,734 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x48335756 (at 0x01E3003C).
2020-10-18 06:15:07,734 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01E30000.
2020-10-18 06:15:07,734 [root] DEBUG: CAPEExceptionFilter: breakpoint 1 hit by instruction at 0x00402C0C (thread 528)
2020-10-18 06:15:07,734 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01E3003C.
2020-10-18 06:15:07,734 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x01E3003C).
2020-10-18 06:15:07,734 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01E30000.
2020-10-18 06:15:07,765 [root] DEBUG: CAPEExceptionFilter: breakpoint 2 hit by instruction at 0x01E30000 (thread 528)
2020-10-18 06:15:07,765 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x01E30000 (allocation base 0x01E30000).
2020-10-18 06:15:07,765 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1e30000 - 0x1e4a000.
2020-10-18 06:15:07,781 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x01E30000.
2020-10-18 06:15:07,781 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x01E3003C.
2020-10-18 06:15:07,781 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x01E30000.
2020-10-18 06:15:07,781 [root] DEBUG: ShellcodeExecCallback: About to scan region for a PE image (base 0x01E30000, size 0x1a000).
2020-10-18 06:15:07,781 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e30000 - 0x1e4a000.
2020-10-18 06:15:07,781 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1e3052e
2020-10-18 06:15:07,781 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:15:07,781 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x01E3052E.
2020-10-18 06:15:07,828 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x19000.
2020-10-18 06:15:07,828 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1e3279e
2020-10-18 06:15:07,828 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:15:07,828 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x01E3279E.
2020-10-18 06:15:07,890 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x16a00.
2020-10-18 06:15:07,890 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e3379e-0x1e4a000.
2020-10-18 06:15:07,890 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2020-10-18 06:15:07,890 [root] DEBUG: set_caller_info: Adding region at 0x01E30000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:15:07,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-10-18 06:15:07,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-10-18 06:15:07,906 [root] DEBUG: ProcessImageBase: EP 0x00010B66 image base 0x00400000 size 0x0 entropy 6.433633e+00.
2020-10-18 06:15:07,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-10-18 06:15:07,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004F0000.
2020-10-18 06:15:07,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-10-18 06:15:07,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01E30000.
2020-10-18 06:15:07,921 [root] DEBUG: ProtectionHandler: Adding region at 0x01E51000 to tracked regions.
2020-10-18 06:15:07,921 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x01E51000.
2020-10-18 06:15:07,921 [root] DEBUG: AddTrackedRegion: New region at 0x01E50000 size 0x2000 added to tracked regions: EntryPoint 0x27b0, Entropy 6.903276e+00
2020-10-18 06:15:07,921 [root] DEBUG: ProtectionHandler: Address: 0x01E51000 (alloc base 0x01E50000), NumberOfBytesToProtect: 0x1a00, NewAccessProtection: 0x20
2020-10-18 06:15:07,921 [root] DEBUG: ProtectionHandler: Increased region size at 0x01E51000 to 0x2a00.
2020-10-18 06:15:07,921 [root] DEBUG: ProtectionHandler: New code detected at (0x01E50000), scanning for PE images.
2020-10-18 06:15:07,921 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e50000 - 0x1e52a00.
2020-10-18 06:15:07,921 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1e50000
2020-10-18 06:15:07,937 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:15:07,937 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01E50000.
2020-10-18 06:15:07,937 [root] DEBUG: DumpProcess: Module entry point VA is 0x000027B0.
2020-10-18 06:15:07,984 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x19000.
2020-10-18 06:15:07,984 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e51000-0x1e52a00.
2020-10-18 06:15:07,984 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x01E50000 - 0x01E52A00.
2020-10-18 06:15:07,984 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x01E50000.
2020-10-18 06:15:07,984 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1e50000 - 0x1e52a00.
2020-10-18 06:15:07,984 [root] DEBUG: set_caller_info: Adding region at 0x01E50000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:15:08,015 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-10-18 06:15:08,015 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-10-18 06:15:08,015 [root] DEBUG: ProcessImageBase: EP 0x00010B66 image base 0x00400000 size 0x0 entropy 6.433633e+00.
2020-10-18 06:15:08,015 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-10-18 06:15:08,015 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004F0000.
2020-10-18 06:15:08,031 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-10-18 06:15:08,031 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01E30000.
2020-10-18 06:15:08,031 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01E50000.
2020-10-18 06:15:08,031 [root] DEBUG: ProtectionHandler: Adding region at 0x03581000 to tracked regions.
2020-10-18 06:15:08,031 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x03581000.
2020-10-18 06:15:08,031 [root] DEBUG: AddTrackedRegion: New region at 0x03580000 size 0xb000 added to tracked regions: EntryPoint 0x5d20, Entropy 6.804941e+00
2020-10-18 06:15:08,031 [root] DEBUG: ProtectionHandler: Address: 0x03581000 (alloc base 0x03580000), NumberOfBytesToProtect: 0xa600, NewAccessProtection: 0x20
2020-10-18 06:15:08,031 [root] DEBUG: ProtectionHandler: Increased region size at 0x03581000 to 0xb600.
2020-10-18 06:15:08,031 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x03580000, TrackedRegion->RegionSize: 0xb600, thread 528
2020-10-18 06:15:08,046 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x01E30000 to 0x03580000.
2020-10-18 06:15:08,046 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x51 at protected address: 0x03581000
2020-10-18 06:15:08,046 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0358003C
2020-10-18 06:15:08,046 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x03581000.
2020-10-18 06:15:08,046 [root] DEBUG: set_caller_info: Adding region at 0x03580000 to caller regions list (ntdll::LdrGetDllHandle).
2020-10-18 06:15:08,218 [root] DEBUG: DLL loaded at 0x76A70000: C:\Windows\syswow64\crypt32 (0x122000 bytes).
2020-10-18 06:15:08,218 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-10-18 06:15:08,312 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-10-18 06:15:08,312 [root] DEBUG: DLL loaded at 0x75B90000: C:\Windows\syswow64\urlmon (0x124000 bytes).
