Detections

Yara:

AgentTeslaV2

Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-06-22 19:10:22 2020-06-22 19:14:44 262 seconds Show Options Show Log
route = tor
2020-05-13 09:07:45,680 [root] INFO: Date set to: 20200622T19:10:21, timeout set to: 200
2020-06-22 19:10:21,031 [root] DEBUG: Starting analyzer from: C:\tmpnwhtwc92
2020-06-22 19:10:21,046 [root] DEBUG: Storing results at: C:\HxkcSeoo
2020-06-22 19:10:21,046 [root] DEBUG: Pipe server name: \\.\PIPE\hqLUsYTkS
2020-06-22 19:10:21,046 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-22 19:10:21,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-22 19:10:21,046 [root] INFO: Automatically selected analysis package "exe"
2020-06-22 19:10:21,046 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-22 19:10:21,062 [root] DEBUG: Imported analysis package "exe".
2020-06-22 19:10:21,062 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-22 19:10:21,062 [root] DEBUG: Initialized analysis package "exe".
2020-06-22 19:10:21,093 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-22 19:10:21,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-22 19:10:21,093 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-22 19:10:21,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-22 19:10:21,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-22 19:10:21,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-22 19:10:21,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-22 19:10:21,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-22 19:10:21,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-22 19:10:21,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-22 19:10:21,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-22 19:10:21,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-22 19:10:21,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-22 19:10:21,187 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-22 19:10:21,187 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-22 19:10:21,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-22 19:10:21,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-22 19:10:21,187 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-22 19:10:21,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-22 19:10:21,187 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-22 19:10:21,187 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-22 19:10:21,375 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-22 19:10:21,375 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-22 19:10:21,390 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-22 19:10:21,390 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-22 19:10:21,390 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-22 19:10:21,390 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-22 19:10:21,390 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-22 19:10:21,406 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-22 19:10:21,406 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-22 19:10:21,406 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-22 19:10:21,406 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-22 19:10:21,406 [root] DEBUG: Started auxiliary module Browser
2020-06-22 19:10:21,406 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-22 19:10:21,406 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-22 19:10:21,406 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-22 19:10:21,406 [root] DEBUG: Started auxiliary module Curtain
2020-06-22 19:10:21,406 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-22 19:10:21,406 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-22 19:10:21,406 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-22 19:10:21,406 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-22 19:10:21,890 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-22 19:10:21,890 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-22 19:10:21,906 [root] DEBUG: Started auxiliary module DigiSig
2020-06-22 19:10:21,906 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-22 19:10:21,906 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-22 19:10:21,906 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-22 19:10:21,937 [root] DEBUG: Started auxiliary module Disguise
2020-06-22 19:10:21,937 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-22 19:10:21,937 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-22 19:10:21,937 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-22 19:10:21,953 [root] DEBUG: Started auxiliary module Human
2020-06-22 19:10:21,953 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-22 19:10:21,953 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-22 19:10:21,953 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-22 19:10:21,953 [root] DEBUG: Started auxiliary module Procmon
2020-06-22 19:10:21,953 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-22 19:10:21,953 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-22 19:10:21,953 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-22 19:10:21,953 [root] DEBUG: Started auxiliary module Screenshots
2020-06-22 19:10:21,953 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-22 19:10:21,953 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-22 19:10:21,953 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-22 19:10:21,968 [root] DEBUG: Started auxiliary module Sysmon
2020-06-22 19:10:21,968 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-22 19:10:21,968 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-22 19:10:21,968 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-22 19:10:21,968 [root] DEBUG: Started auxiliary module Usage
2020-06-22 19:10:21,968 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-22 19:10:21,968 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-22 19:10:21,968 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-22 19:10:21,968 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-22 19:10:22,046 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.exe" with arguments "" with pid 5364
2020-06-22 19:10:22,046 [lib.api.process] INFO: Monitor config for process 5364: C:\tmpnwhtwc92\dll\5364.ini
2020-06-22 19:10:22,046 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\exqCgRKO.dll, loader C:\tmpnwhtwc92\bin\ZJlbquU.exe
2020-06-22 19:10:22,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hqLUsYTkS.
2020-06-22 19:10:22,078 [root] DEBUG: Loader: Injecting process 5364 (thread 1352) with C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:22,093 [root] DEBUG: Process image base: 0x00E10000
2020-06-22 19:10:22,093 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 19:10:22,093 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 19:10:22,093 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:22,093 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5364
2020-06-22 19:10:24,093 [lib.api.process] INFO: Successfully resumed process with pid 5364
2020-06-22 19:10:24,156 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 19:10:24,156 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 19:10:24,156 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5364 at 0x69d90000, image base 0xe10000, stack from 0x215000-0x220000
2020-06-22 19:10:24,156 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.exe".
2020-06-22 19:10:24,171 [root] INFO: Loaded monitor into process with pid 5364
2020-06-22 19:10:24,187 [root] DEBUG: set_caller_info: Adding region at 0x00120000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-22 19:10:24,187 [root] DEBUG: set_caller_info: Adding region at 0x00890000 to caller regions list (ntdll::RtlDispatchException).
2020-06-22 19:10:24,203 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-22 19:10:24,203 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x890000
2020-06-22 19:10:24,203 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00890000 size 0x400000.
2020-06-22 19:10:24,203 [root] DEBUG: DumpPEsInRange: Scanning range 0x890000 - 0x891000.
2020-06-22 19:10:24,203 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x890000-0x891000.
2020-06-22 19:10:24,249 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HxkcSeoo\CAPE\5364_21316174702430223262020 (size 0x596)
2020-06-22 19:10:24,249 [root] DEBUG: DumpRegion: Dumped stack region from 0x00890000, size 0x1000.
2020-06-22 19:10:24,249 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00120000.
2020-06-22 19:10:24,249 [root] DEBUG: set_caller_info: Adding region at 0x00520000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-22 19:10:24,359 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HxkcSeoo\CAPE\5364_19787043282430223262020 (size 0x100099)
2020-06-22 19:10:24,359 [root] DEBUG: DumpRegion: Dumped stack region from 0x00520000, size 0x101000.
2020-06-22 19:10:24,406 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xb8 amd local view 0x703E0000 to global list.
2020-06-22 19:10:24,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 amd local view 0x00220000 to global list.
2020-06-22 19:10:24,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x00220000 to global list.
2020-06-22 19:10:24,421 [root] DEBUG: DLL loaded at 0x74330000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-22 19:10:24,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69060000 for section view with handle 0xd4.
2020-06-22 19:10:24,437 [root] DEBUG: DLL loaded at 0x69060000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-22 19:10:24,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6B9D0000 for section view with handle 0xd4.
2020-06-22 19:10:24,453 [root] DEBUG: DLL loaded at 0x6B9D0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-22 19:10:24,484 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 5364, handle 0xf4.
2020-06-22 19:10:24,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00100000 to global list.
2020-06-22 19:10:24,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc amd local view 0x00110000 to global list.
2020-06-22 19:10:24,500 [root] INFO: Disabling sleep skipping.
2020-06-22 19:10:24,500 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5364.
2020-06-22 19:10:24,500 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5364.
2020-06-22 19:10:24,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b0 amd local view 0x05620000 to global list.
2020-06-22 19:10:24,531 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5364.
2020-06-22 19:10:24,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f4 amd local view 0x66C30000 to global list.
2020-06-22 19:10:24,562 [root] DEBUG: DLL loaded at 0x66C30000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-22 19:10:24,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x6B570000 to global list.
2020-06-22 19:10:24,593 [root] DEBUG: DLL loaded at 0x6B570000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-22 19:10:24,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1fc amd local view 0x77020000 to global list.
2020-06-22 19:10:24,609 [root] DEBUG: DLL loaded at 0x77020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-22 19:10:24,609 [root] DEBUG: set_caller_info: Adding region at 0x00290000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-22 19:10:24,609 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x29ffff
2020-06-22 19:10:24,609 [root] DEBUG: DumpMemory: Nothing to dump at 0x00290000!
2020-06-22 19:10:24,609 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00290000 size 0x10000.
2020-06-22 19:10:24,640 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HxkcSeoo\CAPE\5364_20602107064430223262020 (size 0x48c)
2020-06-22 19:10:24,640 [root] DEBUG: DumpRegion: Dumped stack region from 0x00290000, size 0x1000.
2020-06-22 19:10:24,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 amd local view 0x681A0000 to global list.
2020-06-22 19:10:24,703 [root] DEBUG: DLL loaded at 0x681A0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-22 19:10:24,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x66450000 for section view with handle 0x218.
2020-06-22 19:10:24,718 [root] DEBUG: DLL loaded at 0x66450000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-22 19:10:24,750 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 amd local view 0x6A040000 to global list.
2020-06-22 19:10:24,750 [root] DEBUG: DLL loaded at 0x6A040000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-06-22 19:10:24,812 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x220 amd local view 0x00C90000 to global list.
2020-06-22 19:10:24,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x6E160000 to global list.
2020-06-22 19:10:24,828 [root] DEBUG: DLL loaded at 0x6E160000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-22 19:10:24,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x059F0000 for section view with handle 0x21c.
