Detections

Yara:

Emotet

Analysis

Category FILE
Package exe
Started 2020-10-18 07:31:17
Completed 2020-10-18 07:35:29
Duration 252 seconds
2020-05-13 09:25:36,665 [root] INFO: Date set to: 20201018T07:31:16, timeout set to: 200
2020-10-18 07:31:16,046 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-10-18 07:31:16,046 [root] DEBUG: Storing results at: C:\VGNxFLaJA
2020-10-18 07:31:16,046 [root] DEBUG: Pipe server name: \\.\PIPE\HZgBnG
2020-10-18 07:31:16,046 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-10-18 07:31:16,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-10-18 07:31:16,046 [root] INFO: Automatically selected analysis package "exe"
2020-10-18 07:31:16,046 [root] DEBUG: Importing analysis package "exe"...
2020-10-18 07:31:16,093 [root] DEBUG: Initializing analysis package "exe"...
2020-10-18 07:31:16,156 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2020-10-18 07:31:16,171 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2020-10-18 07:31:16,171 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2020-10-18 07:31:16,203 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2020-10-18 07:31:16,281 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2020-10-18 07:31:16,296 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2020-10-18 07:31:16,312 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2020-10-18 07:31:16,328 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-10-18 07:31:16,328 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-10-18 07:31:16,328 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-10-18 07:31:16,328 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-10-18 07:31:16,328 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-10-18 07:31:16,328 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-10-18 07:31:16,328 [lib.api.screenshot] DEBUG: Importing 'math'
2020-10-18 07:31:16,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-10-18 07:31:16,843 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-10-18 07:31:16,859 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-10-18 07:31:16,875 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-10-18 07:31:16,875 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2020-10-18 07:31:16,875 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2020-10-18 07:31:16,890 [root] DEBUG: Initializing auxiliary module "Browser"...
2020-10-18 07:31:16,890 [root] DEBUG: Started auxiliary module Browser
2020-10-18 07:31:16,890 [root] DEBUG: Initializing auxiliary module "Curtain"...
2020-10-18 07:31:16,890 [root] DEBUG: Started auxiliary module Curtain
2020-10-18 07:31:16,890 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2020-10-18 07:31:16,890 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-10-18 07:31:17,359 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-10-18 07:31:17,359 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-10-18 07:31:17,375 [root] DEBUG: Started auxiliary module DigiSig
2020-10-18 07:31:17,375 [root] DEBUG: Initializing auxiliary module "Disguise"...
2020-10-18 07:31:17,390 [modules.auxiliary.disguise] INFO: Disguising GUID to 1b347e93-6572-4ee5-aa9a-0ac9095f0830
2020-10-18 07:31:17,390 [root] DEBUG: Started auxiliary module Disguise
2020-10-18 07:31:17,390 [root] DEBUG: Initializing auxiliary module "Human"...
2020-10-18 07:31:17,406 [root] DEBUG: Started auxiliary module Human
2020-10-18 07:31:17,406 [root] DEBUG: Initializing auxiliary module "Procmon"...
2020-10-18 07:31:17,406 [root] DEBUG: Started auxiliary module Procmon
2020-10-18 07:31:17,406 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2020-10-18 07:31:17,406 [root] DEBUG: Started auxiliary module Screenshots
2020-10-18 07:31:17,406 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2020-10-18 07:31:17,421 [root] DEBUG: Started auxiliary module Sysmon
2020-10-18 07:31:17,421 [root] DEBUG: Initializing auxiliary module "Usage"...
2020-10-18 07:31:17,421 [root] DEBUG: Started auxiliary module Usage
2020-10-18 07:31:17,421 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-10-18 07:31:17,421 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-10-18 07:31:17,421 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-10-18 07:31:17,421 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-10-18 07:31:17,453 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe" with arguments "" with pid 4120
2020-10-18 07:31:17,468 [lib.api.process] INFO: Monitor config for process 4120: C:\tmp2ssujfce\dll\4120.ini
2020-10-18 07:31:17,468 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\mjGeJyhd.dll, loader C:\tmp2ssujfce\bin\OMuZalq.exe
2020-10-18 07:31:17,515 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HZgBnG.
2020-10-18 07:31:17,515 [root] DEBUG: Loader: Injecting process 4120 (thread 1180) with C:\tmp2ssujfce\dll\mjGeJyhd.dll.
2020-10-18 07:31:17,515 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\mjGeJyhd.dll.
2020-10-18 07:31:17,531 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 07:31:17,531 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\mjGeJyhd.dll.
2020-10-18 07:31:19,546 [lib.api.process] INFO: Successfully resumed process with pid 4120
2020-10-18 07:31:19,609 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 07:31:19,609 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 07:31:19,609 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 07:31:19,609 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4120 at 0x6fa40000, image base 0x400000, stack from 0x186000-0x190000
2020-10-18 07:31:19,609 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe"
2020-10-18 07:31:19,656 [root] INFO: Loaded monitor into process with pid 4120
2020-10-18 07:31:19,828 [root] DEBUG: api-rate-cap: GetSystemTimeAsFileTime hook disabled.
2020-10-18 07:31:19,859 [root] DEBUG: set_caller_info: Adding region at 0x00570000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 07:31:19,859 [root] DEBUG: DumpPEsInRange: Scanning range 0x570000 - 0x58a000.
2020-10-18 07:31:19,875 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x57052e
2020-10-18 07:31:19,875 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 07:31:19,875 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0057052E.
2020-10-18 07:31:19,953 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x19000.
2020-10-18 07:31:19,953 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x57279e
2020-10-18 07:31:19,968 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 07:31:19,968 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0057279E.
2020-10-18 07:31:20,062 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x16a00.
2020-10-18 07:31:20,171 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x19000.
2020-10-18 07:31:20,171 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x594070
2020-10-18 07:31:20,171 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 07:31:20,171 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00594070.
2020-10-18 07:31:20,187 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x16a00.
2020-10-18 07:31:20,187 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x595070-0x5ac000.
2020-10-18 07:31:20,187 [root] DEBUG: DumpRegion: Dumped PE image(s) from base address 0x00590000, size 0x1c000.
2020-10-18 07:31:20,187 [root] DEBUG: set_caller_info: Adding region at 0x005B0000 to caller regions list (ntdll::LdrGetDllHandle).
2020-10-18 07:31:20,187 [root] DEBUG: DumpPEsInRange: Scanning range 0x5b0000 - 0x5cb000.
2020-10-18 07:31:20,187 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x5b0000
2020-10-18 07:31:20,187 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 07:31:20,203 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x005B0000.
2020-10-18 07:31:20,203 [root] DEBUG: DumpProcess: Module entry point VA is 0x00005C50.
2020-10-18 07:31:20,234 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x16a00.
2020-10-18 07:31:20,234 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x5befc1
2020-10-18 07:31:20,234 [root] DEBUG: DumpRegion: Dumped PE image(s) from base address 0x005B0000, size 0x1b000.
2020-10-18 07:31:20,234 [root] DEBUG: DLL loaded at 0x76A70000: C:\Windows\syswow64\crypt32 (0x122000 bytes).
2020-10-18 07:31:20,234 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-10-18 07:31:20,249 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-10-18 07:31:20,249 [root] DEBUG: DLL loaded at 0x75B90000: C:\Windows\syswow64\urlmon (0x124000 bytes).
2020-10-18 07:31:20,249 [root] DEBUG: DLL loaded at 0x76EB0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-10-18 07:31:20,249 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-10-18 07:31:20,265 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-10-18 07:31:20,265 [root] DEBUG: DLL loaded at 0x76E40000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-10-18 07:31:20,265 [root] DEBUG: DLL loaded at 0x76EE0000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-10-18 07:31:20,265 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\version (0x9000 bytes).
2020-10-18 07:31:20,265 [root] DEBUG: DLL loaded at 0x767F0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-10-18 07:31:20,265 [root] DEBUG: DLL loaded at 0x766F0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-10-18 07:31:20,265 [root] DEBUG: DLL loaded at 0x76BA0000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-10-18 07:31:20,281 [root] DEBUG: DLL loaded at 0x75CC0000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-10-18 07:31:20,281 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\system32\userenv (0x17000 bytes).
2020-10-18 07:31:20,296 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-10-18 07:31:20,296 [root] DEBUG: DLL loaded at 0x743F0000: C:\Windows\system32\wtsapi32 (0xd000 bytes).
2020-10-18 07:31:20,296 [root] INFO: Disabling sleep skipping.
2020-10-18 07:31:20,312 [root] DEBUG: set_caller_info: Adding region at 0x00A40000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 07:31:21,015 [root] DEBUG: DumpPEsInRange: Scanning range 0xa40000 - 0x1e40000.
2020-10-18 07:31:21,031 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0xad8fc1
2020-10-18 07:31:21,031 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x1e40000
2020-10-18 07:31:21,031 [root] DEBUG: DumpMemory: Nothing to dump at 0x00A40000!
2020-10-18 07:31:21,031 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00A40000 size 0x1400000.
2020-10-18 07:31:21,031 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x1e40000
2020-10-18 07:31:21,046 [root] DEBUG: DumpMemory: Nothing to dump at 0x01A75000!
2020-10-18 07:31:21,046 [root] DEBUG: DumpRegion: Failed to dump region at 0x01A75000 size 0x3cb000.
2020-10-18 07:31:21,062 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x15c and local view 0x03AD0000 to global list.
2020-10-18 07:31:21,249 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 07:31:21,265 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-10-18 07:31:36,093 [root] DEBUG: DLL loaded at 0x73230000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-10-18 07:31:36,093 [root] DEBUG: DLL loaded at 0x72DF0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-10-18 07:31:36,125 [root] DEBUG: DLL loaded at 0x763F0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-10-18 07:31:36,140 [root] DEBUG: DLL loaded at 0x760B0000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-10-18 07:31:36,140 [root] DEBUG: DLL loaded at 0x6EA70000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-10-18 07:31:36,140 [root] DEBUG: DLL loaded at 0x6EA20000: C:\Windows\system32\webio (0x50000 bytes).
2020-10-18 07:31:36,156 [root] DEBUG: DLL unloaded from 0x6EA70000.
2020-10-18 07:31:36,156 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-10-18 07:31:36,171 [root] DEBUG: DLL loaded at 0x72DE0000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-10-18 07:31:36,171 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-10-18 07:31:36,171 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-10-18 07:31:36,187 [root] DEBUG: DLL loaded at 0x702A0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-10-18 07:31:36,187 [root] DEBUG: DLL loaded at 0x70250000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-10-18 07:31:36,203 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-10-18 07:31:36,203 [root] DEBUG: DLL loaded at 0x702D0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-10-18 07:31:36,203 [root] DEBUG: DLL loaded at 0x70310000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-10-18 07:31:36,203 [root] DEBUG: DLL loaded at 0x72E10000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-10-18 07:31:36,218 [root] DEBUG: DLL loaded at 0x702B0000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-10-18 07:31:36,218 [root] DEBUG: DLL loaded at 0x746C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-10-18 07:31:36,218 [root] DEBUG: DLL loaded at 0x70230000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-10-18 07:31:36,234 [root] DEBUG: DLL loaded at 0x73240000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-10-18 07:31:36,234 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-10-18 07:31:36,249 [root] DEBUG: DLL loaded at 0x72E00000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-10-18 07:31:36,249 [root] DEBUG: DLL loaded at 0x73A10000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\Comctl32 (0x19e000 bytes).
2020-10-18 07:31:36,265 [root] DEBUG: DLL unloaded from 0x746C0000.
2020-10-18 07:31:36,265 [root] DEBUG: DLL unloaded from 0x72DE0000.
2020-10-18 07:31:46,187 [root] DEBUG: DLL unloaded from 0x75CC0000.
2020-10-18 07:31:46,187 [root] DEBUG: DLL unloaded from 0x76430000.
2020-10-18 07:31:46,187 [root] DEBUG: DLL unloaded from 0x72E00000.
2020-10-18 07:31:46,187 [root] DEBUG: DLL unloaded from 0x70310000.
2020-10-18 07:31:56,234 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-10-18 07:32:06,046 [root] DEBUG: DLL loaded at 0x70310000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-10-18 07:32:06,046 [root] DEBUG: DLL loaded at 0x72E10000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-10-18 07:32:06,062 [root] DEBUG: DLL loaded at 0x72E00000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-10-18 07:32:16,046 [root] DEBUG: DLL unloaded from 0x75CC0000.
2020-10-18 07:32:16,046 [root] DEBUG: DLL unloaded from 0x76430000.
2020-10-18 07:32:16,046 [root] DEBUG: DLL unloaded from 0x70310000.
2020-10-18 07:32:26,062 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-10-18 07:32:42,203 [root] DEBUG: DLL loaded at 0x730C0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-10-18 07:32:42,203 [root] DEBUG: DLL loaded at 0x73D80000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-10-18 07:32:42,218 [root] DEBUG: DLL loaded at 0x739E0000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-10-18 07:32:42,390 [root] DEBUG: set_caller_info: Adding region at 0x002C0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 07:32:42,390 [root] DEBUG: DumpPEsInRange: Scanning range 0x2c0000 - 0x300000.
2020-10-18 07:32:42,390 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x2c0000
2020-10-18 07:32:42,390 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x2c0000
2020-10-18 07:32:42,390 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x002C0000 size 0x40000.
2020-10-18 07:32:42,390 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x2f9000
2020-10-18 07:32:42,390 [root] DEBUG: DumpMemory: Nothing to dump at 0x002D0000!
2020-10-18 07:32:42,390 [root] DEBUG: DumpRegion: Failed to dump region at 0x002D0000 size 0x29000.
2020-10-18 07:32:52,203 [root] DEBUG: DLL unloaded from 0x75CC0000.
2020-10-18 07:32:52,203 [root] DEBUG: DLL unloaded from 0x76430000.
2020-10-18 07:32:52,203 [root] DEBUG: DLL unloaded from 0x730C0000.
2020-10-18 07:33:02,218 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-10-18 07:33:05,687 [root] DEBUG: DLL loaded at 0x72E60000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-10-18 07:33:05,687 [root] DEBUG: DLL loaded at 0x739E0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-10-18 07:33:05,703 [root] DEBUG: DLL loaded at 0x735A0000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-10-18 07:33:15,687 [root] DEBUG: DLL unloaded from 0x75CC0000.
2020-10-18 07:33:15,687 [root] DEBUG: DLL unloaded from 0x76430000.
2020-10-18 07:33:15,687 [root] DEBUG: DLL unloaded from 0x72E60000.
2020-10-18 07:33:25,703 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-10-18 07:33:35,234 [root] DEBUG: DLL loaded at 0x72E00000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-10-18 07:33:35,234 [root] DEBUG: DLL loaded at 0x739E0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-10-18 07:33:35,249 [root] DEBUG: DLL loaded at 0x72EB0000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-10-18 07:33:37,546 [root] DEBUG: set_caller_info: Adding region at 0x72E00000 to caller regions list (ntdll::memcpy).
2020-10-18 07:33:45,234 [root] DEBUG: DLL unloaded from 0x75CC0000.
2020-10-18 07:33:45,234 [root] DEBUG: DLL unloaded from 0x76430000.
2020-10-18 07:33:45,234 [root] DEBUG: DLL unloaded from 0x72E00000.
2020-10-18 07:33:55,249 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-10-18 07:34:03,328 [root] DEBUG: DLL loaded at 0x72E60000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-10-18 07:34:03,328 [root] DEBUG: DLL loaded at 0x739E0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-10-18 07:34:03,343 [root] DEBUG: DLL loaded at 0x735A0000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-10-18 07:34:13,328 [root] DEBUG: DLL unloaded from 0x75CC0000.
2020-10-18 07:34:13,328 [root] DEBUG: DLL unloaded from 0x76430000.
2020-10-18 07:34:13,328 [root] DEBUG: DLL unloaded from 0x735A0000.
2020-10-18 07:34:13,328 [root] DEBUG: DLL unloaded from 0x72E60000.
2020-10-18 07:34:23,343 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-10-18 07:34:39,578 [root] INFO: Analysis timeout hit, terminating analysis.
2020-10-18 07:34:39,578 [lib.api.process] INFO: Terminate event set for process 4120
2020-10-18 07:34:39,578 [root] DEBUG: Terminate Event: Attempting to dump process 4120
2020-10-18 07:34:39,578 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-10-18 07:34:39,578 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 07:34:39,578 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-10-18 07:34:39,578 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000ECF9.
2020-10-18 07:34:39,828 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x59200.
2020-10-18 07:34:39,828 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x005B0000.
2020-10-18 07:34:39,828 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 07:34:39,828 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x005B0000.
2020-10-18 07:34:39,828 [root] DEBUG: DumpProcess: Module entry point VA is 0x00005C50.
2020-10-18 07:34:39,859 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x16e00.
2020-10-18 07:34:39,859 [lib.api.process] INFO: Termination confirmed for process 4120
2020-10-18 07:34:39,859 [root] INFO: Terminate event set for process 4120.
2020-10-18 07:34:39,859 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 4120
2020-10-18 07:34:39,859 [root] INFO: Created shutdown mutex.
2020-10-18 07:34:40,671 [root] DEBUG: DLL loaded at 0x72E00000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-10-18 07:34:40,671 [root] DEBUG: DLL loaded at 0x739E0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-10-18 07:34:40,687 [root] DEBUG: DLL loaded at 0x72EB0000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-10-18 07:34:40,859 [root] INFO: Shutting down package.
2020-10-18 07:34:40,859 [root] INFO: Stopping auxiliary modules.
2020-10-18 07:34:41,046 [lib.common.results] WARNING: File C:\VGNxFLaJA\bin\procmon.xml doesn't exist anymore
2020-10-18 07:34:41,046 [root] INFO: Finishing auxiliary modules.
2020-10-18 07:34:41,046 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-10-18 07:34:41,046 [root] WARNING: Folder at path "C:\VGNxFLaJA\debugger" does not exist, skip.
2020-10-18 07:34:41,046 [root] INFO: Analysis completed.

Machine

Name win7x64_1
Label win7x64_5
Manager KVM
Started On 2020-10-18 07:31:17
Shutdown On 2020-10-18 07:35:29

File Details

File Name f80aef3bfcea3c887a94.exe
File Size 369664 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2020-10-16 20:45:05
MD5 6f6ae03f22b52404ef412247bdc2e4a6
SHA1 d459dc48bc7dfc2b6d57f956821b4b9ea4443706
SHA256 f80aef3bfcea3c887a94b3dfeb9ca14a1984fa589c12033971c0109ee396fb21
SHA512 e2cf7a2d98e5b65d4cb1e71bda5fb461cced0356cfd0e11f1566e5fe92d1f8e75c9a929ff667a65a503e9e7c0879815357ec9e79a63e2b07ca2f2fc7a858437f
CRC32 60091C50
Ssdeep 6144:QWXIwVZNNuh5pVI7Lf36g3uLcxjmkoAvLg+4wnS9+RR1eis3f1k:PNE5pVI7z36g3uIxjmhAvxnY+71Xge

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Communicates with IPs located across a large number of unique countries
country: Hungary
country: Latvia
country: United States
country: Pakistan
country: France
country: Sweden
country: Indonesia
country: Korea, Republic of
country: Argentina
country: Chile
country: Germany
country: Singapore
country: El Salvador
country: India
country: Vietnam
country: Philippines
country: Australia
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4120 triggered the Yara rule 'Emotet'
Creates RWX memory
Mimics the system's user agent string for its own requests
A process attempted to delay the analysis task.
Process: f80aef3bfcea3c887a94.exe tried to sleep 420.0 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ntdll.dll/qsort
DynamicLoader: ntdll.dll/bsearch
DynamicLoader: ntdll.dll/wcslen
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/IsBadReadPtr
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: IPHLPAPI.DLL/GetBestInterfaceEx
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/StringFromIID
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/ObjectStublessClient10
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegEnumKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
Performs HTTP requests potentially not found in PCAP.
url: 221.147.142.214:80/FywCIYoLysUHvE/7LcOHf1EfF/BX6YDDN7LH2/
url: 188.40.170.197:80/sjHgxbjg/FCpeKUM7xgXCATcELjR/veERJ41fHEo/sbFYU52jAMtl6nhL/jn2dQEoq9HLefB/
url: 51.38.50.144:8080/i4P6y3RcwhOfAjsmr/cb5k9RttoPBx/updVTjrTpF/QCH5cAf08/
url: 46.22.116.163:7080/P2wTpdZ9fW/PJAW2MO0ddMFxd/BGLKt6I6tVAv/
url: 190.151.5.131:443/IFv4Z/8HG10UuK/FGxH9xmBgXS/08MdUHqQCa/Wi7WUyB5w3Q9/sgnA1c/
url: 58.27.215.3:8080/tWit6dwhO4JyJWy08/CtrNtzi1UK/L3houhs97evjU2Oy6/hdpyM5W/XIqh6MlqpMzM5/qVtp/
url: 179.5.118.12:80/SuV9iTn55hmObl/ed6eo9tT6ZydWt9DB0O/cszFAJ6UXdvB/
url: 73.100.19.104:80/xRXJiCdgTXolV/qElIeWOdyzsl4gd/
url: 192.210.217.94:8080/8X2duDsXifwdzud/WhdL7Kt49/
url: 192.163.221.191:8080/NsjZ7yZAAz1T/XdKeJaPQzd4/0eiDPuOLzrFQiTA/
url: 103.93.220.182:80/uPn3mLYDEzFPFra/B8XdTz3u/LPRFRfLDhP/3Ks6dmsqJSuLLdrUP/sPH3wEE4mP0/Bk2e0kldWWQ8J6m/
url: 91.213.106.100:8080/blQttNq27/DsrRF8fLJDSzf4s3p/P7mmU1Qb66/LN3dZ0UOt1sLVkQ/
url: 190.192.39.136:80/42xPZdndJd/RUDKwNmMd/qWJUD/
url: 115.79.59.157:80/RINIUDNGzh/0zdmLKRDDd05DO1h9dQ/ZADsJAXAdcJ2bNx/PrKmK49sATz/GDAfIPUzz0/
url: 190.164.135.81:80/5adLAUuV4wk5mTRPm/tRSTJbdPOdV1i/
url: 91.83.93.103:443/1Su0gAg/OlKrPrVKrwB5/KOXlKn7cFc1H1aN2C0/3eG0VX3wlJXd7/1IuB/a9aD8cJw3QJs/
url: 188.166.220.180:7080/WaGTcDWQx/s2FK27n/
url: 116.202.10.123:8080/GurzHssmHNq/dTYK52HQJhhqt7CTjBK/
Enumerates running processes
process: System with pid 4
process: smss.exe with pid 248
process: csrss.exe with pid 328
process: csrss.exe with pid 376
process: wininit.exe with pid 384
process: winlogon.exe with pid 412
process: services.exe with pid 476
process: lsass.exe with pid 484
process: lsm.exe with pid 492
process: svchost.exe with pid 592
process: svchost.exe with pid 668
process: svchost.exe with pid 764
process: svchost.exe with pid 796
process: svchost.exe with pid 820
process: svchost.exe with pid 844
process: svchost.exe with pid 308
process: spoolsv.exe with pid 1036
process: taskeng.exe with pid 1044
process: svchost.exe with pid 1108
process: OfficeClickToRun.exe with pid 1248
process: taskhost.exe with pid 1344
process: GoogleUpdate.exe with pid 1352
process: dwm.exe with pid 1420
process: explorer.exe with pid 1428
process: svchost.exe with pid 1616
process: svchost.exe with pid 2040
process: whatapp.exe with pid 1380
process: SearchIndexer.exe with pid 2220
process: mscorsvw.exe with pid 2284
process: mscorsvw.exe with pid 2640
process: taskeng.exe with pid 2516
process: OneDriveStandaloneUpdater.exe with pid 2908
process: splwow64.exe with pid 3652
process: OSPPSVC.EXE with pid 3768
process: SDXHelper.exe with pid 4512
process: taskhost.exe with pid 4008
process: f80aef3bfcea3c887a94.exe with pid 4120
process: GoogleUpdate.exe with pid 3776
process: GoogleUpdate.exe with pid 3664
Expresses interest in specific running processes
process: f80aef3bfcea3c887a94.exe
Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
CAPE extracted potentially suspicious content
f80aef3bfcea3c887a94.exe: Emotet Payload: 32-bit DLL
f80aef3bfcea3c887a94.exe: Emotet
f80aef3bfcea3c887a94.exe: Emotet Payload: 32-bit executable
f80aef3bfcea3c887a94.exe: Emotet
f80aef3bfcea3c887a94.exe: Emotet Payload: 32-bit executable
f80aef3bfcea3c887a94.exe: Emotet
Multiple direct IP connections
direct_ip_connections: Made direct connections to 21 unique IP addresses
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.58, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00021800, virtual_size: 0x0002170c
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: f80aef3bfcea3c887a94.exe (4120) called API GetSystemTimeAsFileTime 14639 times
CAPE detected the Emotet malware family
File has been identified by 24 Antiviruses on VirusTotal as malicious
Bkav: W32.AIDetectVM.malware1
MicroWorld-eScan: Trojan.Ranapama.AMW
FireEye: Trojan.Ranapama.AMW
Cylance: Unsafe
APEX: Malicious
Kaspersky: HEUR:Trojan-Banker.Win32.Emotet.gen
BitDefender: Trojan.Ranapama.AMW
Ad-Aware: Trojan.Ranapama.AMW
Emsisoft: Trojan.Ranapama.AMW (B)
F-Secure: Trojan.TR/AD.Emotet.pdjej
DrWeb: Trojan.Emotet.1042
SentinelOne: DFI - Suspicious PE
GData: Trojan.Ranapama.AMW
Avira: TR/AD.Emotet.pdjej
MAX: malware (ai score=89)
Arcabit: Trojan.Ranapama.AMW
ZoneAlarm: HEUR:Trojan-Banker.Win32.Emotet.gen
Microsoft: Trojan:Win32/EmotetCrypt.ARJ!MTB
Cynet: Malicious (score: 85)
McAfee: GenericRXAA-AA!6F6AE03F22B5
Malwarebytes: Trojan.Emotet
ESET-NOD32: Win32/Emotet.CI
Fortinet: W32/BankerX.5CC7!tr
Qihoo-360: HEUR/QVM10.1.A943.Malware.Gen
Attempts to modify proxy settings
CAPE has extracted a malware configuration
extracted_config: Emotet
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header
Created network traffic indicative of malicious activity
signature: ET CNC Feodo Tracker Reported CnC Server group 10
signature: ET CNC Feodo Tracker Reported CnC Server group 17
signature: ET CNC Feodo Tracker Reported CnC Server group 12
signature: ET CNC Feodo Tracker Reported CnC Server group 1
signature: ET CNC Feodo Tracker Reported CnC Server group 2
signature: ET CNC Feodo Tracker Reported CnC Server group 11

Screenshots


Hosts

Direct IP Country Name
Y 91.83.93.103 Hungary
Y 91.213.106.100 Latvia
Y 8.8.8.8 United States
Y 73.100.19.104 United States
Y 58.27.215.3 Pakistan
Y 51.38.50.144 France
Y 46.22.116.163 Sweden
Y 36.91.44.183 Indonesia
Y 221.147.142.214 Korea, Republic of
Y 192.210.217.94 United States
Y 192.163.221.191 United States
Y 190.192.39.136 Argentina
Y 190.164.135.81 Chile
Y 190.151.5.131 Chile
Y 188.40.170.197 Germany
Y 188.166.220.180 Singapore
Y 179.5.118.12 El Salvador
Y 116.202.10.123 India
Y 115.79.59.157 Vietnam
Y 103.93.220.182 Philippines
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe.2.Manifest
C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe.3.Manifest
C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe.Config
C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe
C:\Windows\System32\*
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
\??\Nsi
C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe.2.Manifest
C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe.3.Manifest
C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe.Config
C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.CreateActCtxW
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
user32.dll.NotifyWinEvent
kernel32.dll.VirtualAllocExNuma
ntdll.dll.LdrFindResource_U
ntdll.dll.LdrAccessResource
ntdll.dll.qsort
ntdll.dll.bsearch
ntdll.dll.wcslen
kernel32.dll.VirtualFree
kernel32.dll.Process32Next
kernel32.dll.Process32First
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.CloseHandle
kernel32.dll.SetLastError
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.ExitProcess
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.VirtualQuery
kernel32.dll.FreeLibrary
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryA
kernel32.dll.LoadLibraryW
kernel32.dll.IsBadReadPtr
kernel32.dll.GetNativeSystemInfo
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
iphlpapi.dll.NotifyUnicastIpAddressChange
iphlpapi.dll.GetBestInterfaceEx
iphlpapi.dll.GetIfEntry2
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
ws2_32.dll.GetAddrInfoW
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.DllGetClassObject
oleaut32.dll.DllCanUnloadNow
advapi32.dll.RegOpenKeyW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromIID
api-ms-win-downlevel-ole32-l1-1-0.dll.CoUninitialize
oleaut32.dll.#500
api-ms-win-downlevel-ole32-l1-1-0.dll.CoSetProxyBlanket
ole32.dll.ObjectStublessClient10
oleaut32.dll.#2
ole32.dll.CoTaskMemFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
oleaut32.dll.#6

BinGraph

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash
0x00400000 0x0040ecf9 0x00067db0 0x000618dc 5.0 2020-10-16 20:45:05 802db2b693e23b594e5f02f63ef92ced 3a807dc65fb160f5c875569f387561d7 40881eb50f4641dd9e840ec8234dfaa3

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00025227 0x00025400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.59
.rdata 0x00025800 0x00027000 0x0000930a 0x00009400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.92
.data 0x0002ec00 0x00031000 0x000062f8 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.93
.rsrc 0x00031200 0x00038000 0x0002170c 0x00021800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.58
.reloc 0x00052a00 0x0005a000 0x00007976 0x00007a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 2.93

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_CURSOR 0x00039fac 0x00000134 LANG_GERMAN SUBLANG_GERMAN 2.23 None
RT_BITMAP 0x0003a198 0x00000144 LANG_GERMAN SUBLANG_GERMAN 2.88 None
RT_BITMAP 0x0003a198 0x00000144 LANG_GERMAN SUBLANG_GERMAN 2.88 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_ICON 0x0003d2ec 0x000008a8 LANG_GERMAN SUBLANG_GERMAN 5.83 None
RT_DIALOG 0x0003e260 0x00000034 LANG_GERMAN SUBLANG_GERMAN 2.42 None
RT_DIALOG 0x0003e260 0x00000034 LANG_GERMAN SUBLANG_GERMAN 2.42 None
RT_DIALOG 0x0003e260 0x00000034 LANG_GERMAN SUBLANG_GERMAN 2.42 None
RT_DIALOG 0x0003e260 0x00000034 LANG_GERMAN SUBLANG_GERMAN 2.42 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_STRING 0x0003f9d4 0x00000042 LANG_GERMAN SUBLANG_GERMAN 1.96 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_CURSOR 0x0003fb40 0x00000014 LANG_GERMAN SUBLANG_GERMAN 2.02 None
RT_GROUP_ICON 0x0003fbf0 0x00000022 LANG_GERMAN SUBLANG_GERMAN 2.55 None
RT_GROUP_ICON 0x0003fbf0 0x00000022 LANG_GERMAN SUBLANG_GERMAN 2.55 None
RT_GROUP_ICON 0x0003fbf0 0x00000022 LANG_GERMAN SUBLANG_GERMAN 2.55 None
RT_GROUP_ICON 0x0003fbf0 0x00000022 LANG_GERMAN SUBLANG_GERMAN 2.55 None
RT_GROUP_ICON 0x0003fbf0 0x00000022 LANG_GERMAN SUBLANG_GERMAN 2.55 None
RT_VERSION 0x0003fc14 0x00000354 LANG_GERMAN SUBLANG_GERMAN 3.38 None
RT_MANIFEST 0x0003ff68 0x0000026e LANG_ENGLISH SUBLANG_ENGLISH_US 5.02 None
None 0x000401d8 0x00019533 LANG_GERMAN SUBLANG_GERMAN 7.99 None

Imports

0x427088 GetStartupInfoW
0x42708c HeapAlloc
0x427094 HeapFree
0x427098 RtlUnwind
0x42709c RaiseException
0x4270a0 HeapReAlloc
0x4270a4 Sleep
0x4270a8 ExitProcess
0x4270ac HeapSize
0x4270b4 GetStdHandle
0x4270b8 GetModuleFileNameA
0x4270c4 GetCommandLineW
0x4270c8 SetHandleCount
0x4270cc GetFileType
0x4270d0 GetStartupInfoA
0x4270d4 HeapCreate
0x4270d8 VirtualFree
0x4270e0 GetTickCount
0x4270e4 TerminateProcess
0x4270e8 IsDebuggerPresent
0x4270ec VirtualAlloc
0x4270f4 GetCPInfo
0x4270f8 GetACP
0x4270fc GetOEMCP
0x427100 IsValidCodePage
0x427104 GetConsoleCP
0x427108 GetConsoleMode
0x42710c GetLocaleInfoA
0x427110 GetUserDefaultLCID
0x427114 EnumSystemLocalesA
0x427118 IsValidLocale
0x42711c GetStringTypeA
0x427120 GetStringTypeW
0x427124 LCMapStringA
0x427128 LCMapStringW
0x42712c SetStdHandle
0x427130 WriteConsoleA
0x427134 GetConsoleOutputCP
0x427138 WriteConsoleW
0x42713c CreateFileA
0x427140 SetErrorMode
0x427144 FlushFileBuffers
0x427148 SetFilePointer
0x42714c WriteFile
0x427150 ReadFile
0x427158 GlobalFlags
0x42715c TlsFree
0x427164 LocalReAlloc
0x427168 TlsSetValue
0x42716c TlsAlloc
0x427174 GlobalHandle
0x427178 GlobalReAlloc
0x427180 TlsGetValue
0x427188 LocalAlloc
0x427190 CloseHandle
0x427198 GetCurrentThread
0x4271a4 GetLocaleInfoW
0x4271a8 InterlockedExchange
0x4271ac lstrlenA
0x4271b0 lstrcmpA
0x4271b4 GetCurrentProcessId
0x4271b8 GetModuleFileNameW
0x4271bc GetModuleHandleA
0x4271c0 GlobalFree
0x4271c4 GlobalAlloc
0x4271c8 GlobalLock
0x4271cc GlobalUnlock
0x4271d0 WideCharToMultiByte
0x4271d4 lstrlenW
0x4271d8 GetCurrentThreadId
0x4271dc GlobalAddAtomW
0x4271e0 GlobalFindAtomW
0x4271e4 GlobalDeleteAtom
0x4271e8 LoadLibraryA
0x4271ec GetLastError
0x4271f0 SetLastError
0x4271f4 lstrcmpW
0x4271f8 MultiByteToWideChar
0x4271fc GetModuleHandleW
0x427200 GetVersionExA
0x427204 FindResourceW
0x427208 LoadResource
0x42720c LockResource
0x427210 SizeofResource
0x427214 GetCurrentProcess
0x427218 GetProcAddress
0x42721c GetModuleHandleExA
0x427220 LocalFree
0x427224 FormatMessageW
0x427228 FreeLibrary
0x42722c LoadLibraryW
0x427254 IsWindowEnabled
0x427258 ShowWindow
0x42725c SetWindowTextW
0x427264 WinHelpW
0x427268 GetCapture
0x42726c SetWindowsHookExW
0x427270 CallNextHookEx
0x427274 GetClassLongW
0x427278 GetClassNameW
0x42727c SetPropW
0x427280 GetPropW
0x427284 RemovePropW
0x427288 GetFocus
0x42728c GetWindowTextW
0x427290 GetForegroundWindow
0x427294 GetLastActivePopup
0x427298 DispatchMessageW
0x42729c GetDlgItem
0x4272a0 GetTopWindow
0x4272a4 DestroyWindow
0x4272a8 UnhookWindowsHookEx
0x4272ac GetMessageTime
0x4272b0 GetMessagePos
0x4272b4 PeekMessageW
0x4272b8 MapWindowPoints
0x4272bc GetKeyState
0x4272c0 SetMenu
0x4272c4 SetForegroundWindow
0x4272c8 IsWindowVisible
0x4272cc PostMessageW
0x4272d0 GetSubMenu
0x4272d4 GetMenuItemID
0x4272d8 GetMenuItemCount
0x4272dc MessageBoxW
0x4272e0 CreateWindowExW
0x4272e4 GetClassInfoExW
0x4272e8 GetClassInfoW
0x4272ec RegisterClassW
0x4272f0 AdjustWindowRectEx
0x4272f4 CopyRect
0x4272f8 GetDlgCtrlID
0x4272fc DefWindowProcW
0x427300 CallWindowProcW
0x427304 GetMenu
0x427308 GetWindowLongW
0x42730c SetWindowPos
0x427314 GetWindowPlacement
0x427318 GetWindow
0x42731c GetSystemMetrics
0x427320 IsIconic
0x427324 LoadIconW
0x427328 EnableWindow
0x42732c SendMessageW
0x427330 SetCursor
0x427334 PtInRect
0x427338 GetCursorPos
0x42733c LoadCursorW
0x427340 ReleaseDC
0x427344 GetDC
0x427348 GetParent
0x42734c GetWindowRect
0x427350 GetSysColor
0x427354 IsWindow
0x427358 UnregisterClassW
0x42735c SetWindowLongW
0x427360 GetClientRect
0x427364 GetSysColorBrush
0x427368 DestroyMenu
0x42736c GetMessageW
0x427370 TranslateMessage
0x427374 ValidateRect
0x427378 GetActiveWindow
0x42737c PostQuitMessage
0x427384 ClientToScreen
0x427388 GrayStringW
0x42738c DrawTextExW
0x427390 DrawTextW
0x427394 TabbedTextOutW
0x427398 SetMenuItemBitmaps
0x4273a0 LoadBitmapW
0x4273a4 ModifyMenuW
0x4273a8 GetMenuState
0x4273ac EnableMenuItem
0x4273b0 CheckMenuItem
0x427028 DeleteObject
0x42702c PtVisible
0x427030 RectVisible
0x427034 TextOutW
0x427038 ExtTextOutW
0x42703c Escape
0x427040 SelectObject
0x427044 SetViewportOrgEx
0x427048 OffsetViewportOrgEx
0x42704c SetViewportExtEx
0x427050 ScaleViewportExtEx
0x427054 SetWindowExtEx
0x427058 DeleteDC
0x42705c SetMapMode
0x427060 RestoreDC
0x427064 SaveDC
0x427068 SetBkColor
0x42706c GetDeviceCaps
0x427070 ScaleWindowExtEx
0x427074 GetStockObject
0x427078 SetTextColor
0x42707c GetClipBox
0x427080 CreateBitmap
0x4273b8 DocumentPropertiesW
0x4273bc OpenPrinterW
0x4273c0 ClosePrinter
0x427000 RegSetValueExW
0x427004 RegOpenKeyW
0x427008 RegEnumKeyW
0x42700c RegDeleteKeyW
0x427010 RegOpenKeyExW
0x427014 RegCreateKeyExW
0x427018 RegQueryValueExW
0x42701c RegCloseKey
0x427020 RegQueryValueW
0x427248 PathFindFileNameW
0x42724c PathFindExtensionW
0x427238 VariantInit
0x42723c VariantChangeType
0x427240 VariantClear

!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.rsrc
@.reloc
@t'9u
;(r[V
F0$xB
Q$_^]
Q(_^]
Q,_^]
Q0_^]
Q4_^]
Q8_^]
Q<_^]
QD_^]
QP_^]
QT_^]
QX_^]
Q\_^]
Qd_^]
Qh_^]
F0$xB
S\_^[]
S\_^[]
@[_^]
t39w u&
_ 9w$u
Ht;O u
Q$_^]
Q(_^]
Q,_^]
Q0_^]
Q4_^]
Q8_^]
Q<_^]
QD_^]
QP_^]
QT_^]
QX_^]
Q\_^]
Qd_^]
u8hdzB
8hXzB
u=j0^VP
SVWj(3
+F(_^[;E
F(@@;F,v
F(;^ r
F(;F0u
^(_^[]
P|_^]
j _W3
PWVWWW
WVWWW
0WWWWS
WWWWS
Ph_^[
@_[^]
WtrHHt
tA9wht<
9p t-S
9p$ty
u*hHRC
Pj8hh
j8hh
QQSVW
^(_^[
9~8ucj
F4_^[]
YQPVh
SSSSS
SSSSS
HH_^[
VVVVV
VVVVV
SSSSS
SSSSS
0WWWWW
VVVVV
0WWWWW
@AA;E
0WWWWW
AAFFf;
QQSVWd
Y__^[
Y__^[
0WWWWW
@@BBf;
@@BBf;
0;1t|
wIVSP
9=(]C
uBhm0A
YhptB
0WWWWW
AAFFf;
SSSSS
WWWWW
WWWWW
SVWt*
VVVVV
PPPPP
VVVVV
VVVVV
VVVVV
>=Yt1j
tPVWP
PPPPP
QQSVWh
teht3A
PPPPP
PPPPP
PPPPP
0SSSSS
s[S;7|G;w
tR99u2
@_^[]
URPQQhLwA
SSSSS
PPPPP
_VVVVV
SSSSS
SSSSS
^WWWWW
PPPPP
SSSSS
SSSSS
VVVVV
WWWWW
uL9=(]C
0SSSSS
0SSSSS
VVVVV
to=H+C
Y_^[]
SSSSS
SSSSS
PPPPP
SSSSS
PPPPP
VVVVV
VVVVV
VVVVV
PPPPP
VVVVV
vSSSh
SSSSS
Ph0^C
95P^C
WWWWW
WWWWW
VVVVV
VVVVV
WWWWW
VVVVV
VVVVV
SVWUj
;t$,v-
UQPXY]Y[
u,VVWV
t VV9u
^SSSSS
j"^SSSSS
QSWVj
SSSSW
SSSSW
0SSSSS
PPPPP
_VVVVV
Pj1Q3
F Pj*
F$Pj+
F(Pj,
F,Pj-
F0Pj.
F4Pj/
F8PjD
F<PjE
FDPjG
FHPjH
FLPjI
FPPjJ
FTPjK
FXPjL
F\PjM
F`PjN
FdPjO
FhPj8
FlPj9
FpPj:
FtPj;
FxPj<
F|Pj=
;5P+C
v$;5l+C
C PjPV
C$PjQV
C*PjTV
C+PjUV
C,PjVV
C-PjWV
C.PjRV
C/PjSV
PPPPPPPP
PPPPP
9] SS
PPPPPPPP
u8SS3
9]$SS
t"SS9]
VW|[;
VVVVV
~,WPV
WWWWW
@WuyV
WWWWW
VVVVV
WWWWW
SSSSS
<+t(<-t$:
+t HHt
VVVVV
VVVVV
SSSSS
SSSSS
95,^C
VVVVV
SSSSS
SSSSS
95,^C
VVVVV
^SSSSS
^SSSSS
WWWWV
t+WWVPV
WWWWW
WWWWW
SSSSS
SSSSS
SSSSS
VVVVV
WWWWW
FYY;u
FYY;u
HHtt2
t}9>uyj
9^Lth
F 98u
FAPPW
9^Lty
FAPPQ
F09^(u
WWWWW
WWWWW
WWWWW
WWWWW
SSSSS
WWWWW
VVVVV
WWWWW
WWWWW
VVVVV
VVVVV
WWWWW
SSSSS
GetMonitorInfoA
GetMonitorInfoW
EnumDisplayDevicesW
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
DISPLAY
InitCommonControls
InitCommonControlsEx
HtmlHelpW
hhctrl.ocx
CCmdTarget
COleException
CInvalidArgException
CNotSupportedException
CMemoryException
CSimpleException
CException
CGdiObject
CUserException
CResourceException
CArchiveException
CObject
CWinApp
DeactivateActCtx
ActivateActCtx
ReleaseActCtx
CreateActCtxW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
CWinThread
CMenu
CMapPtrToPtr
CByteArray
NotifyWinEvent
CObArray
CPtrArray
Unknown exception
CorExitProcess
HeapQueryInformation
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
bad exception
e+000
GAIsProcessorFeaturePresent
KERNEL32
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
(null)
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
1#QNAN
1#INF
1#IND
1#SNAN
CONOUT$
bad cast
string too long
invalid string position
OLEACC.dll
bad allocation
ios_base::badbit set
ios_base::failbit set
ios_base::eofbit set
kernel32.dll
VirtualAllocExNuma
LdrAcces
sResource
indResource_U
ntdll.dll
RSDS3[
C:\Users\BEAUREGARD\Videos\PwdChange_src\PwdChange\Release\PwdChange.pdb
CreateStdAccessibleObject
LresultFromObject
LoadLibraryW
FreeLibrary
FormatMessageW
LocalFree
GetModuleHandleExA
GetProcAddress
GetCurrentProcess
SizeofResource
LockResource
LoadResource
FindResourceW
GetVersionExA
GetModuleHandleW
MultiByteToWideChar
lstrcmpW
SetLastError
GetLastError
LoadLibraryA
GlobalDeleteAtom
GlobalFindAtomW
GlobalAddAtomW
GetCurrentThreadId
lstrlenW
WideCharToMultiByte
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalFree
GetModuleHandleA
GetModuleFileNameW
GetCurrentProcessId
lstrcmpA
lstrlenA
InterlockedExchange
GetLocaleInfoW
EnumResourceLanguagesW
ConvertDefaultLocale
GetCurrentThread
WritePrivateProfileStringW
CloseHandle
InterlockedDecrement
LocalAlloc
LeaveCriticalSection
TlsGetValue
EnterCriticalSection
GlobalReAlloc
GlobalHandle
InitializeCriticalSection
TlsAlloc
TlsSetValue
LocalReAlloc
DeleteCriticalSection
TlsFree
GlobalFlags
InterlockedIncrement
ReadFile
WriteFile
SetFilePointer
FlushFileBuffers
SetErrorMode
GetStartupInfoW
HeapAlloc
GetSystemTimeAsFileTime
HeapFree
RtlUnwind
RaiseException
HeapReAlloc
Sleep
ExitProcess
HeapSize
SetUnhandledExceptionFilter
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
VirtualAlloc
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetConsoleCP
GetConsoleMode
GetLocaleInfoA
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
LCMapStringA
LCMapStringW
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA
KERNEL32.dll
EnableWindow
SendMessageW
SetCursor
SetWindowLongW
GetClientRect
IsWindow
GetSysColor
GetWindowRect
GetParent
GetDC
ReleaseDC
LoadCursorW
GetCursorPos
PtInRect
LoadIconW
IsIconic
GetSystemMetrics
GetWindow
GetWindowPlacement
SystemParametersInfoA
SetWindowPos
GetWindowLongW
GetMenu
CallWindowProcW
DefWindowProcW
GetDlgCtrlID
CopyRect
AdjustWindowRectEx
RegisterClassW
GetClassInfoW
GetClassInfoExW
CreateWindowExW
MessageBoxW
GetMenuItemCount
GetMenuItemID
GetSubMenu
PostMessageW
IsWindowVisible
SetForegroundWindow
SetMenu
GetKeyState
MapWindowPoints
PeekMessageW
GetMessagePos
GetMessageTime
UnhookWindowsHookEx
DestroyWindow
GetTopWindow
GetDlgItem
DispatchMessageW
GetLastActivePopup
GetForegroundWindow
GetWindowTextW
GetFocus
RemovePropW
GetPropW
SetPropW
GetClassNameW
GetClassLongW
CallNextHookEx
SetWindowsHookExW
GetCapture
WinHelpW
RegisterWindowMessageW
SetWindowTextW
ShowWindow
IsWindowEnabled
CheckMenuItem
EnableMenuItem
GetMenuState
ModifyMenuW
LoadBitmapW
GetMenuCheckMarkDimensions
SetMenuItemBitmaps
TabbedTextOutW
DrawTextW
DrawTextExW
GrayStringW
ClientToScreen
GetWindowThreadProcessId
PostQuitMessage
GetActiveWindow
ValidateRect
TranslateMessage
GetMessageW
DestroyMenu
GetSysColorBrush
UnregisterClassW
USER32.dll
GetStockObject
GetClipBox
SetTextColor
SetBkColor
CreateBitmap
GetDeviceCaps
SaveDC
RestoreDC
SetMapMode
DeleteObject
PtVisible
RectVisible
TextOutW
ExtTextOutW
Escape
SelectObject
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
DeleteDC
GDI32.dll
ClosePrinter
DocumentPropertiesW
OpenPrinterW
WINSPOOL.DRV
RegOpenKeyExW
RegQueryValueW
RegCloseKey
RegQueryValueExW
RegCreateKeyExW
RegSetValueExW
RegDeleteKeyW
RegEnumKeyW
RegOpenKeyW
ADVAPI32.dll
PathFindExtensionW
PathFindFileNameW
SHLWAPI.dll
OLEAUT32.dll
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
[email protected])!2vG#>^*WC$kq?f+Sn)GKaebrYV$lg77<l2obfka?Gg^6V<X?BY*nnrtDRc
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
</dependentAssembly>
</dependency>
</assembly>
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
AfxWnd90su
AfxControlBar90su
AfxMDIFrame90su
AfxFrameOrView90su
AfxOleControl90su
AfxOldWndProc423
USER32
YaccParent
accChildCount
accChild
accName
accValue
accDescription
accRole
accState
accHelp
accHelpTopic
accKeyboardShortcut
accFocus
accSelection
accDefaultAction
accSelect
accLocation
accNavigate
accHitTest
accDoDefaultAction
#32768
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
commctrl_DragListMsg
tDelete
NoRemove
ForceRemove
pSettings
PreviewPages
KERNEL32
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
NoDrives
RestrictRun
NoNetConnectDisconnect
NoRecentDocsHistory
NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Network
NoEntireNetwork
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
NoPlacesBar
NoBackButton
NoFileMru
ntdll.dll
kernel32.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
software
@Software\Classes\
Software\
@comctl32.dll
@comdlg32.dll
@shell32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
%2\CLSID
%2\Insertable
%2\protocol\StdFileEditing\verb\0
&Edit
%2\protocol\StdFileEditing\server
CLSID\%1
CLSID\%1\ProgID
CLSID\%1\InprocHandler32
ole32.dll
CLSID\%1\LocalServer32
CLSID\%1\Verb\0
&Edit,0,2
CLSID\%1\Verb\1
&Open,0,2
CLSID\%1\Insertable
CLSID\%1\AuxUserType\2
CLSID\%1\AuxUserType\3
CLSID\%1\DefaultIcon
%3,%7
CLSID\%1\MiscStatus
CLSID\%1\InProcServer32
CLSID\%1\DocObject
%2\DocObject
CLSID\%1\Printable
CLSID\%1\DefaultExtension
%9, %8
B.INI
user32.dll
mscoree.dll
KERNEL32.DLL
B(null)
C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
Exception thrown in destructor
%s (%s:%d)
%s (%s:%d)
Apartment
Info
Über Password Changer (About Password Changer)
MS Shell Dlg
Password Changer
Version 1.0
(C) Copyright 2006 by Steffen Lange
Alle Rechte vorbehalten. (All rights reserved.)
Password Changer
MS Shell Dlg
IDCANCEL
IDC_LBL_DOMAIN
IDC_LBL_SERVER
IDC_BTN_SERVER
IDC_LBL_USER
IDC_BTN_USER
IDC_LBL_OLDPASSWORD
IDC_LBL_NEWPASSWORD
IDC_BTN_CHANGE
Steffen-Lange.com
MS Shell Dlg
&New
Cancel
&Help
MS Shell Dlg
&Info...
&Schließen (Close)
&Computer suchen (Find computer)
&Benutzer suchen (Find user)
&Kennwort ändern (Change password)
Domäne / Arbeitsgruppe (Domain / workgroup)
Computer
Benutzer (User)
Altes Kennwort (Old password)
Neues Kennwort (New password)
Der Benutzername ist falsch oder die eingegebenen Kennwörter stimmen nicht überein. (The user name is wrong or the passwords entered do not match.)
Save As
All Files (*.*)
Untitled
an unnamed file
&Hide
No error message is available.
Attempted an unsupported operation.
A required resource was unavailable.
Out of memory.
An unknown error has occurred.
Encountered an improper argument.
Incorrect filename.
Failed to open document.
Failed to save document.
Save changes to %1?
Failed to create empty document.
The file is too large to open.
Could not start print job.
Failed to launch help.
Internal application error.
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Enter an integer.
Enter a number.
Enter an integer between %1 and %2.
Enter a number between %1 and %2.
Enter no more than %1 characters.
Select a button.
Enter an integer between 0 and 255.
Enter a positive integer.
Enter a date and/or time.
Enter a currency.
Enter a GUID.
Enter a time.
Enter a date.
Unexpected file format.
%1
Cannot find this file.
Verify that the correct path and file name are given.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
Encountered an unexpected error while reading %1.
Encountered an unexpected error while writing %1.
%1: %2
Continue running script?
Dispatch exception: %1
Unable to read write-only property.
Unable to write read-only property.
Unable to load mail system support.
Mail system DLL is invalid.
Send Mail failed to send message.
No error occurred.
An unknown error occurred while accessing %1.
%1 was not found.
%1 contains an incorrect path.
Could not open %1 because there are too many open files.
Access to %1 was denied.
An incorrect file handle was associated with %1.
Could not remove %1 because it is the current directory.
Could not create %1 because the directory is full.
Seek failed on %1
Encountered a hardware I/O error while accessing %1.
Encountered a sharing violation while accessing %1.
Encountered a locking violation while accessing %1.
Disk full while accessing %1.
Attempted to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
Attempted to write to the reading %1.
Attempted to access %1 past its end.
Attempted to read from the writing %1.
%1 has a bad format.
%1 contained an unexpected object.
%1 contains an incorrect schema.
pixels
Uncheck
Check
Mixed
VS_VERSION_INFO
StringFileInfo
040704e4
CompanyName
Steffen Lange
FileDescription
Password Changer
FileVersion
1.0.0.1
InternalName
PwdChange.exe
LegalCopyright
(C) Copyright 2006 by Steffen Lange
LegalTrademarks
Alle Rechte vorbehalten. (All rights reserved.)
OriginalFilename
PwdChange.exe
ProductName
Password Changer
ProductVersion
1.0.0.1
VarFileInfo
Translation

Full Results

Engine: Signature
Bkav: W32.AIDetectVM.malware1
Elastic: Clean
MicroWorld-eScan: Trojan.Ranapama.AMW
FireEye: Trojan.Ranapama.AMW
CAT-QuickHeal: Clean
ALYac: Clean
Cylance: Unsafe
Zillya: Clean
SUPERAntiSpyware: Clean
Sangfor: Clean
K7AntiVirus: Clean
Alibaba: Clean
K7GW: Clean
Cybereason: Clean
Invincea: Clean
Baidu: Clean
Cyren: Clean
Symantec: Clean
TotalDefense: Clean
APEX: Malicious
Avast: Clean
ClamAV: Clean
Kaspersky: HEUR:Trojan-Banker.Win32.Emotet.gen
BitDefender: Trojan.Ranapama.AMW
NANO-Antivirus: Clean
Paloalto: Clean
ViRobot: Clean
Rising: Clean
Ad-Aware: Trojan.Ranapama.AMW
Emsisoft: Trojan.Ranapama.AMW (B)
Comodo: Clean
F-Secure: Trojan.TR/AD.Emotet.pdjej
DrWeb: Trojan.Emotet.1042
VIPRE: Clean
TrendMicro: Clean
McAfee-GW-Edition: Clean
CMC: Clean
Sophos: Clean
SentinelOne: DFI - Suspicious PE
GData: Trojan.Ranapama.AMW
Jiangmin: Clean
Webroot: Clean
Avira: TR/AD.Emotet.pdjej
eGambit: Clean
MAX: malware (ai score=89)
Antiy-AVL: Clean
Kingsoft: Clean
Arcabit: Trojan.Ranapama.AMW
AegisLab: Clean
ZoneAlarm: HEUR:Trojan-Banker.Win32.Emotet.gen
Microsoft: Trojan:Win32/EmotetCrypt.ARJ!MTB
Cynet: Malicious (score: 85)
AhnLab-V3: Clean
Acronis: Clean
McAfee: GenericRXAA-AA!6F6AE03F22B5
TACHYON: Clean
VBA32: Clean
Malwarebytes: Trojan.Emotet
Zoner: Clean
ESET-NOD32: Win32/Emotet.CI
TrendMicro-HouseCall: Clean
Tencent: Clean
Yandex: Clean
Ikarus: Clean
MaxSecure: Clean
Fortinet: W32/BankerX.5CC7!tr
BitDefenderTheta: Clean
AVG: Clean
Panda: Clean
CrowdStrike: Clean
Qihoo-360: HEUR/QVM10.1.A943.Malware.Gen
Sorry! No behavior.

Hosts

Direct  IP  Country
Y  91.83.93.103  Hungary
Y  91.213.106.100  Latvia
Y  8.8.8.8  United States
Y  73.100.19.104  United States
Y  58.27.215.3  Pakistan
Y  51.38.50.144  France
Y  46.22.116.163  Sweden
Y  36.91.44.183  Indonesia
Y  221.147.142.214  Korea, Republic of
Y  192.210.217.94  United States
Y  192.163.221.191  United States
Y  190.192.39.136  Argentina
Y  190.164.135.81  Chile
Y  190.151.5.131  Chile
Y  188.40.170.197  Germany
Y  188.166.220.180  Singapore
Y  179.5.118.12  El Salvador
Y  116.202.10.123  India
Y  115.79.59.157  Vietnam
Y  103.93.220.182  Philippines
Y  1.1.1.1  Australia

TCP

Source Source Port Destination Destination Port
192.168.1.6 49199 103.93.220.182 80
192.168.1.6 49202 115.79.59.157 80
192.168.1.6 49206 116.202.10.123 8080
192.168.1.6 49195 179.5.118.12 80
192.168.1.6 49205 188.166.220.180 7080
192.168.1.6 49190 188.40.170.197 80
192.168.1.6 49193 190.151.5.131 443
192.168.1.6 49203 190.164.135.81 80
192.168.1.6 49201 190.192.39.136 80
192.168.1.6 49198 192.163.221.191 8080
192.168.1.6 49197 192.210.217.94 8080
192.168.1.6 49189 221.147.142.214 80
192.168.1.6 49210 36.91.44.183 80
192.168.1.6 49192 46.22.116.163 7080
192.168.1.6 49191 51.38.50.144 8080
192.168.1.6 49194 58.27.215.3 8080
192.168.1.6 49196 73.100.19.104 80
192.168.1.6 49200 91.213.106.100 8080
192.168.1.6 49204 91.83.93.103 443

UDP

Source Source Port Destination Destination Port
192.168.1.6 49918 1.1.1.1 53
192.168.1.6 50764 1.1.1.1 53
192.168.1.6 50797 1.1.1.1 53
192.168.1.6 52348 1.1.1.1 53
192.168.1.6 52555 1.1.1.1 53
192.168.1.6 54129 1.1.1.1 53
192.168.1.6 56219 1.1.1.1 53
192.168.1.6 56304 1.1.1.1 53
192.168.1.6 57593 1.1.1.1 53
192.168.1.6 58697 1.1.1.1 53
192.168.1.6 60016 1.1.1.1 53
192.168.1.6 60922 1.1.1.1 53
192.168.1.6 63241 1.1.1.1 53
192.168.1.6 63713 1.1.1.1 53
192.168.1.6 64201 1.1.1.1 53
192.168.1.6 64426 1.1.1.1 53
192.168.1.6 65048 1.1.1.1 53
192.168.1.6 137 192.168.1.255 137
192.168.1.6 49918 8.8.8.8 53
192.168.1.6 50764 8.8.8.8 53
192.168.1.6 50797 8.8.8.8 53
192.168.1.6 52348 8.8.8.8 53
192.168.1.6 52555 8.8.8.8 53
192.168.1.6 54129 8.8.8.8 53
192.168.1.6 56219 8.8.8.8 53
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 57593 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 60016 8.8.8.8 53
192.168.1.6 60922 8.8.8.8 53
192.168.1.6 63241 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53
192.168.1.6 64426 8.8.8.8 53
192.168.1.6 65048 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp  Source IP:Port -> Destination IP:Port  Protocol  GID  SID  REV  Signature  Category  Severity
2020-10-18 07:33:52.723  192.168.1.6:49198 -> 192.163.221.191:8080  TCP  1  2404311  5888  "ET CNC Feodo Tracker Reported CnC Server group 12"  A Network Trojan was detected  1
2020-10-18 07:34:07.267  192.168.1.6:49199 -> 103.93.220.182:80  TCP  1  2404300  5888  "ET CNC Feodo Tracker Reported CnC Server group 1"  A Network Trojan was detected  1
2020-10-18 07:34:22.252  192.168.1.6:49201 -> 190.192.39.136:80  TCP  1  2404310  5888  "ET CNC Feodo Tracker Reported CnC Server group 11"  A Network Trojan was detected  1
2020-10-18 07:34:36.908  192.168.1.6:49202 -> 115.79.59.157:80  TCP  1  2404301  5888  "ET CNC Feodo Tracker Reported CnC Server group 2"  A Network Trojan was detected  1
2020-10-18 07:35:05.486  192.168.1.6:49205 -> 188.166.220.180:7080  TCP  1  2404309  5888  "ET CNC Feodo Tracker Reported CnC Server group 10"  A Network Trojan was detected  1
2020-10-18 07:35:27.595  192.168.1.6:49210 -> 36.91.44.183:80  TCP  1  2404316  5888  "ET CNC Feodo Tracker Reported CnC Server group 17"  A Network Trojan was detected  1
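Turning the two network tables above into indicators is the first thing a responder does with a report like this, so here is an added example (not part of the CAPE report and not CAPE's own code) that does it. It parses rows in the format of the TCP table and the Suricata alert table, keeps every outbound endpoint the sample contacted, marks which of them a Feodo Tracker rule confirmed, and emits local Suricata rules for all of them. The point worth noticing: of the nineteen destinations in the TCP table only six raised an alert, so a blocklist built from alerts alone misses most of the sample's hard-coded C2 list. The DNS section lists no domains and every endpoint was reached by IP, so the indicators are IP:port pairs. The sample rows are copied from this page; the home-net prefix, the extra Suricata category names and the local SID base of 1000000 are assumptions.

```python
"""Added example (not the CAPE report's or CAPE's code): build a C2 indicator
list and local Suricata rules from a CAPE TCP table and Suricata alert table."""
import re
from collections import OrderedDict

# Constructed sample: rows copied from the report's TCP table (subset).
TCP_TABLE = """\
192.168.1.6 49199 103.93.220.182 80
192.168.1.6 49202 115.79.59.157 80
192.168.1.6 49206 116.202.10.123 8080
192.168.1.6 49205 188.166.220.180 7080
192.168.1.6 49198 192.163.221.191 8080
192.168.1.6 49201 190.192.39.136 80
192.168.1.6 49210 36.91.44.183 80
192.168.1.6 49204 91.83.93.103 443
"""

# Constructed sample: rows copied from the report's Suricata alert table (subset).
SURICATA_ALERTS = """\
2020-10-18 07:33:52.723 192.168.1.6 49198 192.163.221.191 8080 TCP 1 2404311 5888 ET CNC Feodo Tracker Reported CnC Server group 12 A Network Trojan was detected 1
2020-10-18 07:34:07.267 192.168.1.6 49199 103.93.220.182 80 TCP 1 2404300 5888 ET CNC Feodo Tracker Reported CnC Server group 1 A Network Trojan was detected 1
2020-10-18 07:35:27.595 192.168.1.6 49210 36.91.44.183 80 TCP 1 2404316 5888 ET CNC Feodo Tracker Reported CnC Server group 17 A Network Trojan was detected 1
"""

HOME_NET_PREFIX = "192.168."  # assumption: the sandbox guest subnet seen in the tables

# Suricata classtype descriptions. The page shows only the first; the others
# are standard classification.config entries, added as an assumption.
CATEGORIES = ("A Network Trojan was detected", "Potentially Bad Traffic", "Misc activity")
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\w+) "
    r"(?P<gid>\d+) (?P<sid>\d+) (?P<rev>\d+) (?P<sig>.+?) "
    r"(?P<cat>" + "|".join(re.escape(c) for c in CATEGORIES) + r") (?P<sev>\d+)$"
)


def parse_tcp(text):
    """Yield (dst_ip, dst_port) for outbound rows of the TCP table."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, _sport, dst, dport = parts
        if src.startswith(HOME_NET_PREFIX) and not dst.startswith(HOME_NET_PREFIX):
            yield dst, int(dport)


def parse_alerts(text):
    """Yield one dict per Suricata alert row the regex understands."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "gid", "sid", "rev", "sev"):
                d[k] = int(d[k])
            yield d


def build_iocs(tcp_text, alert_text):
    """Map 'ip:port' -> {'ip', 'port', 'sids', 'signatures'}. 'sids' lists the
    IDS rules that confirmed the endpoint; it stays empty for endpoints only
    the connection table saw."""
    iocs = OrderedDict()
    for ip, port in parse_tcp(tcp_text):
        iocs.setdefault(f"{ip}:{port}", {"ip": ip, "port": port, "sids": [], "signatures": []})
    for a in parse_alerts(alert_text):
        key = f"{a['dst']}:{a['dport']}"
        entry = iocs.setdefault(key, {"ip": a["dst"], "port": a["dport"], "sids": [], "signatures": []})
        entry["sids"].append(a["sid"])
        entry["signatures"].append(a["sig"])
    return iocs


def confirmed(iocs):
    """Endpoints the sample contacted and an IDS rule also flagged."""
    return sorted(k for k, v in iocs.items() if v["sids"])


def unconfirmed(iocs):
    """Endpoints contacted with no matching alert: still C2 candidates."""
    return sorted(k for k, v in iocs.items() if not v["sids"])


def to_suricata_rules(iocs, base_sid=1000000):
    """One local rule per endpoint; local SIDs start at 1000000 (assumption)."""
    rules = []
    for n, (key, v) in enumerate(iocs.items()):
        tag = "ids-confirmed" if v["sids"] else "sandbox-only"
        rules.append(
            f'alert tcp $HOME_NET any -> {v["ip"]} {v["port"]} '
            f'(msg:"Emotet C2 {key} ({tag})"; flow:to_server; '
            f'classtype:trojan-activity; sid:{base_sid + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = build_iocs(TCP_TABLE, SURICATA_ALERTS)
    print("confirmed by IDS:", confirmed(iocs))
    print("sandbox-only:", unconfirmed(iocs))
    print("\n".join(to_suricata_rules(iocs)))
```

Endpoints in the "sandbox-only" list deserve the same blocking treatment as the confirmed ones; the Feodo Tracker rule set simply lags the botnet's C2 rotation, which is why the report's connection table, not its alert table, is the authoritative source here.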

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name f80aef3bfcea3c887a94.exe
PID 4120
Dump Size 93696 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe
Type PE image: 32-bit executable
PE timestamp 2020-10-12 19:48:16
MD5 e5b6012ef8956819cf86edb25343302c
SHA1 936c3a1e623e1e1bef159e7f5f96c9ffb65a12a7
SHA256 ad79d1bf2b5c1ddd3bfd13e435789584115634fb242b52506901f0a9c25dc5ea
CRC32 87F63C2D
Ssdeep 1536:O9hEPFCKkp1Er8QfN1eQPOXpjV/mp8wX/IBPDWqvbf2q8t:O9iP09tRmbQRWqvF
CAPE Yara
  • Emotet Payload - Author: kevoreilly
Dump Filename ad79d1bf2b5c1ddd3bfd13e435789584115634fb242b52506901f0a9c25dc5ea

BinGraph (image not reproduced)

Process Name f80aef3bfcea3c887a94.exe
PID 4120
Dump Size 365056 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\f80aef3bfcea3c887a94.exe
Type PE image: 32-bit executable
PE timestamp 2020-10-16 20:45:05
MD5 3e39eacfbe8cc6281dd096a23961915f
SHA1 b6e907458843cb8bc96a6764dd87c8231a49e421
SHA256 c7ad6b20802e74388b5669ec02b0a199c27f6d4a0c9ad1c9322f612a42f2a1ae
CRC32 B9530835
Ssdeep 6144:vWXIwVZNNuh5pVI7Lf36g3uLcxjmkIAvLEoD4wnS9+RR1eis3f1k:MNE5pVI7z36g3uIxjmJAvfnY+71Xge
Dump Filename c7ad6b20802e74388b5669ec02b0a199c27f6d4a0c9ad1c9322f612a42f2a1ae

BinGraph (image not reproduced)

Defense Evasion Discovery
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_entropy
  • T1057 - Process Discovery
    • Signature - enumerates_running_processes
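The "packer_entropy" signature above is a per-section Shannon entropy check, and this sample also invites a compile-time check: its version resource claims a 2006 copyright while the PE timestamps on this page are from October 2020. Here is an added example (not the CAPE report's or CAPE's signature code) that implements both with the standard library only: it walks the real PE header layout with struct, computes entropy per section, and compares the header timestamp with the year the file claims about itself. The PE bytes are constructed inline by build_sample_pe() so the script runs offline; the 7.0 bits-per-byte threshold and the sample's timestamp and claimed year are assumptions taken from common practice and from the figures on this page, not CAPE's exact logic.

```python
"""Added example (not the CAPE report's or CAPE's code): section-entropy and
timestamp sanity checks on a PE image, standard library only."""
import datetime as dt
import math
import random
import struct

PACKED_THRESHOLD = 7.0  # assumption: typical bits-per-byte cut-off for packed/encrypted data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, near 8.0 for random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (TimeDateStamp, [(section name, raw bytes)]) from a PE image.

    Layout: e_lfanew at 0x3C -> 'PE\\0\\0' -> IMAGE_FILE_HEADER (20 bytes) ->
    optional header (SizeOfOptionalHeader) -> 40-byte IMAGE_SECTION_HEADER entries."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4
    _machine, nsec, tstamp, _symtab, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, fh)
    table = fh + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return tstamp, sections


def analyse(pe: bytes, claimed_year: int) -> dict:
    """Per-section entropy, the sections over the threshold, and whether the
    header compile year disagrees with the year the file claims for itself."""
    tstamp, sections = parse_sections(pe)
    compiled = dt.datetime.fromtimestamp(tstamp, dt.timezone.utc)
    entropies = {name: round(shannon_entropy(data), 3) for name, data in sections}
    return {
        "compiled": compiled.isoformat(),
        "sections": entropies,
        "packed_sections": [n for n, e in entropies.items() if e >= PACKED_THRESHOLD],
        "timestamp_mismatch": compiled.year != claimed_year,
    }


def build_sample_pe(timestamp: int, sections) -> bytes:
    """Constructed minimal PE32: DOS header, NT headers, section table, raw data."""
    e_lfanew, opt_size = 0x40, 224  # 224 = size of a PE32 optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # 0x10B = PE32 magic
    first_raw = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data),
                             first_raw + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += data
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table + blobs


# Constructed sample: a low-entropy code section plus a random "resource"
# section, stamped with the first CAPE dump's PE timestamp from this page
# (2020-10-12 19:48:16) and checked against the 2006 copyright the version
# resource claims.
SAMPLE_TIMESTAMP = int(dt.datetime(2020, 10, 12, 19, 48, 16, tzinfo=dt.timezone.utc).timestamp())
_rng = random.Random(2020)
SAMPLE_SECTIONS = [
    (b".text", bytes(range(16)) * 256),                            # entropy exactly 4.0
    (b".rsrc", bytes(_rng.getrandbits(8) for _ in range(4096))),   # close to 8.0
]
CLAIMED_COPYRIGHT_YEAR = 2006

if __name__ == "__main__":
    print(analyse(build_sample_pe(SAMPLE_TIMESTAMP, SAMPLE_SECTIONS), CLAIMED_COPYRIGHT_YEAR))
```

On a real sample, read the file bytes and pass them to analyse() together with the year taken from the LegalCopyright string; a high-entropy .rsrc or .data section combined with a timestamp years newer than the copyright is the usual shape of a decoy carrying an encrypted payload, which is what the two CAPE dumps above are.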

    Processing ( 16.07 seconds )

    • 7.573 CAPE
    • 5.27 Suricata
    • 1.529 NetworkAnalysis
    • 0.646 Static
    • 0.534 BehaviorAnalysis
    • 0.243 VirusTotal
    • 0.089 AnalysisInfo
    • 0.061 ProcDump
    • 0.053 Deduplicate
    • 0.047 TargetInfo
    • 0.01 Strings
    • 0.009 peid
    • 0.006 Debug

    Signatures ( 0.319 seconds )

    • 0.042 antiav_detectreg
    • 0.016 infostealer_ftp
    • 0.015 territorial_disputes_sigs
    • 0.014 decoy_document
    • 0.013 api_spamming
    • 0.013 stealth_timeout
    • 0.011 persistence_autorun
    • 0.011 ransomware_files
    • 0.009 NewtWire Behavior
    • 0.009 modify_proxy
    • 0.009 infostealer_im
    • 0.008 antianalysis_detectreg
    • 0.008 ransomware_extensions
    • 0.006 Doppelganging
    • 0.006 enumerates_running_processes
    • 0.006 antiav_detectfile
    • 0.005 InjectionCreateRemoteThread
    • 0.005 antivm_generic_disk
    • 0.005 injection_createremotethread
    • 0.004 antivm_generic_scsi
    • 0.004 lsass_credential_dumping
    • 0.004 process_interest
    • 0.004 antianalysis_detectfile
    • 0.004 antivm_vbox_keys
    • 0.004 infostealer_bitcoin
    • 0.004 infostealer_mail
    • 0.003 InjectionProcessHollowing
    • 0.003 bootkit
    • 0.003 injection_runpe
    • 0.003 vawtrak_behavior
    • 0.003 antivm_vmware_keys
    • 0.003 browser_security
    • 0.003 masquerade_process_name
    • 0.002 InjectionInterProcess
    • 0.002 antiemu_wine_func
    • 0.002 exec_crash
    • 0.002 mimics_filetime
    • 0.002 network_anomaly
    • 0.002 blackrat_registry_keys
    • 0.002 reads_self
    • 0.002 recon_programs
    • 0.002 stealth_file
    • 0.002 virus
    • 0.002 antivm_parallels_keys
    • 0.002 antivm_vbox_files
    • 0.002 antivm_xen_keys
    • 0.002 geodo_banking_trojan
    • 0.002 disables_backups
    • 0.002 disables_browser_warn
    • 0.002 ursnif_behavior
    • 0.001 EvilGrab
    • 0.001 antivm_generic_services
    • 0.001 betabot_behavior
    • 0.001 guloader_apis
    • 0.001 dynamic_function_loading
    • 0.001 hancitor_behavior
    • 0.001 infostealer_browser_password
    • 0.001 kibex_behavior
    • 0.001 kovter_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 persistence_autorun_tasks
    • 0.001 process_needed
    • 0.001 OrcusRAT Behavior
    • 0.001 tinba_behavior
    • 0.001 persists_dev_util
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vpc_keys
    • 0.001 ketrican_regkeys
    • 0.001 browser_addon
    • 0.001 azorult_mutexes
    • 0.001 network_dns_doh_tls
    • 0.001 revil_mutexes
    • 0.001 modirat_behavior
    • 0.001 recon_fingerprint

    Reporting ( 8.709 seconds )

    • 8.436 BinGraph
    • 0.264 MITRE_TTPS
    • 0.009 PCAP2CERT