2020-10-18 06:15:08,328 [root] DEBUG: DLL loaded at 0x76EB0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-10-18 06:15:08,328 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-10-18 06:15:08,328 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-10-18 06:15:08,328 [root] DEBUG: DLL loaded at 0x76E40000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-10-18 06:15:08,328 [root] DEBUG: DLL loaded at 0x76EE0000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-10-18 06:15:08,328 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\version (0x9000 bytes).
2020-10-18 06:15:08,343 [root] DEBUG: DLL loaded at 0x767F0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-10-18 06:15:08,343 [root] DEBUG: DLL loaded at 0x766F0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-10-18 06:15:08,343 [root] DEBUG: DLL loaded at 0x76BA0000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-10-18 06:15:08,343 [root] DEBUG: DLL loaded at 0x75CC0000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-10-18 06:15:08,359 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\system32\userenv (0x17000 bytes).
2020-10-18 06:15:08,359 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-10-18 06:15:08,359 [root] DEBUG: DLL loaded at 0x743F0000: C:\Windows\system32\wtsapi32 (0xd000 bytes).
2020-10-18 06:15:08,484 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3584.
2020-10-18 06:15:08,656 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 06:15:08,671 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-10-18 06:15:17,218 [root] INFO: Analysis timeout hit, terminating analysis.
2020-10-18 06:15:17,218 [lib.api.process] INFO: Terminate event set for process 896
2020-10-18 06:15:17,218 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 896).
2020-10-18 06:15:17,218 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-10-18 06:15:17,218 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-10-18 06:15:17,218 [root] DEBUG: ProcessImageBase: EP 0x00010B66 image base 0x00400000 size 0x0 entropy 6.433633e+00.
2020-10-18 06:15:17,218 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-10-18 06:15:17,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004F0000.
2020-10-18 06:15:17,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-10-18 06:15:17,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01E30000.
2020-10-18 06:15:17,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x03580000.
2020-10-18 06:15:17,234 [root] DEBUG: Terminate Event: Attempting to dump process 896
2020-10-18 06:15:17,234 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-10-18 06:15:17,234 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:15:17,234 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-10-18 06:15:17,234 [root] DEBUG: DumpProcess: Module entry point VA is 0x00010B66.
2020-10-18 06:15:17,281 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x59c00.
2020-10-18 06:15:17,281 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x03580000.
2020-10-18 06:15:17,281 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:15:17,281 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x03580000.
2020-10-18 06:15:17,281 [root] DEBUG: DumpProcess: Module entry point VA is 0x00005D20.
2020-10-18 06:15:17,312 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x16800.
2020-10-18 06:15:17,312 [lib.api.process] INFO: Termination confirmed for process 896
2020-10-18 06:15:17,312 [root] INFO: Terminate event set for process 896.
2020-10-18 06:15:17,312 [root] INFO: Created shutdown mutex.
2020-10-18 06:15:17,312 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 896
2020-10-18 06:15:17,593 [root] DEBUG: DLL loaded at 0x73230000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-10-18 06:15:17,609 [root] DEBUG: DLL loaded at 0x72DF0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-10-18 06:15:17,625 [root] DEBUG: DLL loaded at 0x763F0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-10-18 06:15:17,625 [root] DEBUG: DLL loaded at 0x760B0000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-10-18 06:15:17,625 [root] DEBUG: DLL loaded at 0x6EA70000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-10-18 06:15:17,640 [root] DEBUG: DLL loaded at 0x6EA20000: C:\Windows\system32\webio (0x50000 bytes).
2020-10-18 06:15:17,640 [root] DEBUG: DLL unloaded from 0x6EA70000.
2020-10-18 06:15:17,640 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-10-18 06:15:17,656 [root] DEBUG: DLL loaded at 0x72DE0000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-10-18 06:15:17,656 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-10-18 06:15:17,656 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-10-18 06:15:17,671 [root] DEBUG: DLL loaded at 0x702A0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-10-18 06:15:17,671 [root] DEBUG: DLL loaded at 0x70250000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-10-18 06:15:17,687 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-10-18 06:15:17,687 [root] DEBUG: DLL loaded at 0x70310000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-10-18 06:15:17,687 [root] DEBUG: DLL loaded at 0x72E10000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-10-18 06:15:17,703 [root] DEBUG: DLL loaded at 0x746C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-10-18 06:15:17,703 [root] DEBUG: DLL loaded at 0x702D0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-10-18 06:15:17,718 [root] DEBUG: DLL loaded at 0x70230000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-10-18 06:15:17,718 [root] DEBUG: DLL loaded at 0x6FA80000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-10-18 06:15:17,734 [root] DEBUG: DLL loaded at 0x702B0000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-10-18 06:15:17,734 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-10-18 06:15:17,765 [root] DEBUG: DLL loaded at 0x73A10000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\Comctl32 (0x19e000 bytes).
2020-10-18 06:15:17,765 [root] DEBUG: DLL unloaded from 0x746C0000.
2020-10-18 06:15:17,765 [root] DEBUG: DLL unloaded from 0x72DE0000.
2020-10-18 06:15:17,765 [root] DEBUG: DLL loaded at 0x72E00000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-10-18 06:15:18,312 [root] INFO: Shutting down package.
2020-10-18 06:15:18,312 [root] INFO: Stopping auxiliary modules.
2020-10-18 06:15:18,531 [lib.common.results] WARNING: File C:\HwSSForU\bin\procmon.xml doesn't exist anymore
2020-10-18 06:15:18,531 [root] INFO: Finishing auxiliary modules.
2020-10-18 06:15:18,531 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-10-18 06:15:18,531 [root] WARNING: Folder at path "C:\HwSSForU\debugger" does not exist, skip.
2020-10-18 06:15:18,531 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_1 win7x64_5 KVM 2020-10-18 06:15:05 2020-10-18 06:16:12