2020-06-22 19:10:24,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x002B0000 for section view with handle 0x220.
2020-06-22 19:10:24,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 amd local view 0x69EA0000 to global list.
2020-06-22 19:10:24,875 [root] DEBUG: DLL loaded at 0x69EA0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-22 19:10:34,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x737A0000 for section view with handle 0x21c.
2020-06-22 19:10:34,906 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-22 19:10:34,921 [root] DEBUG: set_caller_info: Adding region at 0x00230000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-22 19:10:34,921 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x23ffff
2020-06-22 19:10:34,921 [root] DEBUG: DumpMemory: Nothing to dump at 0x00230000!
2020-06-22 19:10:34,921 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00230000 size 0x10000.
2020-06-22 19:10:34,937 [root] DEBUG: DumpPEsInRange: Scanning range 0x230000 - 0x231000.
2020-06-22 19:10:34,937 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x230000-0x231000.
2020-06-22 19:10:35,000 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HxkcSeoo\CAPE\5364_11888887131731223262020 (size 0x77)
2020-06-22 19:10:35,000 [root] DEBUG: DumpRegion: Dumped stack region from 0x00230000, size 0x1000.
2020-06-22 19:10:35,015 [root] DEBUG: DLL loaded at 0x731D0000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-22 19:10:35,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 amd local view 0x00630000 to global list.
2020-06-22 19:10:35,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00640000 for section view with handle 0x230.
2020-06-22 19:10:35,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00650000 for section view with handle 0x230.
2020-06-22 19:10:35,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 amd local view 0x02B80000 to global list.
2020-06-22 19:10:35,343 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x23c amd local view 0x65730000 to global list.
2020-06-22 19:10:35,343 [root] DEBUG: DLL loaded at 0x65730000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-22 19:10:35,359 [root] DEBUG: DLL loaded at 0x753D0000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-22 19:10:35,359 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Roaming\yNYFRHTfohvGo.exe
2020-06-22 19:10:35,390 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\tmpF96A.tmp
2020-06-22 19:10:35,390 [root] DEBUG: DLL loaded at 0x73A50000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-22 19:10:35,390 [root] DEBUG: DLL loaded at 0x73DC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-06-22 19:10:35,406 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-22 19:10:35,406 [root] DEBUG: DLL loaded at 0x76B50000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-22 19:10:35,406 [root] DEBUG: DLL loaded at 0x6BBC0000: C:\Windows\System32\ieframe (0xaba000 bytes).
2020-06-22 19:10:35,421 [root] DEBUG: DLL loaded at 0x74FE0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-22 19:10:35,421 [root] DEBUG: DLL loaded at 0x74FF0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-22 19:10:35,421 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-22 19:10:35,421 [root] DEBUG: DLL loaded at 0x71BA0000: C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-06-22 19:10:35,421 [root] DEBUG: DLL loaded at 0x75010000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-22 19:10:35,421 [root] DEBUG: DLL loaded at 0x75000000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-22 19:10:35,421 [root] DEBUG: DLL loaded at 0x76AA0000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-06-22 19:10:35,437 [root] DEBUG: DLL loaded at 0x767A0000: C:\Windows\system32\iertutil (0x215000 bytes).
2020-06-22 19:10:35,468 [root] DEBUG: DLL loaded at 0x75230000: C:\Windows\system32\SETUPAPI (0x19d000 bytes).
2020-06-22 19:10:35,468 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-06-22 19:10:35,468 [root] DEBUG: DLL loaded at 0x75020000: C:\Windows\system32\DEVOBJ (0x12000 bytes).
2020-06-22 19:10:35,515 [root] DEBUG: DLL unloaded from 0x753D0000.
2020-06-22 19:10:35,515 [root] DEBUG: DLL loaded at 0x73B50000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-06-22 19:10:35,515 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-06-22 19:10:35,531 [root] DEBUG: DLL loaded at 0x74E60000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-22 19:10:35,531 [root] DEBUG: DLL loaded at 0x76CE0000: C:\Windows\system32\urlmon (0x124000 bytes).
2020-06-22 19:10:35,546 [root] DEBUG: DLL loaded at 0x74F70000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-22 19:10:35,546 [root] DEBUG: DLL loaded at 0x76160000: C:\Windows\system32\WININET (0x1c4000 bytes).
2020-06-22 19:10:35,546 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-22 19:10:35,578 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 4560
2020-06-22 19:10:35,578 [lib.api.process] INFO: Monitor config for process 4560: C:\tmpnwhtwc92\dll\4560.ini
2020-06-22 19:10:35,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\exqCgRKO.dll, loader C:\tmpnwhtwc92\bin\ZJlbquU.exe
2020-06-22 19:10:35,593 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hqLUsYTkS.
2020-06-22 19:10:35,609 [root] DEBUG: Loader: Injecting process 4560 (thread 5220) with C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:35,609 [root] DEBUG: Process image base: 0x00E80000
2020-06-22 19:10:35,609 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:35,609 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-22 19:10:35,609 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:35,609 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4560
2020-06-22 19:10:35,625 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4560, ImageBase: 0x00E80000
2020-06-22 19:10:35,625 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 4560
2020-06-22 19:10:35,625 [lib.api.process] INFO: Monitor config for process 4560: C:\tmpnwhtwc92\dll\4560.ini
2020-06-22 19:10:35,625 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\exqCgRKO.dll, loader C:\tmpnwhtwc92\bin\ZJlbquU.exe
2020-06-22 19:10:35,640 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hqLUsYTkS.
2020-06-22 19:10:35,640 [root] DEBUG: Loader: Injecting process 4560 (thread 5220) with C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:35,640 [root] DEBUG: Process image base: 0x00E80000
2020-06-22 19:10:35,656 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:35,656 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-22 19:10:35,656 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:35,656 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4560
2020-06-22 19:10:35,671 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-22 19:10:35,687 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-22 19:10:35,687 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-22 19:10:35,703 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 19:10:35,703 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 19:10:35,718 [root] INFO: Disabling sleep skipping.
2020-06-22 19:10:35,718 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-22 19:10:35,718 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4560 at 0x69d90000, image base 0xe80000, stack from 0x116000-0x120000
2020-06-22 19:10:35,718 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Windows\System32\schtasks.exe" \Create \TN "Updates\yNYFRHTfohvGo" \XML "C:\Users\Rebecca\AppData\Local\Temp\tmpF96A.tmp".
2020-06-22 19:10:35,734 [root] INFO: Loaded monitor into process with pid 4560
2020-06-22 19:10:35,734 [root] DEBUG: DLL loaded at 0x74330000: C:\Windows\System32\VERSION (0x9000 bytes).
2020-06-22 19:10:35,734 [root] DEBUG: DLL unloaded from 0x00E80000.
2020-06-22 19:10:35,750 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc4 amd local view 0x00B70000 to global list.
2020-06-22 19:10:35,750 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\System32\CRYPTBASE (0xc000 bytes).
2020-06-22 19:10:35,765 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 4560).
2020-06-22 19:10:35,796 [root] INFO: Stopping Task Scheduler Service
2020-06-22 19:10:35,890 [root] INFO: Stopped Task Scheduler Service
2020-06-22 19:10:35,921 [root] INFO: Starting Task Scheduler Service
2020-06-22 19:10:35,984 [root] INFO: Started Task Scheduler Service
2020-06-22 19:10:35,984 [lib.api.process] INFO: Monitor config for process 840: C:\tmpnwhtwc92\dll\840.ini
2020-06-22 19:10:35,984 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\exqCgRKO.dll, loader C:\tmpnwhtwc92\bin\ZJlbquU.exe
2020-06-22 19:10:36,000 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hqLUsYTkS.
2020-06-22 19:10:36,015 [root] DEBUG: Loader: Injecting process 840 (thread 0) with C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:36,015 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDF000 Local PEB 0x7FFDF000 Local TEB 0x7FFD4000: The operation completed successfully.
2020-06-22 19:10:36,015 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 19:10:36,015 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-22 19:10:36,031 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 19:10:36,031 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 19:10:36,031 [root] INFO: Disabling sleep skipping.
2020-06-22 19:10:36,078 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 840 at 0x69d90000, image base 0xbb0000, stack from 0x1996000-0x19a0000
2020-06-22 19:10:36,078 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k netsvcs.
2020-06-22 19:10:36,093 [root] INFO: Loaded monitor into process with pid 840
2020-06-22 19:10:36,109 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-22 19:10:36,140 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-22 19:10:36,140 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:38,156 [root] DEBUG: DLL loaded at 0x76B50000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-22 19:10:38,156 [root] DEBUG: DLL loaded at 0x73500000: C:\Windows\system32\taskschd (0x7d000 bytes).
2020-06-22 19:10:38,531 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4560
2020-06-22 19:10:38,531 [root] DEBUG: GetHookCallerBase: thread 5220 (handle 0x0), return address 0x00E97569, allocation base 0x00E80000.
2020-06-22 19:10:38,546 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00E80000.
2020-06-22 19:10:38,546 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-22 19:10:38,546 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00E80000.
2020-06-22 19:10:38,546 [root] DEBUG: DumpProcess: Module entry point VA is 0x00017683.
2020-06-22 19:10:38,578 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2b400.
2020-06-22 19:10:38,578 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-22 19:10:38,578 [root] INFO: Process with pid 4560 has terminated
2020-06-22 19:10:38,671 [root] INFO: Announced 32-bit process name: Invoice UT05-222546.pdf.exe pid: 4360
2020-06-22 19:10:38,671 [lib.api.process] INFO: Monitor config for process 4360: C:\tmpnwhtwc92\dll\4360.ini
2020-06-22 19:10:38,718 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\exqCgRKO.dll, loader C:\tmpnwhtwc92\bin\ZJlbquU.exe
2020-06-22 19:10:38,734 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hqLUsYTkS.
2020-06-22 19:10:38,734 [root] DEBUG: Loader: Injecting process 4360 (thread 1780) with C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:38,734 [root] DEBUG: Process image base: 0x00E10000
2020-06-22 19:10:38,734 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 19:10:38,734 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 19:10:38,734 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:38,750 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4360
2020-06-22 19:10:38,781 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4360, ImageBase: 0x00E10000
2020-06-22 19:10:38,781 [root] INFO: Announced 32-bit process name: Invoice UT05-222546.pdf.exe pid: 4360
2020-06-22 19:10:38,796 [lib.api.process] INFO: Monitor config for process 4360: C:\tmpnwhtwc92\dll\4360.ini
2020-06-22 19:10:38,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\exqCgRKO.dll, loader C:\tmpnwhtwc92\bin\ZJlbquU.exe
2020-06-22 19:10:38,859 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hqLUsYTkS.
2020-06-22 19:10:38,859 [root] DEBUG: Loader: Injecting process 4360 (thread 1780) with C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:38,875 [root] DEBUG: Process image base: 0x00E10000
2020-06-22 19:10:38,875 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 19:10:38,875 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 19:10:38,875 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:38,875 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4360