File Details

File Name emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe
File Size 373248 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2020-10-16 20:25:24
MD5 e0384cd4bbf35bcf1d2c96894c4886bc
SHA1 d2c9134479ff3590e4d99f21d968fa2dc4a321f4
SHA256 df03c47f6fb13fe970f1cedefef217bc14126d0b697c9ecbe0d41d5b3162ccb4
SHA512 042e220c34ec90edcb987137ba18676728efe03a2167fd19881047d4bc0319f4716c371f9b0e6dad8facd37f1590fe471cd4dbfbd1886b9c7cdec3bfcf845769
CRC32 B56BA0C8
Ssdeep 6144:Bq7qn/fjMREXGdAEsas1Jea/b+3Lhr1C8J/XO6Mb:Bq/RjdAKcJH/K7J1CAJ

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 896 triggered the Yara rule 'Emotet'
Mimics the system's user agent string for its own requests
Dynamic (imported) function loading detected
DynamicLoader: ntdll.dll/qsort
DynamicLoader: ntdll.dll/bsearch
DynamicLoader: ntdll.dll/wcslen
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/IsBadReadPtr
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: IPHLPAPI.DLL/GetBestInterfaceEx
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/GetAddrInfoW
Performs HTTP requests potentially not found in PCAP.
url: 2.45.176.233:80/BLfQ9KqDOoIqcG/zqz2N/KQXL5UF/nBOzoLvdOrveZ8Hd/LqlQQz0euc/
Enumerates running processes
process: System with pid 4
process: smss.exe with pid 248
process: csrss.exe with pid 328
process: csrss.exe with pid 376
process: wininit.exe with pid 384
process: winlogon.exe with pid 412
process: services.exe with pid 476
process: lsass.exe with pid 484
process: lsm.exe with pid 492
process: svchost.exe with pid 592
process: svchost.exe with pid 668
process: svchost.exe with pid 764
process: svchost.exe with pid 796
process: svchost.exe with pid 820
process: svchost.exe with pid 844
process: svchost.exe with pid 308
process: spoolsv.exe with pid 1036
process: taskeng.exe with pid 1044
process: svchost.exe with pid 1108
process: OfficeClickToRun.exe with pid 1248
process: taskhost.exe with pid 1344
process: GoogleUpdate.exe with pid 1352
process: dwm.exe with pid 1420
process: explorer.exe with pid 1428
process: svchost.exe with pid 1616
process: svchost.exe with pid 2040
process: whatapp.exe with pid 1380
process: SearchIndexer.exe with pid 2220
process: mscorsvw.exe with pid 2284
process: mscorsvw.exe with pid 2640
process: taskeng.exe with pid 2516
process: OneDriveStandaloneUpdater.exe with pid 2908
process: splwow64.exe with pid 3652
process: OSPPSVC.EXE with pid 3768
process: SDXHelper.exe with pid 1632
process: taskhost.exe with pid 4880
process: emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe with pid 896
process: SDXHelper.exe with pid 3660
Expresses interest in specific running processes
process: emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe
CAPE extracted potentially suspicious content
emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe: Emotet Payload: 32-bit DLL
emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe: Emotet
emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe: Emotet Payload: 32-bit executable
emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe: Emotet
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.56, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00020200, virtual_size: 0x00020163
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe
CAPE detected the Emotet malware family
File has been identified by 34 Antiviruses on VirusTotal as malicious
Bkav: W32.AIDetectVM.malware1
Elastic: malicious (high confidence)
DrWeb: Trojan.Emotet.1041
MicroWorld-eScan: Trojan.GenericKD.34802371
Alibaba: Trojan:Win32/EmotetCrypt.be825df8
Invincea: Mal/Generic-S
BitDefenderTheta: Gen:[email protected]
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: Win32/Emotet.CI
Avast: Win32:BankerX-gen [Trj]
Kaspersky: HEUR:Trojan.Win32.Zenpak.gen
BitDefender: Trojan.GenericKD.34802371
Paloalto: generic.ml
Rising: [email protected] (RDML:ryuRL5nk+6wrBIEhcLaMLA)
Ad-Aware: Trojan.GenericKD.34802371
Sophos: Mal/Generic-S
McAfee-GW-Edition: BehavesLike.Win32.Generic.fh
FireEye: Generic.mg.e0384cd4bbf35bcf
Emsisoft: Trojan.GenericKD.34802371 (B)
Ikarus: Trojan-Banker.Emotet
GData: Trojan.GenericKD.34802371
eGambit: Unsafe.AI_Score_96%
Arcabit: Trojan.Generic.D2130AC3
ZoneAlarm: HEUR:Trojan.Win32.Zenpak.gen
Microsoft: Trojan:Win32/EmotetCrypt.PEF!MTB
Cynet: Malicious (score: 100)
McAfee: GenericRXAA-AA!E0384CD4BBF3
MAX: malware (ai score=87)
Malwarebytes: Trojan.Emotet
APEX: Malicious
SentinelOne: DFI - Suspicious PE
Fortinet: W32/BankerX.5CC7!tr
AVG: Win32:BankerX-gen [Trj]
Qihoo-360: Win32/Trojan.716
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 2.45.176.233 [VT] Italy
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe.2.Manifest
C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe.3.Manifest
C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe.Config
C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe
C:\Windows\System32\*
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
\??\Nsi
C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe.2.Manifest
C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe.3.Manifest
C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe.Config
C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.CreateActCtxW
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
user32.dll.NotifyWinEvent
kernel32.dll.VirtualAllocExNuma
ntdll.dll.LdrFindResource_U
ntdll.dll.LdrAccessResource
ntdll.dll.qsort
ntdll.dll.bsearch
ntdll.dll.wcslen
kernel32.dll.VirtualFree
kernel32.dll.Process32Next
kernel32.dll.Process32First
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.CloseHandle
kernel32.dll.SetLastError
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.ExitProcess
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.VirtualQuery
kernel32.dll.FreeLibrary
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryA
kernel32.dll.LoadLibraryW
kernel32.dll.IsBadReadPtr
kernel32.dll.GetNativeSystemInfo
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
iphlpapi.dll.NotifyUnicastIpAddressChange
iphlpapi.dll.GetBestInterfaceEx
iphlpapi.dll.GetIfEntry2
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
ws2_32.dll.GetAddrInfoW

BinGraph

(binary entropy graph image not included)

PE Information

Image Base 0x00400000
Entry Point 0x00410b66
Reported Checksum 0x0006846d
Actual Checksum 0x0005d5af
Minimum OS Version 5.0
Compile Time 2020-10-16 20:25:24
Import Hash 763e965a2cf58d23d3ae92c9a69eba4d
Icon Exact Hash 6521591d1f2314d311de64678e92d647
Icon Similarity Hash 9742f9137b96ee123c763608f07828e6

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x000260c1 0x00026200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.61
.rdata 0x00026600 0x00028000 0x00009436 0x00009600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.03
.data 0x0002fc00 0x00032000 0x00006e98 0x00003200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.33
.rsrc 0x00032e00 0x00039000 0x00020163 0x00020200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.56
.reloc 0x00053000 0x0005a000 0x000081c0 0x00008200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.07

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x0003adb4 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_BITMAP 0x0003afa0 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 None
RT_BITMAP 0x0003afa0 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 None
RT_ICON 0x0003b0e4 0x00000ca8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_DIALOG 0x0003df24 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x0003df24 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x0003df24 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x0003df24 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x0003df24 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x0003df24 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x0003df24 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x0003df24 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_DIALOG 0x0003df24 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_STRING 0x0003f4c8 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 1.96 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_CURSOR 0x0003f634 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_ICON 0x0003f648 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 1.92 None
RT_MANIFEST 0x0003f974 0x000002bb LANG_ENGLISH SUBLANG_ENGLISH_US 4.81 None
RT_MANIFEST 0x0003f974 0x000002bb LANG_ENGLISH SUBLANG_ENGLISH_US 4.81 None
None 0x0003fc30 0x00019533 LANG_ENGLISH SUBLANG_ENGLISH_US 7.99 None

Imports

0x428088 RtlUnwind
0x428090 RaiseException
0x428094 HeapAlloc
0x428098 GetCommandLineA
0x42809c GetStartupInfoA
0x4280a0 HeapFree
0x4280a4 VirtualAlloc
0x4280a8 HeapReAlloc
0x4280ac Sleep
0x4280b0 ExitProcess
0x4280b4 HeapSize
0x4280b8 TerminateProcess
0x4280c4 IsDebuggerPresent
0x4280c8 VirtualFree
0x4280cc HeapCreate
0x4280d0 GetStdHandle
0x4280d4 GetACP
0x4280d8 IsValidCodePage
0x4280e8 SetHandleCount
0x4280ec GetFileType
0x4280f4 GetTickCount
0x4280fc LCMapStringA
0x428100 LCMapStringW
0x428104 GetStringTypeA
0x428108 GetStringTypeW
0x42810c GetUserDefaultLCID
0x428110 EnumSystemLocalesA
0x428114 IsValidLocale
0x428118 GetConsoleCP
0x42811c GetConsoleMode
0x428120 GetLocaleInfoW
0x428124 SetStdHandle
0x428128 WriteConsoleA
0x42812c GetConsoleOutputCP
0x428130 WriteConsoleW
0x428134 SetErrorMode
0x42813c GetModuleHandleW
0x428140 GetOEMCP
0x428144 GetCPInfo
0x42814c TlsFree
0x428154 LocalReAlloc
0x428158 TlsSetValue
0x42815c TlsAlloc
0x428164 GlobalHandle
0x428168 GlobalReAlloc
0x428170 TlsGetValue
0x428178 LocalAlloc
0x42817c GlobalFlags
0x428184 GetModuleFileNameW
0x428188 FlushFileBuffers
0x42818c GetCurrentThread
0x428198 GetLocaleInfoA
0x42819c InterlockedExchange
0x4281a0 lstrcmpA
0x4281a4 GetCurrentProcessId
0x4281a8 GetModuleFileNameA
0x4281ac GlobalAlloc
0x4281b0 FormatMessageA
0x4281b4 LocalFree
0x4281b8 GetCurrentThreadId
0x4281bc GlobalGetAtomNameA
0x4281c0 GlobalAddAtomA
0x4281c4 GlobalFindAtomA
0x4281c8 GlobalDeleteAtom
0x4281cc FreeLibrary
0x4281d0 CompareStringA
0x4281d4 LoadLibraryA
0x4281d8 GetLastError
0x4281dc SetLastError
0x4281e0 MultiByteToWideChar
0x4281e4 lstrcmpW
0x4281e8 GetModuleHandleA
0x4281ec GetVersionExA
0x4281f0 GlobalLock
0x4281f4 GlobalUnlock
0x4281f8 GlobalFree
0x4281fc CreateFileA
0x428200 WriteFile
0x428204 CloseHandle
0x428208 SetFilePointer
0x42820c ReadFile
0x428210 GetModuleHandleExA
0x428214 GetProcAddress
0x428218 GetCurrentProcess
0x42821c lstrlenA
0x428220 WideCharToMultiByte
0x428224 FindResourceA
0x428228 LoadResource
0x42822c LockResource
0x428234 SizeofResource
0x428258 LoadCursorA
0x42825c GetSysColorBrush
0x428260 ReleaseDC
0x428264 GetDC
0x428268 ClientToScreen
0x42826c GrayStringA
0x428270 DrawTextExA
0x428274 DrawTextA
0x428278 TabbedTextOutA
0x42827c DestroyMenu
0x428280 SetCursor
0x428284 GetMessageA
0x428288 TranslateMessage
0x42828c GetCursorPos
0x428290 ValidateRect
0x428294 PostQuitMessage
0x42829c ShowWindow
0x4282a0 SetWindowTextA
0x4282a4 SetMenuItemBitmaps
0x4282ac LoadBitmapA
0x4282b0 ModifyMenuA
0x4282b4 CheckMenuItem
0x4282bc WinHelpA
0x4282c0 GetCapture
0x4282c4 SetWindowsHookExA
0x4282c8 CallNextHookEx
0x4282cc GetClassLongA
0x4282d0 GetClassNameA
0x4282d4 SetPropA
0x4282d8 GetPropA
0x4282dc RemovePropA
0x4282e0 GetFocus
0x4282e4 GetWindowTextA
0x4282e8 GetForegroundWindow
0x4282ec GetLastActivePopup
0x4282f0 DispatchMessageA
0x4282f4 GetTopWindow
0x4282f8 UnhookWindowsHookEx
0x4282fc GetMessageTime
0x428300 GetMessagePos
0x428304 PeekMessageA
0x428308 MapWindowPoints
0x42830c GetKeyState
0x428310 SetMenu
0x428314 SetForegroundWindow
0x428318 IsWindowVisible
0x42831c EnableWindow
0x428320 SendMessageA
0x428324 PostMessageA
0x428328 GetSubMenu
0x42832c GetMenuItemID
0x428330 GetMenuItemCount
0x428334 MessageBoxA
0x428338 CreateWindowExA
0x42833c GetClassInfoExA
0x428340 GetClassInfoA
0x428344 RegisterClassA
0x428348 GetSysColor
0x42834c AdjustWindowRectEx
0x428350 UnregisterClassA
0x428354 GetMenuState
0x428358 IsIconic
0x42835c GetClientRect
0x428360 LoadIconA
0x428364 GetSystemMetrics
0x428368 GetParent
0x42836c IsWindowEnabled
0x428370 GetDlgItem
0x428374 GetWindowLongA
0x428378 IsWindow
0x42837c DestroyWindow
0x428380 GetActiveWindow
0x428384 GetWindow
0x428388 GetWindowRect
0x42838c CopyRect
0x428390 PtInRect
0x428394 GetDlgCtrlID
0x428398 DefWindowProcA
0x42839c CallWindowProcA
0x4283a0 GetMenu
0x4283a4 SetWindowLongA
0x4283a8 SetWindowPos
0x4283b0 GetWindowPlacement
0x4283b4 EnableMenuItem
0x428028 ScaleWindowExtEx
0x42802c DeleteDC
0x428030 GetStockObject
0x428034 SetWindowExtEx
0x428038 ScaleViewportExtEx
0x42803c SetViewportExtEx
0x428040 OffsetViewportOrgEx
0x428044 SetViewportOrgEx
0x428048 SelectObject
0x42804c Escape
0x428050 TextOutA
0x428054 RectVisible
0x428058 PtVisible
0x42805c DeleteObject
0x428060 SetMapMode
0x428064 RestoreDC
0x428068 SaveDC
0x42806c ExtTextOutA
0x428070 GetDeviceCaps
0x428074 CreateBitmap
0x428078 SetBkColor
0x42807c SetTextColor
0x428080 GetClipBox
0x4283bc DocumentPropertiesA
0x4283c0 OpenPrinterA
0x4283c4 ClosePrinter
0x428000 RegSetValueExA
0x428004 RegCreateKeyExA
0x428008 RegQueryValueA
0x42800c RegOpenKeyA
0x428010 RegEnumKeyA
0x428014 RegDeleteKeyA
0x428018 RegOpenKeyExA
0x42801c RegQueryValueExA
0x428020 RegCloseKey
0x42824c PathFindFileNameA
0x428250 PathFindExtensionA
0x42823c VariantClear
0x428240 VariantChangeType
0x428244 VariantInit