2020-06-22 19:10:38,890 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 4360 (ImageBase 0x400000)
2020-06-22 19:10:38,890 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-22 19:10:38,890 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x047224E8.
2020-06-22 19:10:38,968 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x45800.
2020-06-22 19:10:38,968 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x47224e8, SizeOfImage 0x4c000.
2020-06-22 19:10:38,984 [root] INFO: Announced 32-bit process name: Invoice UT05-222546.pdf.exe pid: 4360
2020-06-22 19:10:38,984 [lib.api.process] INFO: Monitor config for process 4360: C:\tmpnwhtwc92\dll\4360.ini
2020-06-22 19:10:39,015 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\exqCgRKO.dll, loader C:\tmpnwhtwc92\bin\ZJlbquU.exe
2020-06-22 19:10:39,031 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hqLUsYTkS.
2020-06-22 19:10:39,046 [root] DEBUG: Loader: Injecting process 4360 (thread 0) with C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:39,046 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDD000 Local PEB 0x7FFDF000 Local TEB 0x7FFD8000: The operation completed successfully.
2020-06-22 19:10:39,046 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 19:10:39,046 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 19:10:39,062 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:39,062 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4360, error: 4294967281
2020-06-22 19:10:39,078 [root] DEBUG: WriteMemoryHandler: shellcode at 0x04655C38 (size 0x45000) injected into process 4360.
2020-06-22 19:10:39,125 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HxkcSeoo\CAPE\5364_10275694921232223262020 (size 0x44e92)
2020-06-22 19:10:39,140 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-22 19:10:39,140 [root] INFO: Announced 32-bit process name: Invoice UT05-222546.pdf.exe pid: 4360
2020-06-22 19:10:39,156 [lib.api.process] INFO: Monitor config for process 4360: C:\tmpnwhtwc92\dll\4360.ini
2020-06-22 19:10:39,156 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\exqCgRKO.dll, loader C:\tmpnwhtwc92\bin\ZJlbquU.exe
2020-06-22 19:10:39,187 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hqLUsYTkS.
2020-06-22 19:10:39,203 [root] DEBUG: Loader: Injecting process 4360 (thread 0) with C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:39,203 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDD000 Local PEB 0x7FFDE000 Local TEB 0x7FFDF000: The operation completed successfully.
2020-06-22 19:10:39,203 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 19:10:39,203 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 19:10:39,203 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:39,203 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4360, error: 4294967281
2020-06-22 19:10:39,203 [root] DEBUG: WriteMemoryHandler: shellcode at 0x03446D3C (size 0x400) injected into process 4360.
2020-06-22 19:10:39,281 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HxkcSeoo\CAPE\5364_2439542211232223262020 (size 0x308)
2020-06-22 19:10:39,281 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-22 19:10:39,281 [root] INFO: Announced 32-bit process name: Invoice UT05-222546.pdf.exe pid: 4360
2020-06-22 19:10:39,375 [lib.api.process] INFO: Monitor config for process 4360: C:\tmpnwhtwc92\dll\4360.ini
2020-06-22 19:10:39,375 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\exqCgRKO.dll, loader C:\tmpnwhtwc92\bin\ZJlbquU.exe
2020-06-22 19:10:39,406 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hqLUsYTkS.
2020-06-22 19:10:39,406 [root] DEBUG: Loader: Injecting process 4360 (thread 0) with C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:39,406 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDD000 Local PEB 0x7FFDF000 Local TEB 0x7FFDC000: The operation completed successfully.
2020-06-22 19:10:39,406 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID -17, handle 0x0
2020-06-22 19:10:39,421 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 19:10:39,421 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 19:10:39,437 [root] INFO: Disabling sleep skipping.
2020-06-22 19:10:39,437 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4360 at 0x69d90000, image base 0xe10000, stack from 0x576000-0x580000
2020-06-22 19:10:39,468 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"{path}".
2020-06-22 19:10:39,484 [root] INFO: Loaded monitor into process with pid 4360
2020-06-22 19:10:39,500 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-22 19:10:39,500 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-22 19:10:39,500 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\exqCgRKO.dll.
2020-06-22 19:10:39,515 [root] DEBUG: WriteMemoryHandler: shellcode at 0x03447148 (size 0x200) injected into process 4360.
2020-06-22 19:10:39,562 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HxkcSeoo\CAPE\5364_1740601511232223262020 (size 0x9)
2020-06-22 19:10:39,562 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-22 19:10:39,578 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x00046E8E (process 4360).
2020-06-22 19:10:39,593 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4360.
2020-06-22 19:10:39,593 [root] DEBUG: set_caller_info: Adding region at 0x00030000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 19:10:39,593 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5364.
2020-06-22 19:10:39,593 [root] DEBUG: set_caller_info: Adding region at 0x008E0000 to caller regions list (kernel32::GetSystemTime).
2020-06-22 19:10:39,609 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-22 19:10:39,609 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x8e0000
2020-06-22 19:10:39,671 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5364.
2020-06-22 19:10:39,671 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HxkcSeoo\CAPE\4360_15776387792931223262020 (size 0x596)
2020-06-22 19:10:39,687 [root] DEBUG: DumpRegion: Dumped stack region from 0x008E0000, size 0x1000.
2020-06-22 19:10:39,734 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HxkcSeoo\CAPE\4360_7148895132931223262020 (size 0x12b)
2020-06-22 19:10:39,734 [root] DEBUG: DumpRegion: Dumped stack region from 0x00030000, size 0x1000.
2020-06-22 19:10:39,734 [root] DEBUG: DLL loaded at 0x00450000: C:\tmpnwhtwc92\dll\exqCgRKO (0xd5000 bytes).
2020-06-22 19:10:39,734 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-22 19:10:39,734 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-22 19:10:39,734 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-22 19:10:39,734 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-22 19:10:39,734 [root] DEBUG: DLL unloaded from 0x00450000.
2020-06-22 19:10:39,750 [root] DEBUG: set_caller_info: Adding region at 0x00170000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 19:10:39,796 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HxkcSeoo\CAPE\4360_6609891782931223262020 (size 0x12b)
2020-06-22 19:10:39,812 [root] DEBUG: DumpRegion: Dumped stack region from 0x00170000, size 0x1000.
2020-06-22 19:10:39,812 [root] DEBUG: DLL loaded at 0x00450000: C:\tmpnwhtwc92\dll\exqCgRKO (0xd5000 bytes).
2020-06-22 19:10:39,812 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-22 19:10:39,828 [root] DEBUG: set_caller_info: Adding region at 0x00070000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-22 19:10:39,828 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00070000.
2020-06-22 19:10:39,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc0 amd local view 0x703E0000 to global list.
2020-06-22 19:10:39,843 [root] DEBUG: DLL loaded at 0x703E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-22 19:10:39,843 [root] DEBUG: DLL unloaded from 0x76020000.
2020-06-22 19:10:39,859 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4360
2020-06-22 19:10:39,859 [root] DEBUG: GetHookCallerBase: thread 1780 (handle 0x0), return address 0x69DC1698, allocation base 0x69D90000.
2020-06-22 19:10:39,875 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00E10000.
2020-06-22 19:10:39,875 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00E12000
2020-06-22 19:10:39,890 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-22 19:10:39,906 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00E10000.
2020-06-22 19:10:39,921 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00E69E00 to 0x00E6A000).
2020-06-22 19:10:39,968 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-22 19:10:39,968 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00E10000, dumping memory region.
2020-06-22 19:10:39,984 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x00400000.
2020-06-22 19:10:39,984 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-22 19:10:39,984 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-22 19:10:39,984 [root] DEBUG: DumpProcess: Module entry point VA is 0x00046E8E.
2020-06-22 19:10:40,062 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x45a00.
2020-06-22 19:10:40,062 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-22 19:10:40,062 [root] DEBUG: DLL unloaded from 0x703E0000.
2020-06-22 19:10:40,078 [root] INFO: Process with pid 4360 has terminated
2020-06-22 19:10:41,921 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5364
2020-06-22 19:10:41,921 [root] DEBUG: GetHookCallerBase: thread 1352 (handle 0x0), return address 0x00290D32, allocation base 0x00290000.
2020-06-22 19:10:41,921 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00E10000.
2020-06-22 19:10:41,921 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00E12000
2020-06-22 19:10:41,921 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-22 19:10:41,921 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00E10000.
2020-06-22 19:10:41,937 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00E69E00 to 0x00E6A000).
2020-06-22 19:10:41,968 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-22 19:10:41,968 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00E10000, dumping memory region.
2020-06-22 19:11:00,390 [root] DEBUG: set_caller_info: Adding region at 0x6D690000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-06-22 19:11:00,390 [root] DEBUG: set_caller_info: Calling region at 0x6D690000 skipped.
2020-06-22 19:11:02,140 [root] DEBUG: set_caller_info: Adding region at 0x6EAA0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-06-22 19:11:02,187 [root] DEBUG: set_caller_info: Calling region at 0x6EAA0000 skipped.
2020-06-22 19:11:04,343 [root] DEBUG: set_caller_info: Adding region at 0x6E490000 to caller regions list (ntdll::memcpy).
2020-06-22 19:11:04,343 [root] DEBUG: set_caller_info: Calling region at 0x6E490000 skipped.
2020-06-22 19:11:04,343 [root] DEBUG: set_caller_info: Adding region at 0x6DD60000 to caller regions list (ntdll::memcpy).
2020-06-22 19:11:04,343 [root] DEBUG: set_caller_info: Calling region at 0x6DD60000 skipped.
2020-06-22 19:12:17,718 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-22 19:13:44,390 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-22 19:13:44,390 [lib.api.process] ERROR: Failed to open terminate event for pid 5364
2020-06-22 19:13:44,406 [root] INFO: Terminate event set for process 5364.
2020-06-22 19:13:44,406 [lib.api.process] INFO: Terminate event set for process 840
2020-06-22 19:13:44,406 [root] DEBUG: Terminate Event: Attempting to dump process 840
2020-06-22 19:13:44,421 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00BB0000.
2020-06-22 19:13:44,421 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-22 19:13:44,421 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00BB0000.
2020-06-22 19:13:44,453 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002104.
2020-06-22 19:13:44,531 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x5200.
2020-06-22 19:13:44,546 [lib.api.process] INFO: Termination confirmed for process 840
2020-06-22 19:13:44,546 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 840
2020-06-22 19:13:44,546 [root] INFO: Terminate event set for process 840.
2020-06-22 19:13:44,546 [root] INFO: Created shutdown mutex.
2020-06-22 19:13:45,546 [root] INFO: Shutting down package.
2020-06-22 19:13:45,546 [root] INFO: Stopping auxiliary modules.
2020-06-22 19:13:45,625 [lib.common.results] WARNING: File C:\HxkcSeoo\bin\procmon.xml doesn't exist anymore
2020-06-22 19:13:45,625 [root] INFO: Finishing auxiliary modules.
2020-06-22 19:13:45,625 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-22 19:13:45,656 [root] WARNING: Folder at path "C:\HxkcSeoo\debugger" does not exist, skip.
2020-06-22 19:13:45,671 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7_1 win7_1 KVM 2020-06-22 19:10:22 2020-06-22 19:14:44