!This program cannot be run in DOS mode.
RichC
.text
`.rdata
@.data
.rsrc
@.reloc
VQRUj
^_][Y
SUVW3
PQSVW
@;D$
L$$Qj
T$0Rh
L$$QRh
D$(PjMh $C
L$4QRV
\$p9t$hr
9t$Lr
Y_^][
+WPWU
L$0PQP
PQUVW
PWRQV
;(r[V
Q$_^]
Q(_^]
Q,_^]
Q0_^]
Q4_^]
Q8_^]
Q<_^]
QD_^]
QP_^]
QT_^]
QX_^]
Q\_^]
Qd_^]
Qh_^]
S\_^[]
S\_^[]
@[_^]
t39w u&
_ 9w$u
Ht;O u
Q$_^]
Q(_^]
Q,_^]
Q0_^]
Q4_^]
Q8_^]
Q<_^]
QD_^]
QP_^]
QT_^]
QX_^]
Q\_^]
Qd_^]
u:j0^V
SVWj(3
9=ppC
9=ppC
SSOWVQ
v|h4{C
P|_^]
j _W3
0WWWWS
WWWWS
Ph_^[
@_[^]
WtrHHt
tA9wht<
9p t-S
9p$ty
+F(_^[;E
F(@@;F,v
F(;^ r
F(;F0u
^(_^[]
Pjmh8
jmh8
<A|0<Z
1GG;E
<A|S<Z
1CC;E
PWVWWW
WVWWW
QQSVW
^(_^[
9~8ucj
F4_^[]
QQSVWd
0WWWWW
0WWWWW
SSSSS
SSSSS
VVVVV
SSSSS
SSSSS
HH_^[
SSSSS
SSSSS
SSSSS
@PVh(
SSSSS
YQPVh
Y__^[
0SSSSS
Y__^[
0;1t|
wIVSP
0SSSSS
0SSSSS
SSSSS
WWWWW
WWWWW
^SSSSS
^SSSSS
SSSSS
SSSSS
s[S;7|G;w
tR99u2
@_^[]
tehUGA
PPPPP
VVVVV
PPPPP
VVVVV
VVVVV
VVVVV
to=(HC
Y_^[]
SSSSS
SSSSS
PPPPP
SSSSS
PPPPP
VVVVV
VVVVV
VVVVV
PPPPP
VVVVV
vSSSh
SSSSS
PPPPP
, <Xw
t%HHt
HHtXHHt
HHty+
>If90t
PPPPP
t$HHt
HHtYHHt
HHty+
_VVVVV
SSSSS
SSSSS
^WWWWW
PPPPP
SSSSS
SSSSS
VVVVV
t$<"u
>=Yt1j
tNVSP
PPPPP
< tK<
@PWSS
URPQQh
SSSSS
^SSSSS
^SSSSS
j"^SSSSS
PPPPP
WWWWW
PPPPPPPP
PPPPPPPP
WWWWW
SVWUj
;t$,v-
UQPXY]Y[
VVVVV
u8SS3
9]$SS
t"SS9]
9] SS
Pj1Q3
F Pj*
F$Pj+
F(Pj,
F,Pj-
F0Pj.
F4Pj/
F8PjD
F<PjE
FDPjG
FHPjH
FLPjI
FPPjJ
FTPjK
FXPjL
F\PjM
F`PjN
FdPjO
FhPj8
FlPj9
FpPj:
FtPj;
FxPj<
F|Pj=
;50HC
v$;5LHC
C PjPV
C$PjQV
C*PjTV
C+PjUV
C,PjVV
C-PjWV
C.PjRV
C/PjSV
PPPPP
PPPPPPPP
WWWWW
WWWWW
VVVVV
VVVVV
WWWWW
VVVVV
VVVVV
^SSSSS
j"^SSSSS
QSWVj
SSSSW
SSSSW
0SSSSS
PPPPP
_VVVVV
u,VVWV
t VV9u
WWWWW
@WuyV
WWWWW
VVVVV
WWWWV
t+WWVPV
SSSSS
SSSSS
VVVVV
SSSSS
SSSSS
VVVVV
VW|[;
VVVVV
~,WPV
SSSSS
<+t(<-t$:
+t HHt
VVVVV
VVVVV
SSSSS
SSSSS
VVVVV
WWWWW
WWWWW
SSSSS
WWWWW
FYY;u
FYY;u
HHtt2
t}9>uyj
9^Lth
F 98u
FAPPW
9^Lty
FAPPQ
F09^(u
Wh<QC
QRPh<
WWWWW
WWWWW
WWWWW
WWWWW
SSSSS
WWWWW
VVVVV
WWWWW
WWWWW
VVVVV
VVVVV
WWWWW
SSSSS
bad allocation
SynthPop
Anime
Trash Metal
Salsa
Merengue
Christian Rock
Contemporary Christian
Crossover
Black Metal
Heavy Metal
Christian Gangsta Rap
Polsk Punk
Negerpunk
BritPop
Indie
Terror
Hardcore
Club House
Drum & Bass
Dance Hall
Euro House
A Capella
Drum Solo
Punk Rock
Freestyle
Rhytmic Soul
Power Ballad
Ballad
Folklore
Samba
Tango
Slow Jam
Satire
Porn Groove
Primus
Booty Bass
Symphony
Sonata
Chamber Music
Opera
Chanson
Speech
Humour
Acoustic
Easy Listening
Chorus
Big Band
Slow Rock
Symphonic Rock
Psychedelic Rock
Progressive Rock
Gothic Rock
Avantgarde
Bluegrass
Celtic
Revival
Latin
Bebob
Fast Fusion
Swing
National Folk
Folk Rock
Hard Rock
Rock & Roll
Musical
Retro
Polka
Acid Jazz
Acid Punk
Tribal
Lo-Fi
Trailer
ShowTunes
Psychadelic
New Wave
Cabaret
Native American
Jungle
Pop Funk
Christian Rap
Top 40
Gangsta
Comedy
Southern Rock
Dream
Eurodance
Pop Folk
Electronic
Techno-Industrial
Darkwave
Gothic
Ethnic
Instrumental Rock
Instrumental Pop
Meditative
Space
Alternative Rock
Noise
Gospel
Sound Clip
House
Instrumental
Classical
Trance
Fusion
Jazz Funk
Vocal
Trip Hop
Ambient
Euro-Techno
Soundtrack
Pranks
Death Metal
Alternative
Industrial
Techno
Reggae
Other
Oldies
New Age
Metal
Hip-Hop
Grunge
Disco
Dance
Country
Classic Rock
Blues
VirtualAllocExNuma
kernel32.dll
ios_base::eofbit set
ios_base::failbit set
ios_base::badbit set
ntdll.dll
indResource_U
sResource
LdrAcces
Delete
NoRemove
ForceRemove
AfxWnd90s
AfxControlBar90s
AfxMDIFrame90s
AfxFrameOrView90s
AfxOleControl90s
AfxOldWndProc423
EnumDisplayDevicesA
GetMonitorInfoA
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
USER32
DISPLAY
InitCommonControls
InitCommonControlsEx
HtmlHelpA
hhctrl.ocx
F#32768
%s (%s:%d)
%s (%s:%d)
Exception thrown in destructor
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
commctrl_DragListMsg
CCmdTarget
COleException
CInvalidArgException
CNotSupportedException
CMemoryException
CSimpleException
CException
CWinApp
Settings
PreviewPages
DeactivateActCtx
ActivateActCtx
ReleaseActCtx
CreateActCtxA
KERNEL32
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
NoDrives
RestrictRun
NoNetConnectDisconnect
NoRecentDocsHistory
NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Network
NoEntireNetwork
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
NoPlacesBar
NoBackButton
NoFileMru
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
CWinThread
Software\Classes\
Software\
CObject
CArchiveException
CreateActCtxW
comctl32.dll
comdlg32.dll
shell32.dll
CMenu
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
CGdiObject
CUserException
CResourceException
CMapPtrToPtr
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
software
NotifyWinEvent
user32.dll
%2\CLSID
%2\Insertable
%2\protocol\StdFileEditing\verb\0
&Edit
%2\protocol\StdFileEditing\server
CLSID\%1
CLSID\%1\ProgID
CLSID\%1\InprocHandler32
ole32.dll
CLSID\%1\LocalServer32
CLSID\%1\Verb\0
&Edit,0,2
CLSID\%1\Verb\1
&Open,0,2
CLSID\%1\Insertable
CLSID\%1\AuxUserType\2