File Details

File Name Invoice UT05-222546.pdf.exe
File Size 368640 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-06-22 13:09:36
MD5 b76512014f74e255d5fa3bd144090baf
SHA1 19e3bd57858eea5e1904f379f5683243e39fbaed
SHA256 6de0a133506d6df141e56bf1f834c3028c31809a056f7bb97d76c9199c5823b7
SHA512 5c5d3757ebdb6bdd86d1de031889e788ea480c178e3e2959e314c1983a6f0da0eca698e384a70a616e7147cf1d3a406df7d615d84965b0b8d6a04069e438e4f3
CRC32 EE35FC7B
Ssdeep 6144:4i6QQRUOfvWxjyzfn7MEniEaYSwIEWs0L5Zs2wizSkRJxtXNOPNbv:4jQQyOfvSsfnfnlSREZ43w6SkR7BNs
Download Download ZIP Resubmit sample

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4360 trigged the Yara rule 'AgentTeslaV2'
Hit: PID 5364 trigged the Yara rule 'AgentTeslaV2'
Hit: PID 5364 trigged the Yara rule 'embedded_win_api'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipBitmapGetPixel
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/LocalAllocW
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/LsaLookupSids
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/GetTempFileName
DynamicLoader: KERNEL32.dll/GetTempFileNameW
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: ADVAPI32.dll/EventUnregister
A process created a hidden window
Process: Invoice UT05-222546.pdf.exe -> schtasks.exe
CAPE extracted potentially suspicious content
Invoice UT05-222546.pdf.exe: Injected Shellcode/Data
Invoice UT05-222546.pdf.exe: Unpacked Shellcode
Invoice UT05-222546.pdf.exe: Unpacked Shellcode
Invoice UT05-222546.pdf.exe: AgentTeslaV2 Payload: 32-bit executable
Invoice UT05-222546.pdf.exe: AgentTeslaV2
Invoice UT05-222546.pdf.exe: Unpacked Shellcode
Invoice UT05-222546.pdf.exe: Unpacked Shellcode
Invoice UT05-222546.pdf.exe: Injected Shellcode/Data
Invoice UT05-222546.pdf.exe: Unpacked Shellcode
Invoice UT05-222546.pdf.exe: AgentTeslaV2 Payload
Invoice UT05-222546.pdf.exe: AgentTeslaV2
Invoice UT05-222546.pdf.exe: Unpacked Shellcode
Invoice UT05-222546.pdf.exe: Unpacked Shellcode
Attempts to mimic the file extension of a PDF document by having 'pdf' in the file name.
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.94, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00059400, virtual_size: 0x0005920c
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yNYFRHTfohvGo" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmpF96A.tmp"
command: schtasks.exe /Create /TN "Updates\yNYFRHTfohvGo" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmpF96A.tmp"
Behavioural detection: Injection (Process Hollowing)
Injection: Invoice UT05-222546.pdf.exe(5364) -> Invoice UT05-222546.pdf.exe(4360)
Executed a process and injected code into it, probably while unpacking
Injection: Invoice UT05-222546.pdf.exe(5364) -> Invoice UT05-222546.pdf.exe(4360)
Behavioural detection: Injection (inter-process)
Network activity detected but not expressed in API logs
CAPE detected the AgentTeslaV2 malware family
File has been identified by 15 Antiviruses on VirusTotal as malicious
FireEye: Generic.mg.b76512014f74e255
Cylance: Unsafe
Sangfor: Malware
Cybereason: malicious.7858ee
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Generic.fc
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Sonbokli.A!cl
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Ikarus: Win32.Outbreak
BitDefenderTheta: Gen:[email protected]
CrowdStrike: win/malicious_confidence_90% (W)
Creates a copy of itself
copy: C:\Users\Rebecca\AppData\Roaming\yNYFRHTfohvGo.exe

Screenshots


Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.exe.config
C:\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\System32\api-ms-win-core-quirks-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Users
C:\Users\Rebecca
C:\Users\Rebecca\AppData
C:\Users\Rebecca\AppData\Local
C:\Users\Rebecca\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\xCdlmDVDFdbEdQbyC\*
C:\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\xCdlmDVDFdbEdQbyC.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\xCdlmDVDFdbEdQbyC.resources\xCdlmDVDFdbEdQbyC.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\xCdlmDVDFdbEdQbyC.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en-US\xCdlmDVDFdbEdQbyC.resources\xCdlmDVDFdbEdQbyC.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\Rebecca\AppData\Local\Temp\en\xCdlmDVDFdbEdQbyC.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\xCdlmDVDFdbEdQbyC.resources\xCdlmDVDFdbEdQbyC.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\xCdlmDVDFdbEdQbyC.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\xCdlmDVDFdbEdQbyC.resources\xCdlmDVDFdbEdQbyC.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\ReZer0V4.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\ReZer0V4.resources\ReZer0V4.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\ReZer0V4.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en-US\ReZer0V4.resources\ReZer0V4.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\ReZer0V4.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\ReZer0V4.resources\ReZer0V4.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\ReZer0V4.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\ReZer0V4.resources\ReZer0V4.resources.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Users\Rebecca\AppData\Roaming\yNYFRHTfohvGo.exe
C:\Users\Rebecca\AppData\Local\Temp\tmpF96A.tmp
\??\MountPointManager
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll
\Device\KsecDD
C:\Windows\System32\Tasks
C:\Windows\System32\Tasks\*
C:\Windows\System32\Tasks\AutoKMS
C:\Windows\System32\Tasks\Updates\yNYFRHTfohvGo
C:\Windows\System32\Tasks\Updates
C:\Windows\System32\Tasks\Updates\
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.exe.config
C:\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Users\Rebecca\AppData\Local\Temp\tmpF96A.tmp
\Device\KsecDD
C:\Users\Rebecca\AppData\Roaming\yNYFRHTfohvGo.exe
C:\Users\Rebecca\AppData\Local\Temp\tmpF96A.tmp
C:\Users\Rebecca\AppData\Local\Temp\tmpF96A.tmp
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Invoice UT05-222546.pdf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|Invoice UT05-222546.pdf.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|Invoice UT05-222546.pdf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|Invoice UT05-222546.pdf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\Invoice UT05-222546.pdf.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\yNYFRHTfohvGo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\yNYFRHTfohvGo\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\yNYFRHTfohvGo\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}\DynamicInfo
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\RepositoryRestoreInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}\DynamicInfo
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\yNYFRHTfohvGo\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\yNYFRHTfohvGo\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEA36B4E-8FB4-4357-ACE3-9E73A3C29A59}\DynamicInfo
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
kernel32.dll.CompareStringOrdinal
kernel32.dll.GetFullPathNameW
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.ResolveLocaleName
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipBitmapGetPixel
shell32.dll.SHGetFolderPathW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
kernel32.dll.CopyFileW
kernel32.dll.CloseHandle
kernel32.dll.GetCurrentProcess
kernel32.dll.LocalFree
kernel32.dll.LocalAlloc
advapi32.dll.LsaClose
advapi32.dll.LsaFreeMemory
advapi32.dll.LsaOpenPolicy
advapi32.dll.LsaLookupSids
kernel32.dll.GetTempPathW
kernel32.dll.GetTempFileNameW
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
shell32.dll.ShellExecuteEx
shell32.dll.ShellExecuteExW
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
kernel32.dll.DuplicateHandle
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.DeleteFileW
kernel32.dll.CreateProcessW
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
ntdll.dll.NtQuerySystemInformation
advapi32.dll.EventUnregister
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
cryptsp.dll.CryptReleaseContext
sspicli.dll.GetUserNameExW
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yNYFRHTfohvGo" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmpF96A.tmp"
schtasks.exe /Create /TN "Updates\yNYFRHTfohvGo" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmpF96A.tmp"
"{path}"
C:\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.exe "{path}"

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x00400000 0x0045b206 0x00000000 0x000694be 4.0 2020-06-22 13:09:36 f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x0005920c 0x00059400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.94
.rsrc 0x00059600 0x0005c000 0x00000638 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.54
.reloc 0x00059e00 0x0005e000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x0005c090 0x000003a8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.38 None
RT_MANIFEST 0x0005c448 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name xCdlmDVDFdbEdQbyC
Version 6.0.6.0

Assembly References

Name Version
mscorlib 4.0.0.0
System.Windows.Forms 4.0.0.0
System 4.0.0.0
System.Drawing 4.0.0.0
Microsoft.VisualBasic 10.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute VirtualBox Manag
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute Oracle Corporati
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute VirtualB
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright \xa9 2009-2019 Oracle Corporati
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 88927233-A79A-4774-B212-E39CA23DDF
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 6.0.6

Type References

Assembly Type Name
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.Object
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Diagnostics.DebuggerBrowsableState
mscorlib System.Diagnostics.DebuggerBrowsableAttribute
mscorlib System.ConsoleKey
mscorlib System.IO.TextReader
mscorlib System.Collections.Generic.List`1
mscorlib System.ConsoleKeyInfo
mscorlib System.Random
mscorlib System.Enum
mscorlib System.STAThreadAttribute
System.Windows.Forms System.Windows.Forms.OpenFileDialog
mscorlib System.AppDomain
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System.Drawing System.Drawing.Bitmap
System System.ComponentModel.EditorBrowsableState
System System.ComponentModel.EditorBrowsableAttribute
mscorlib System.Console
mscorlib System.IO.Path
mscorlib System.IO.Directory
mscorlib System.IO.DirectoryInfo
mscorlib System.IO.FileSystemInfo
mscorlib System.IO.StreamReader
mscorlib System.Char
mscorlib System.Int32
mscorlib System.Convert
mscorlib System.String
mscorlib System.Environment
System.Windows.Forms System.Windows.Forms.CommonDialog
System.Windows.Forms System.Windows.Forms.DialogResult
System.Windows.Forms System.Windows.Forms.FileDialog
mscorlib System.IO.File
mscorlib System.Array
mscorlib System.Action`1
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.LateBinding
mscorlib System.Type
mscorlib System.Threading.Thread
mscorlib System.RuntimeTypeHandle
mscorlib System.Reflection.Assembly