CLSID\%1\AuxUserType\3
CLSID\%1\DefaultIcon
%3,%7
CLSID\%1\MiscStatus
CLSID\%1\InProcServer32
CLSID\%1\DocObject
%2\DocObject
CLSID\%1\Printable
CLSID\%1\DefaultExtension
%9, %8
CByteArray
CObArray
CPtrArray
Unknown exception
CorExitProcess
HeapQueryInformation
bad exception
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(null)
e+000
GAIsProcessorFeaturePresent
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
1#QNAN
1#INF
1#IND
1#SNAN
CONOUT$
string too long
invalid string position
bad cast
OLEACC.dll
CreateStdAccessibleObject
LresultFromObject
SizeofResource
LockResource
LoadResource
FindResourceA
WideCharToMultiByte
lstrlenA
GetCurrentProcess
GetProcAddress
GetModuleHandleExA
ReadFile
SetFilePointer
CloseHandle
WriteFile
CreateFileA
GlobalFree
GlobalUnlock
GlobalLock
GetVersionExA
GetModuleHandleA
lstrcmpW
MultiByteToWideChar
SetLastError
GetLastError
LoadLibraryA
CompareStringA
FreeLibrary
GlobalDeleteAtom
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
GetCurrentThreadId
LocalFree
FormatMessageA
GlobalAlloc
GetModuleFileNameA
GetCurrentProcessId
lstrcmpA
InterlockedExchange
GetLocaleInfoA
EnumResourceLanguagesA
ConvertDefaultLocale
GetCurrentThread
FlushFileBuffers
GetModuleFileNameW
InterlockedDecrement
GlobalFlags
LocalAlloc
LeaveCriticalSection
TlsGetValue
EnterCriticalSection
GlobalReAlloc
GlobalHandle
InitializeCriticalSection
TlsAlloc
TlsSetValue
LocalReAlloc
DeleteCriticalSection
TlsFree
InterlockedIncrement
GetCPInfo
GetOEMCP
GetModuleHandleW
WritePrivateProfileStringA
SetErrorMode
RtlUnwind
GetSystemTimeAsFileTime
RaiseException
HeapAlloc
GetCommandLineA
GetStartupInfoA
HeapFree
VirtualAlloc
HeapReAlloc
Sleep
ExitProcess
HeapSize
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
VirtualFree
HeapCreate
GetStdHandle
GetACP
IsValidCodePage
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
InitializeCriticalSectionAndSpinCount
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
GetConsoleCP
GetConsoleMode
GetLocaleInfoW
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
KERNEL32.dll
EnableWindow
SendMessageA
IsIconic
GetClientRect
LoadIconA
GetSystemMetrics
GetParent
IsWindowEnabled
GetDlgItem
GetWindowLongA
IsWindow
DestroyWindow
GetActiveWindow
GetWindow
GetWindowRect
GetWindowPlacement
SystemParametersInfoA
SetWindowPos
SetWindowLongA
GetMenu
CallWindowProcA
DefWindowProcA
GetDlgCtrlID
PtInRect
CopyRect
AdjustWindowRectEx
GetSysColor
RegisterClassA
GetClassInfoA
GetClassInfoExA
CreateWindowExA
MessageBoxA
GetMenuItemCount
GetMenuItemID
GetSubMenu
PostMessageA
IsWindowVisible
SetForegroundWindow
SetMenu
GetKeyState
MapWindowPoints
PeekMessageA
GetMessagePos
GetMessageTime
UnhookWindowsHookEx
GetTopWindow
DispatchMessageA
GetLastActivePopup
GetForegroundWindow
GetWindowTextA
GetFocus
RemovePropA
GetPropA
SetPropA
GetClassNameA
GetClassLongA
CallNextHookEx
SetWindowsHookExA
GetCapture
WinHelpA
RegisterWindowMessageA
CheckMenuItem
EnableMenuItem
GetMenuState
ModifyMenuA
LoadBitmapA
GetMenuCheckMarkDimensions
SetMenuItemBitmaps
SetWindowTextA
ShowWindow
GetWindowThreadProcessId
PostQuitMessage
ValidateRect
GetCursorPos
TranslateMessage
GetMessageA
SetCursor
DestroyMenu
TabbedTextOutA
DrawTextA
DrawTextExA
GrayStringA
ClientToScreen
GetDC
ReleaseDC
GetSysColorBrush
LoadCursorA
UnregisterClassA
USER32.dll
GetClipBox
SetTextColor
SetBkColor
CreateBitmap
GetDeviceCaps
ExtTextOutA
SaveDC
RestoreDC
SetMapMode
DeleteObject
PtVisible
RectVisible
TextOutA
Escape
SelectObject
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
DeleteDC
GetStockObject
GDI32.dll
ClosePrinter
DocumentPropertiesA
OpenPrinterA
WINSPOOL.DRV
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegQueryValueA
RegCreateKeyExA
RegSetValueExA
ADVAPI32.dll
PathFindExtensionA
PathFindFileNameA
SHLWAPI.dll
OLEAUT32.dll
pTPq_GGZq0)AJCOr$Wpj6OmKKk$8c#fh2ZmTAkI_<bzu&xx_rihHYtl4>N3seu<MYS(WFVS$7_Tz
Apartment
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Microsoft.Windows.MP3Rename" type="win32"></assemblyIdentity><description>Your app description here</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity
    version="1.0.0.0"
    processorArchitecture="X86"
    name="Microsoft.Windows.MP3Rename"
    type="win32"
  />
  <description>Your app description here</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        type="win32"
        name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0"
        processorArchitecture="X86"
        publicKeyToken="6595b64144ccf1df"
        language="*"
      />
    </dependentAssembly>
  </dependency>
</assembly>
YaccParent
accChildCount
accChild
accName
accValue
accDescription
accRole
accState
accHelp
accHelpTopic
accKeyboardShortcut
accFocus
accSelection
accDefaultAction
accSelect
accLocation
accNavigate
accHitTest
accDoDefaultAction
@kernel32.dll
mscoree.dll
KERNEL32.DLL
(null)
MP3 Rename
MS Shell Dlg
Rename!