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
@.h8K
v4.0.30319
#Strings
#GUID
#Blob
<>c__DisplayClass6_0
<CheckTruckLost>b__0
_23561
Action`1
List`1
ToInt32
get_CoreModel4
_877765
<Module>
<PrivateImplementationDetails>
xCdlmDVDFdbEdQbyC
SokobanCLI
JJJJJ
System.IO
RIGHT
get_mKEpFksRyVfoXhXyopT
value__
mscorlib
System.Collections.Generic
Microsoft.VisualBasic
Thread
get__Field
set__Field
<_Field>k__BackingField
<_Employee>k__BackingField
<Awake>k__BackingField
<Movable>k__BackingField
<_FirstTile>k__BackingField
<_Active>k__BackingField
<Above>k__BackingField
<Maze>k__BackingField
<_Maze>k__BackingField
<_North>k__BackingField
<_South>k__BackingField
<_Truck>k__BackingField
<Symbol>k__BackingField
<SymbolOnDestination>k__BackingField
<AmountOfChestsOnDestination>k__BackingField
<CurrentWorker>k__BackingField
<_counter>k__BackingField
<AmountOfChests>k__BackingField
<Left>k__BackingField
<CurrentForkLift>k__BackingField
<Right>k__BackingField
<_East>k__BackingField
<_West>k__BackingField
<First>k__BackingField
<Below>k__BackingField
<Entity>k__BackingField
PutEntityOnThisField
field
Replace
get__Employee
set__Employee
employee
LevelCompletedMessage
PrintWelcomeMessage
InvalidInputMessage
get_Awake
set_Awake
CheckIfAwake
get__Movable
set__Movable
get_Movable
set_Movable
movable
RuntimeTypeHandle
GetTypeFromHandle
ParseLevelFile
get__FirstTile
set__FirstTile
EmptyTile
Console
_Game
GenerateGame
StartGame
get_FileName
GetFileName
get_FullName
GetDirectoryName
ReadLine
WriteLine
get_Culture
set_Culture
resourceCulture
TryParse
Crate
crate
DebuggerBrowsableState
EditorBrowsableState
Write
STAThreadAttribute
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
DebuggerBrowsableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
value
get__Active
set__Active
SetEmployeeActive
get_Above
set_Above
xCdlmDVDFdbEdQbyC.exe
get__Maze
set__Maze
get_Maze
set_Maze
BuildMaze
PrintMaze
System.Threading
LateBinding
System.Runtime.Versioning
ToString
Substring
System.Drawing
OpenFileDialog
CommonDialog
ShowDialog
ForEach
ComputeStringHash
BinaryMath
get_Length
GetLength
get__North
set__North
MoveNorth
MoveTruckNorth
get__South
set__South
MoveSouth
MoveTruckSouth
get__Truck
set__Truck
truck
Sokoban_M3.Model
System.ComponentModel
LoadLevel
loadLevel
StepOnPitFall
Pitfall
get_Symbol
set_Symbol
_symbol
Program
System
MoveRandom
resourceMan
Sokoban
randomGen
AppDomain
GetDomain
get_CurrentDomain
CheckTruckWon
ReturnRandomDestination
ArrivedOnDestination
CheckCrateOnDestination
get_SymbolOnDestination
set_SymbolOnDestination
get_AmountOfChestsOnDestination
set_AmountOfChestsOnDestination
destination
Sokoban_M3.Presentation
System.Globalization
System.Reflection
Direction
direction
CultureInfo
FileSystemInfo
ConsoleKeyInfo
DirectoryInfo
Bitmap
RetrieveMazeNumber
Spacer
StreamReader
TextReader
get_ResourceManager
get_CurrentWorker
set_CurrentWorker
System.CodeDom.Compiler
MainController
_Parser
parser
get_PlacedCounter
set_PlacedCounter
get__counter
set__counter
DirectionConverter
Trapdoor
Floor
.ctor
.cctor
System.Diagnostics
System.Runtime.InteropServices
Microsoft.VisualBasic.CompilerServices
System.Runtime.CompilerServices
GenerateReferences
System.Resources
Sokoban.Properties.Resources.resources
DebuggingModes
Sokoban.Properties
tiles
ReadAllLines
crates
MoveOnThis
Equals
System.Windows.Forms
get_Chars
Sokoban_M3.Process
get_AmountOfChests
set_AmountOfChests
previous
MoveArrows
GetObject
LateGet
get_Left
set_Left
get_CurrentForkLift
set_CurrentForkLift
Forklift
get_Right
set_Right
DialogResult
Environment
GetParent
current
get_Count
Convert
get__East
set__East
MoveEast
MoveTruckEast
get__West
set__West
MoveWest
MoveTruckWest
Chest
CrateList
crateList
CheckTruckLost
get_First
set_First
first
AskForArrowInput
InputView
inputView
OutputView
outputView
get_Below
set_Below
LevelArray
get_Key
ReadKey
RetrieveConsoleKey
get_Assembly
get_BaseDirectory
op_Equality
get_Entity
set_Entity
WrapNonExceptionThrows
VirtualBox Manager
Oracle Corporation
VirtualBox
)Copyright
2009-2019 Oracle Corporation
$88927233-A79A-4774-B212-E39CA23DDFA3
6.0.6.0
.NETFramework,Version=v4.0
FrameworkDisplayName
.NET Framework 4
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADE
!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
+$+)+*+++,t
%,S+^
+b+c+d+l8q
*BSJB
v4.0.30319
#Strings
#GUID
#Blob
CoreModel.dll
CoreModel
<Module>
Setup
mscorlib
Object
System
PoweredByAttribute
SmartAssembly.Attributes
Attribute
QSQWDWD
QSQSQSQS
System.Drawing
Bitmap
WDWDW
DeleteSetup
CSCSC
SCSCSC
.ctor
CompilationRelaxationsAttribute
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
DebuggableAttribute
System.Diagnostics
DebuggingModes
AssemblyTitleAttribute
System.Reflection
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
AssemblyFileVersionAttribute
TargetFrameworkAttribute
System.Runtime.Versioning
Array
get_Height
GetPixel
Color
FromArgb
op_Inequality
get_R
get_G
get_B
List`1
System.Collections.Generic
AddRange
IEnumerable`1
ToArray
Image
get_Width
get_Size
String
Concat
Assembly
GetEntryAssembly
ResourceManager
System.Resources
GetObject
AppDomain
Microsoft.VisualBasic
Interaction
CallByName
CallType
Int32
Environment
Thread
System.Threading
Sleep
GetDomain
WrapNonExceptionThrows
CoreModel
Copyright
2020
$7813e2b4-ad0f-42b4-9c20-58765e008edd
1.0.0.0
.NETFramework,Version=v4.0
FrameworkDisplayName
.NET Framework 4(
#Powered by SmartAssembly 7.3.0.3296
_CorDllMain
mscoree.dll
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
IDATx^
FQtkQ
t%y\&
Z%bTx
wEz$<
_Y`ug
5e1k7
]<I7`~p0y
NLFS2
cx&/5=
*$w!f
D`)"p
5|^aE
?4$:o/e
8Z;0yb
ZZr3?b
'`8Q"
aE#=w