Directory
Browse...
MP3 List
Options...
Select None
Select All
Options
MS Shell Dlg
Filename Formatting
Prefix
Prefix
Prefix
Suffix
Suffix
Suffix
Prefix
Suffix
Example:
Field Separator
Artist
Album
Track
Title
Help Main
MS Shell Dlg
Programming by centuriJon
-for comments and questions email [email protected]
Programming...
About...
Help...
What's Next...
Programming
MS Shell Dlg
Programming by Jonathan D. (centuriJon)
Compiled with Microsoft
Visual Studio
.NET in C++ with MFC
Thanks to:
Armen Hakobyan for his Folder Dialog code
Roman Nurik for his ID3 tag code
www.codeproject.com for providing access to their code
Finger Eleven for their fine listening music during this endeavor
If you have any problems questions or comments, email me at [email protected]
This program has only been tested on Windows XP Service Pack 1, please let me know if you are having troubles on other Microsoft operating systems (except DOS and Windows 3.1)
About
MS Shell Dlg
The Story:
I woke up one day and didn't like how I've named my mp3's
and I have a lot of them, so I wrote a program to change them for me
on top of that, I only found 1 other mp3 renaming program on the internet
and I didn't like it, so I decided to share
What does it do?:
Fairly simple. First, browse to a directory with mp3s in it
Then set the options for how you want to rename the files
Then click on 'rename'
Finally, sit back and watch your file names change to match the ID3 tag in the mp3!
These steps to not have to be done in order
As a note: I like my program, but it's not a super-genius program. It will take
whatever information is in the ID3 tag and put it in the filename.
The only error-checking it does is to make sure that the filename will be valid.
Nothing bad should happen, but I am not responsible for any damage
to your computer or your mp3's
Why is the icon so ugly? Because I drew it by hand (sorry)
MS Shell Dlg
Fairly simple. First, browse to a directory with mp3s in it
Then set the options for how you want to rename the files
Then click on 'rename'
Finally, sit back and watch your file names change to match the ID3 tag in the mp3!
These steps to not have to be done in order
What's Next
MS Shell Dlg
Features I am currently working on:
-Options memory, so you don't need to set it every time
-Folder memory, for the same reason
-Ability to choose the order the mp3 info fields are put out
ie track, then artist, then title, ...ect
-Idle-time processing (instead of a delay before each rename)
-ID3 v2 tag editing (longer field lengths)
-preview list, so you can see if a file will be renamed poorly
Any suggestions? let me know ([email protected])
MS Shell Dlg
&New
Cancel
&Help
MS Shell Dlg
Save As
All Files (*.*)
Untitled
an unnamed file
&Hide
No error message is available.
Attempted an unsupported operation.
A required resource was unavailable.
Out of memory.
An unknown error has occurred.
Encountered an improper argument.
Incorrect filename.
Failed to open document.
Failed to save document.
Save changes to %1?
Failed to create empty document.
The file is too large to open.
Could not start print job.
Failed to launch help.
Internal application error.
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Enter an integer.
Enter a number.
Enter an integer between %1 and %2.
Enter a number between %1 and %2.
Enter no more than %1 characters.
Select a button.
Enter an integer between 0 and 255.
Enter a positive integer.
Enter a date and/or time.
Enter a currency.
Enter a GUID.
Enter a time.
Enter a date.
Unexpected file format.
%1
Cannot find this file.
Verify that the correct path and file name are given.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
Encountered an unexpected error while reading %1.
Encountered an unexpected error while writing %1.
%1: %2
Continue running script?
Dispatch exception: %1
Unable to read write-only property.
Unable to write read-only property.
Unable to load mail system support.
Mail system DLL is invalid.
Send Mail failed to send message.
No error occurred.
An unknown error occurred while accessing %1.
%1 was not found.
%1 contains an incorrect path.
Could not open %1 because there are too many open files.
Access to %1 was denied.
An incorrect file handle was associated with %1.
Could not remove %1 because it is the current directory.
Could not create %1 because the directory is full.
Seek failed on %1
Encountered a hardware I/O error while accessing %1.
Encountered a sharing violation while accessing %1.
Encountered a locking violation while accessing %1.
Disk full while accessing %1.
Attempted to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
Attempted to write to the reading %1.
Attempted to access %1 past its end.
Attempted to read from the writing %1.
%1 has a bad format.
%1 contained an unexpected object.
%1 contains an incorrect schema.
pixels
Uncheck
Check
Mixed