]|k[a
dLKbE
:fjqHu'aA!y
h&(F`UU
-gEPy
Xu>UZW
p8F x
5\ubM
YN}S+
VT iO,
o<6T`
"9o?ch2
ml2[NFX(
@L <MT
&7$7o
bN6cQ
TpP p
pL dn:
HL\Ef
@V:Vc
(R=Nh/Jl
1M7c]
JWN4Mbt
)=<Xv
O#f=z
N4}:E
q$qS>
WrZI9
?CfM`
T2v'q
CcYjeH
xMTj-nn3cX
tQRJ8
o]y4C
iWE"Jq
ACXb.
~^XK$Q
gL%:,oA
B9vn?
YQr'1
R%k5PU
)CGk.
of,T_
D]qb6
q&Ov<
3e+Q/
@ \vm*
*q#c1
leY?7
k4GJpyu
j%FtT x
$Jp(n1
K[J>i1
|U-:\
l6n^I
?S 2Q
R0uzO
3|S;1
+:-Z`!
Jp9\
oW1BT'
0lJf2o
%p*5:
a|pV)
Qsx{2
CzySY
8#*bL
//^Po|U
qL*:A
*/#%r"M
*f-pX"
g6E T
I\tI6
L%b6w
7k6McD
-CFt`
/+J|1h
5Q3gqL
.-KPD
yl#Eo
94n#1
!JR |
K8lq|
*YSw0c
$z:6-
nDv*Q
:P)@9N
/:{RX a
vryL]
4K Pz
Vk'$}
B-5;
)ZG~)
Sna:|(
@0(Q}
7H-ehX
^5Z6*
C^QfKi
&wT3|Zi
?TZEK-
.$pDE6
a|I)G
?T%]|%
DXtE;
#])@u
<XcKl
11YA\
*7,wl`
6{YsU)
81]NV
_DHq{
,7f]V
|5OQS
8?wft<
K+*>3&}Y
cdX(-v
7mN0g
` C}S8
YO2G;
p~7;s
%hji9
w88K8/
,J~H&
4Vr#
"I^,e
,-N$h
"V1c1
1jJdWi0.
XRUg.g
T(N8B
Jw#b?
'p\W0R
d%#2O0a
@R1+9
? zF0
(@p%s
oP_&Y~!
>a:Sh
'2F<f
yGSSe
l-^M_
0\0aIO
h=\0y
^?2GW
"iW(P=>T
Kr[|D
5t%#P`
r_xBb
S+Xdp
=XC]o
[en\(C
?!Z7k
6(1y_*
y"%)B
3x.'VU
t'8LJ
<'@D)
}9muBX
d&^uC0
}4~S?pW
?mCF2
|;c1/
igYELJ
x&:pr
x2Mu&
\%:Ck1?;
?}WN6
-U&XT
$KL^0
-sL&_
0()ga#[
,@Pkw
VJ *@
8\;=#2
J<5>M
m:r(v1
$-1v0 :
`_):C
OO<#[
wZP5v5}
e5*Xn
$~HaW`}
|Pj }
YJ &e|)
BaD>b
obsV-
EN$8n
nDiU:
{XX7f
@Zf2,-
[`,@<
Rx".R
(%Y`h
rkyr7F
qGN6H
-?(4K!1V0
LabR)&Q
eIt;8
u>yi&
o],kk2
Jf9GR{H
[B\A1
;9mTJ6
XYOWJ6h)
&GGH!J
{^c~/
.<pGuw}Lk5
1Ika
v;oT]<
H-co*
"{6s{m&
Eud#d
L\0im[
Pn`Kkg
Sn4V6"
BlF%i
}/@4eDgZ
P0n.=
pkBxmC
%&of2
`$i>.
"g{:M
FDg,]
N"ZxB
0B&(O
geO~v~
di"k{E2
/7{1JS
l(+/@s
:/19-
VWzpm
(1yCGy
r\w,Jf
TDyt#
Y(@(5
WPwrG
%@@!?
<01H$
1!b//<
@4^Xb
!S&g`
$=X)w^
(cZ\6
#>+Le
Zk~|K
rY2~$
yq|:)
reO#a
qC)zS
0&m i
JlzcBN
%)Z-<
07j*F|
zW[Q7
wu*P#^
g~AILu
Z5O5~
_ G:Y
`/2|]y^
ab}7r
F{qQ}X
iqLqA1
]/F?H
F)LRaBO
)Z+ok9
&c1Ae
`3'*V
J8C5b
{3W~,
qe_:}
WD-jG
Ne{ae
$.>:/
qTA4a
e+1&}7U
]k7`d
1UFvcs
KD_)v
x2'a,_
0Y%EK!
vJ9D;
2-Jcd
B5O7'
kSgnZh
V_}T&
ZfJL7
?f*Cg
KtH\c
jMVG=
o]+0yH,
<GF3*
* x3u
*Hn$V
Kc&Ljp7
$|eJz
yk71d`%4
yesqG
Q.`=wO
,5,r_
7P-6(
2i]jX
r5t"#
Qd%FL
_it(F
mK/f|
Kd$Lv)/
TZ[^+
"L2f Q
Z'LtwI
Atv,Ow
mmoaR
Sr{\\
xnYF+L
KXz~o
(L,Sm
m#`&L6
pQ.a-a
dW()Z
=%Lvo
hnD3!
i76+*Z
s:.i( P
&h. 2Me
$~CW5&
1$hZc_T L
$nS~F
nMPzt
=) j( z
ycx7P
#2T&{
{C-{/
lgaD0
0u,Y!n,
a{Y?0
9HLHi
~Gsyz
]$L~#
m2p)u
W$O2r
YHM}]
oB~Qw
nSm`+
~uW{le
( >`9
b&Y}M
'$qoJ
TQrC1
[}!qF?
roU>6Ue*
S=5;Ca2o}
DAz$~M
gT"9z,OZ
r&3;X`
dJ0+W
g5GL>
b4k*s
!Kzqr
W63=b
jpoZ/5EKI1
U&7!}%
TUq2pv)N
SZjwP
S1"eV
hM*b!Lvz
l(# :`m
q6y;vzc0hc
d{'(Lz"
B_}tF-6
CX1q?
ziXxY
}/?JW
Mdez*N.?d
v>/ W
q>Z'su
%O7-l,_
lq8HC
k:`4a
:6%(k
P$ v"
debe~
'Zpa(
Wv<, `I~
e4VJ^
#Mw4_
N#X~Oy
FSUwZI
5N#cH(Z
U|zdO
t-ZEF
{!K-Ga
e[;&HL
S0i);A
axkI*Z
{N56Am
lIpC.
N51wJ
At?_t
d}i|^i
jrLVJ
wGO\B
X sN1
$&6Y0
``xS~
x_U6lk_
&iM"}B
4<\N~
|&_rG
\fIYi&C
(9EJn
o1bf&
:2iAzU
S~2'dC0#7
w4nkS|
5`@Ms
OYF'9;!
-ggH-
Gum,j
l${BR8c^
*0fiSg
V:Vtz
Gj39Q0
_)W\I
R>`FS
&k^k:
_..A{
ZCnW5
+hyeb/
Z{<nK
fD:ndt
m0B-_
<~dN5
$_$c7J
IA5KI
Lq~\i
Qh0qe?V]M
TnT(u6HY
>+?l-F
2rK,9r
_QPzP
*9;A'
?1iCG
>,nHO
20V|@#
yh=9E
y24L0!
(uYF%
Z,?22
YQ.w{
4JGa:
yM/N6
9s{a'T
JOTjo
#bXWb
83-)_
sGqhx
oTG01
jqL27$
<A2BAh
Ng*>W
{Gawu
;f{BX6
u0F'a
{spx8
WW80,
)y3g#
m?H \
H7#L&Wegt
*r?O#j
._I55
'cny^
@\SZ0s
@O)&x
oCvaU
?BG5S
<\_,wf
Z%7Jtji
3ut&?J#
x0;0W
@4U\"
*OU:D
Y?X^h
/#yE}9
KFL011
Lz 3y
AT?:M\B
)5Z<Gij
#1Ag)
;/WlI1A
FHW~X
Fe|XX
lM9Eb [{w
bFlk'
Y4poE
+n9_k
`B5h7
#.AcF.
\6th]U
,Z0Y)
c(~?[
=<waR#
cMT~/
K1MEI
N[rP3
|O|t9
z\)q;
x9,]\
9r2|/
>tybM
:gK1e
g6o(#
.r8H2BK
E53o1
7PQV)
Fs9Os
&x]~X+E
Av{9(
~A|LZ%gWT
|Bh=C
fRL.]
LO~!?l
E8S=y
st%w#
q?d0f
bhvt$
mR%%(
"@HW09[
ztwR'v
`n#WlI
nX&0QMzX
Rl8]*
*wXbbN7
~ymNU
,e7Hz
&vwIhU
mU8`h
lr:.!vgG
hI)VR
FSrgM
QUl`Si
~kWRO
|H}Ct
1tUQ3v
kjj;3b
C:cXP
&tg={
JJ:dS
BYd!w
!{b&C
d&+U\%
,y"QR8
F)<;iF
z8jks
n.!rfo
F #If
cq!_}X
`jZ&v:
#eC-F
bUKnK
Nj8"N;
__HrY-o
j#\;PF.
J1g^=
fax'*y
hfA.:
r4n%e
\&njM
sCro[
KC\_)
ESbKY1
iAi5E
^/'2j
/stSI
riVre
0d*Ll
G^s_v
h+u>[
d%rB{
`+#<u
+MY.o
NG/WF
%L49,
'`3-Q
=.b-LN
k7"<\
*GHk[
}7S7(
15;'N~?
G4-svb
3}+ z
y%EH);
z\uG#g?%%e<=g
ga7)&$
j11w"
bQW-U/
`7goi
9hY5-
5u$36
zG/&s
`MP83v
mSy% t
*[PK.
evf9L
W^&'e
RGG){
T =e2E*
PeBuC
9fW/c
U)H%O9 o&on
3qh{"
^` 5Z&
M(?Bz
;)?Zr
#F))2
R,(t2
S-6PA
WZ~k|
W})L2
y-F$>
P1KQS
H=. `
kfr-k
NsgC1
?P.O`*&
2AK%;@y
u4djm-
xm:qB
0<>7`hn
|n2A\
l:7NgT[wb:
=)- vn
;sP1b{
IrI*i
G:j8FQ
|j1fva*
79r~>
e>0se
9>d8t
lWLgR
~}II8!!
*1"k.9p
jLUyXK
Qi]y1
${*Rz
;W rB[
uw`S-a
aK{6R~
dR77,
c,c*`
VxlcU
saqkN4
s~]1Q
`"L4N\I
,yo)L
ha/VY
-EqRS
]E5&}cCW
?44QZv{\%
(/ X-
!i\*8
.ruO:
*0=(P
{qqj2>
y ==n
O(:V[
rgq's
-y]w7VR
ot}l]
x*L>&
'3LHQf
Ug}A9
DNff1
9n!Co}
v(>kG
k&f[iq
LcoF-l
1Q-;m
P~?{*(
&L^ar
h5E+&&
#K-VP
Yi*Ns
|O^e5
w#0\q
+G352
:/.6e
y^LI{
a({+Y
0YOj4
T?35E
Nc4r.7
L]/W5
(Z5"JL
o>[p07
dN}t`\
l|n3z
5cG{7l
! lQ:
{n>U
v\.A{
gUQk#
@{%Em
,LAki(L
m% fd:
~z1on
sQC9?_
p]IvLa
^U,ktf
h93L=
4HH("
&`a7r
Q9[*x<c
3j0U<
Y9n0m
SsUOVY
ja^GC
YV,a*
Itz+4q
Bfz<M
iB?;GJ]
,jgTQU
!L6^e
b5a<+?
jCDS7
%6ar]=2
!\yX<
^A-o#
a#[c{
oc5; x
C9ME^
BJX]tE
ssZ;V'
-.( jZ
AaBzN
mW~ST
2y5Ek
2|r*k
OD{P0
2'oTg
ve1Mk
UaGxm2
4D?;R
6]qlP
]J8(\
kI?B^
OdT=5E
MrC_.
Ii-F_l
8C-60^
5G*Tk ^
wM5%c
~N~L}
vi8Zu
T.0$[y
Fz*6W
f>dY7
um~;cIe
ovt;,g
zD.Q?5
UJQabn
MMBiO3
u=Jfgcg
[8)GZ
^uip!
6+ ,L
zO0p8
I))Zj
4qg*q0
'VFSY
x)1A?q
86p'>
o,fFIcNT(
zbD*s
JUqjX
(EJpJ
()b>!h
ush7B
tbCcKv
w"rdM
<I]K\
;5nxs
4]kQK~D
3m(Yt
QQa3d
"jF?#b
&b|3Z
xRa3+
aa,Fl
bD=R(
Ww|u>R
kj8F1b1
()zu]ty
kL<`J7
]EJP)
'EK)6p
}e.Qc
&xPZl
G1elE
J$m8I
:3Xy&
'24n1w6
sb.M,
O,Um&
!^iEq
IDATd~E
1${Zc
3Cy'%
bcB\@5
0~^jC
'xTx!
1"QhJ;
TObHj
:{kX .
+R|uh
D3kQ>7
5+1F.
Lh6z
;R9Oq
$nu2UA
;8ZC1bch
xq}7Z
~L0IS
c:n(c
l{n\1
~k^_#
_ U+ySu
O'Pl3
$&<4%
&Xity
ZYLVksUU
\?zRm
p]~Hz
UywfT
(Qi/b
|3,m*S\:
rj8BI
lX(Fpoa
3:n&w
DtMtp
Nt+lE
kF`M]
K2FFC
MaB[X
w"^@
1bCUO$l
0zmO.
TYm/S&
*@Rd0
bDF)L
5?Y9l
Mc6}O