Full Results

Engine Signature
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Emotet.1041
MicroWorld-eScan Trojan.GenericKD.34802371
CMC Clean
CAT-QuickHeal Clean
ALYac Clean
Cylance Clean
Zillya Clean
SUPERAntiSpyware Clean
Sangfor Clean
K7AntiVirus Clean
Alibaba Trojan:Win32/EmotetCrypt.be825df8
K7GW Clean
Cybereason Clean
Invincea Mal/Generic-S
BitDefenderTheta Gen:[email protected]
Cyren Clean
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Emotet.CI
Zoner Clean
TrendMicro-HouseCall Clean
TotalDefense Clean
Avast Win32:BankerX-gen [Trj]
ClamAV Clean
Kaspersky HEUR:Trojan.Win32.Zenpak.gen
BitDefender Trojan.GenericKD.34802371
NANO-Antivirus Clean
Paloalto generic.ml
AegisLab Clean
Rising [email protected] (RDML:ryuRL5nk+6wrBIEhcLaMLA)
Ad-Aware Trojan.GenericKD.34802371
TACHYON Clean
Sophos Mal/Generic-S
Comodo Clean
F-Secure Clean
Baidu Clean
VIPRE Clean
TrendMicro Clean
McAfee-GW-Edition BehavesLike.Win32.Generic.fh
FireEye Generic.mg.e0384cd4bbf35bcf
Emsisoft Trojan.GenericKD.34802371 (B)
Ikarus Trojan-Banker.Emotet
GData Trojan.GenericKD.34802371
Jiangmin Clean
eGambit Unsafe.AI_Score_96%
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Arcabit Trojan.Generic.D2130AC3
ViRobot Clean
ZoneAlarm HEUR:Trojan.Win32.Zenpak.gen
Microsoft Trojan:Win32/EmotetCrypt.PEF!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Clean
Acronis Clean
McAfee GenericRXAA-AA!E0384CD4BBF3
MAX malware (ai score=87)
VBA32 Clean
Malwarebytes Trojan.Emotet
APEX Malicious
Tencent Clean
Yandex Clean
SentinelOne DFI - Suspicious PE
MaxSecure Clean
Fortinet W32/BankerX.5CC7!tr
Webroot Clean
AVG Win32:BankerX-gen [Trj]
Panda Clean
CrowdStrike Clean
Qihoo-360 Win32/Trojan.716
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 2.45.176.233 [VT] Italy
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.6 49190 2.45.176.233 80

UDP

Source Source Port Destination Destination Port
192.168.1.6 56304 1.1.1.1 53
192.168.1.6 58697 1.1.1.1 53
192.168.1.6 63713 1.1.1.1 53
192.168.1.6 64201 1.1.1.1 53
192.168.1.6 137 192.168.1.255 137
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 57593 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 63241 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe
PID 896
Dump Size 367616 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c
Type PE image: 32-bit executable
PE timestamp 2020-10-16 20:25:24
MD5 a3a67e43dbb384fe6010eadaf3ba427b
SHA1 efb0bef32c1621a33eb22bfe0b2c753ed6a983e6
SHA256 153245d4af729231278e3a43e956ac49dd57d1231fb21cfa6e76ce103c4c4dc9
CRC32 3D1E87C2
Ssdeep 6144:2q7qn/fjMREXGdAEsas1JeaYb+zPXhr1C8J/XO6Mb:2q/RjdAKcJHYKzJ1CAJ
Dump Filename 153245d4af729231278e3a43e956ac49dd57d1231fb21cfa6e76ce103c4c4dc9
Process Name emotet_exe_e1_da05a3c6c959126ebbee038d38853906cbcaeb3bd309e71e9218bb4e1a8d1bc4_2020-10-18__06150.exe
PID 896
Dump Size 92160 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\emotet_exe_e1_da05a3c6c9
Type PE image: 32-bit executable
PE timestamp 2020-10-12 19:48:14
MD5 e1d4dac9f7c8e20b9dc3ed552a6cf854
SHA1 8e8ea60fe7aea2e15ea2b687a6579f827e86bde3
SHA256 2937c7d451e6189e1d1a3377ee7a677aa02fe68e261f5def8c794d412f95d4c8
CRC32 AAD43E00
Ssdeep 1536:oBpPG9AsypIq6Z05zZ9GJH8thBPDWqvbf2q8t:orTpmALGK7RWqvF
CAPE Yara
  • Emotet Payload - Author: kevoreilly
Dump Filename 2937c7d451e6189e1d1a3377ee7a677aa02fe68e261f5def8c794d412f95d4c8
Defense Evasion Discovery
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_entropy
  • T1057 - Process Discovery
    • Signature - enumerates_running_processes

    Processing ( 14.207000000000003 seconds )

    • 6.683 CAPE
    • 5.304 Suricata
    • 1.047 VirusTotal
    • 0.585 Static
    • 0.242 NetworkAnalysis
    • 0.104 AnalysisInfo
    • 0.091 BehaviorAnalysis
    • 0.048 ProcDump
    • 0.046 Deduplicate
    • 0.034 TargetInfo
    • 0.009 peid
    • 0.009 Strings
    • 0.005 Debug

    Signatures ( 0.09900000000000002 seconds )

    • 0.011 antiav_detectreg
    • 0.011 ransomware_files
    • 0.008 ransomware_extensions
    • 0.006 antiav_detectfile
    • 0.006 infostealer_ftp
    • 0.005 territorial_disputes_sigs
    • 0.004 antianalysis_detectfile
    • 0.004 infostealer_bitcoin
    • 0.003 persistence_autorun
    • 0.003 infostealer_im
    • 0.003 infostealer_mail
    • 0.003 masquerade_process_name
    • 0.002 api_spamming
    • 0.002 decoy_document
    • 0.002 stealth_timeout
    • 0.002 antianalysis_detectreg
    • 0.002 antivm_vbox_files
    • 0.002 geodo_banking_trojan
    • 0.001 Doppelganging
    • 0.001 InjectionCreateRemoteThread
    • 0.001 antiemu_wine_func
    • 0.001 betabot_behavior
    • 0.001 guloader_apis
    • 0.001 infostealer_browser_password
    • 0.001 kibex_behavior
    • 0.001 kovter_behavior
    • 0.001 NewtWire Behavior
    • 0.001 tinba_behavior
    • 0.001 antidbg_devices
    • 0.001 antivm_vbox_keys
    • 0.001 bot_drive
    • 0.001 browser_security
    • 0.001 disables_backups
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 qulab_files
    • 0.001 revil_mutexes
    • 0.001 ursnif_behavior

    Reporting ( 7.662999999999999 seconds )

    • 7.399 BinGraph
    • 0.262 MITRE_TTPS
    • 0.002 PCAP2CERT