lXVl0B
dV4#e
hwW]L
LBElA
m<YuL
NO~]l&@l
`q<X|
jr6mc|
as:Dk
97O-d
C-86L
Qd*11S
V0jef
.u6p.
{:gnH lK
1Gk*S
gAZ(6n
R8FyQ
=S?*Mt
/ [x2
w)Bl`
&>e\7
M_Mh
w|NU{
3N(CC
tFmI!hY
S|?);#
AS-Ij
etgn'
F4+{N
b|iUL
`r{6VP
m?2cm%
/w6pTB;
CtH"s
M3)wl
4\De~
"f18.
Ws2-&c6
B-x4w
HYE,E
^b~aD
oG57W
v][o.Z
W10D}Y1
K#99m:
r'|==
d3K*o
Lt[tU8
M|j<c
i1u}!
-IT<s
^>T0Q
.)8#@T
,:IB\,c&
F[*IS
5Z0AC\
+1+Xm
'0w>EQl
G3uMc
Hb]Gu
{B$&*@
95{yS
j=XO_:9KF<
->1gs6q
=RUlP<
9_f&gGH
$=X5{
NcTt{
v4.{I+
gVx}d
L*[<p
VjY^Y
0YEKN
m?kqY
KntX&
2~\wv>;L
8s8[Jv
yoe&-
PVbi}
X?9&.
D5p98
@c{m&Hz
C);
g)aYk
r8AbR
k8Y8Vf
`mK;b
r_K)R
d`i-~
#jQi<U
{1O6g1
? zA0
\JehX"
U\XqB.
$\'?q
z|53b
_3wR0
[01#W
rlJ^='&
-3IjHR
TLC!U<
UtMmCq
cQuy<
k9EkXe
~R8 w
;:ObRb
bLbrY
er8AE
9JS_s6
h=&L|
KRz}j
#LiQ
auSwr
w,lm#
a8mkd
.F&CZ%
k*Y7w$eQ
4uJ!3
{A<_6B
i=(,+c
cpn:M
$Ou~xU
L0eIO
~%o=\Ik|
;.V4&
~#\qMaD
KA=lz
^4o_?AE=
oLz4e
NF'a4G
0"EW?
fnCBVm1~9yY
1Gx"s
@]gfm+
o'L8O
OIIvP
krgZ7
p~T-CM
k1Pg9
0z;D0q
AQe/f
]1"/
c:Wftn2
~hAYa
mC8g]G
VJv?2
`|mkj
V3#hE%
K/bU1
j5{^80f]8
d5F*o
fkPeN
aRJ$]W
)0t!H
m-+v7
;[0Eo
)g}j0s
& j9]
6TqX.F
DZ'E3f
?1"kf8
]X,L2
7p/5r;Q
3([lAp=[
7s7q?2K
j`,,b
RZVgtmm"S
6%LVC
lYY~!O
^gdEK
mN6`M
n"E{ g
VKNrb
kqnvk
eh\>]
3!H{4
nN,Z,
*FlJf!
&u/q`
<cvsq
0mp:+
o|"ci|n
}_s"Z
FmU1l%:
2'ilr
YCfl>
mK.S9=`
;`-1)C
YC|ly
+)([@
zc`V_
?ZekS+
a,9iFT
#})Uf
Lb:t'i`;
UeJyW
T*GcY
y[V1b
wawOw>[$
"@3eB
E-obZ
' hE/
kDnt'
l zUa
THTBl
/8Ioa
7=-9W
dNgl*
_fbnjMg
a'e>i
-m>gf
KKw!2
GS_6W
!+Aa2
aUj*G
c&3ow&
3\+xNFXU
u&/SU
|-'L6_
qcHh2
*5>*
9ys;F
OB)y^
l+zZE
dr{7UEKI
tLkSh
L&C=Zc7
teB_s
q1D9O'?$
ui>J6
n;r>n$
)q9y(5
cL9Nf
>Y3n`i
<NASn
f\U["
u50-_
uGv{G
s}Z6-$s
n!Q/y
BwF9|`
ru9Vv27{
dw`Ie
/`gUg^
_N]C?
k*YP5
O>\cvt
KWzSN
~z8w?
T=A#9
Mm:98
U_r_^d
RHHm%N
70F;^
n/z_(
'xA!K
h](I6p
)v=JB
zU=p_
&,ihF
<3/5Y
7aup>
3v}FQz
G{0`S
^fub"
ndoLd
gr*q<
1W[~?
wxj,<
?\agH-
a$o-j
l8oBgS
9e#*P
=2s13
IA+U=
a\68A5
l^'=#
^@t]K
}U)@M
a$tpc
/S-<\t
<c[j^P
Ls\Vl
+B6q>
BiTg$ rF
$rF"Vy
<ao{_J+
x,?Iad
^~DUa
cU&jo>
?. ,$p
6]LX0
WwF+|
5E;"W
Y[s >
]\{4krh
bO16?
KrT.m
Y|t=#
ky{B|5t3
'lp&9A
;z0MC7
( zO6
ML?bY#
4Wu95d=_
DT~"+
rjz85
/l}mid&
5?*)*f
+ (.s
Z\M'b]
u:Mn(
h{&c9
e}y[.
$ZG**ZE
zZ]l{6
$b2fp
wi<})
6l&L*Q
VRl0j~y~-
'e3f3
TZ(7;
"&t?Kt
ti7f[
bmw8pl
F5B?.
`u/B*
.)w4X
+U8W7
)1q%E
k-j\8AN
iDUt6
G=fO9w*|
mer23
'LP9DJ
6;`f"C
D-6(#F
[-vPT
'Y"Lp
D3/{|w))nu
5c{Q=0
CHOsU
'0o)#
.%QEi
!Ofo"-
#5tO3v
.NK[1
]+-.)y
yyj4m[
9T=bJ
'~/G;
SR.\%'x
SuQAT
;Mi"f
9kFYS
{b&)Ea,
d.%RnX
HTBGR
OVILV
h2v{#YW
QAtk]_
p|b+ X
r-r+M"
O>NnFT
&jp/v
;-6Dq
bMo7#
^,*1a
FS'b9y
;EY?WI
&r~yR
ce~{1b
IY?C<
e.7NMR
*ZaM}
,5&kf
Wqx&F
t,QJ{
^dy|U
S[~+z
mGugox"
iw60t
OF_7B
p>1z-
yvwB~
,RzTy
v4#{`
0k_3t
Aq%'8~SAT
SaRJv
r<sZ%b
`?~I b
8}"=L
?Lvl"
&iSH7W
_hYGaSk"q
iHe%EOq
X`www
dh-i#L6
u?V1Kq
~]_P)
^Apa7
!\%nP
<l)R|
4t^Li[
LdsjC.
U#:lM!
Xw()M
z:b"L
SSM[U
J;c?}*]w
0drO|
!%:bw
?hPYM{u
,=N?}
$ Xp3
xR{+b
/8Vp'iE
( VV>v3
_UQk[
\Q*3T1
r') &
_2eXM
&F R1
QcDIe
g9$Ll
Ol)-
*iINh
,Y?=_
,|)_S
3tfXd:>
e{/|v
qt,zn^
2L6q%
GCET[Ciqg
EdI{E
l{.vm
3F4&(
rdR9Jetcl
=\;%X
,2,\)
FdO-OB
86t m
:3|B7
uYvN3
83k"?
8_lQR
&;j1[o
PIi/ t
9l<AG
1)p#>
VOh4x?
:;CM[
Uj}q:
Tq&7I
v"lU,
&NZGc5
Pa2vt
Q8{;C
3ZHHFm
,MXP$z
KBK;f
#nF!M
hnU"$
\Gh/o
.4j`I
][>b]
+!ZbDk
% "L$
[{%c+P
pO-+n
0})7ZUc
K[Sqg
Z1u1/
b9Dq#
k5]j%
Nc%m7
iAHK}Z
Sc|F\!
}G)o#
PA)9-`
n'{_:
8t ON
(!ZIF
0<8\MV
DYO%m6eK
;1ff65e
qF?b-
Gw'01
-LT1B
na)*Y
!erCV
o3lJ!i
jjtF9
=Lu=X& 4
bEUT<mzw
e(+ >
}Y9m.:
bK|?6
p:g;5
l5+<-
'if&9
Vf(@cmJ
{W qz9V
ewi.x
s%9{6
z]ab
Y}]/[
"8c_R#
#rp]&
d=~[.
aXq2s#71
$ZP|d;
zb;l<q
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
"!##$$%
Succes
Ongeldige input
Gebruik de pijltjes toetsen.
Geen valide input probeer opnieuw
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
| Welkom bij Sokoban |
| |
| Betekenis van de symbolen | Doel van het spel |
| | |
| spatie : outerspace | Duw met de truck |
|
: muur | De krat(ten) |
|
: vloer | naar de bestemming |
| O : krat | |
| 0 : krat op bestemming | |
| x : bestemming | |
| @ : truck | |
| ~ : valkuil | |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> Kies een doolhof (1 - 6), s = stop
Level Completed!!!
doolhof
mKEpFksRyVfoXhXyopT
GetType
CoreModel.Setup
GetMethod
Delet eSetup
Invoke
Sokoban
Sokoban.Properties.Resources
CoreModel4
CoreModel4
mKEpFksRyVfoXhXyopT
j.#s.+
.Cs.K
.Properties.Resources
EntryPoint
Invoke
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
CoreModel
FileVersion
1.0.0.0
InternalName
CoreModel.dll
LegalCopyright
Copyright
2020
LegalTrademarks
OriginalFilename
CoreModel.dll
ProductName
CoreModel
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
Oracle Corporation
FileDescription
VirtualBox Manager
FileVersion
6.0.6.0
InternalName
xCdlmDVDFdbEdQbyC.exe
LegalCopyright
Copyright
2009-2019 Oracle Corporation
LegalTrademarks
OriginalFilename
xCdlmDVDFdbEdQbyC.exe
ProductName
VirtualBox
ProductVersion
6.0.6.0
Assembly Version
6.0.6.0

Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean MicroWorld-eScan Clean FireEye Generic.mg.b76512014f74e255
CAT-QuickHeal Clean McAfee Clean Cylance Unsafe
Zillya Clean SUPERAntiSpyware Clean Sangfor Malware
K7AntiVirus Clean Alibaba Clean K7GW Clean
Cybereason malicious.7858ee Arcabit Clean TrendMicro Clean
Baidu Clean F-Prot Clean Symantec ML.Attribute.HighConfidence
TotalDefense Clean APEX Malicious Paloalto Clean
ClamAV Clean Kaspersky UDS:DangerousObject.Multi.Generic BitDefender Clean
NANO-Antivirus Clean AegisLab Clean Rising Clean
Ad-Aware Clean TACHYON Clean Sophos Clean
Comodo Clean F-Secure Clean DrWeb Clean
VIPRE Clean Invincea heuristic McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Trapmine Clean CMC Clean Emsisoft Clean
SentinelOne Clean Cyren Clean Jiangmin Clean
Webroot Clean Avira Clean Fortinet Clean
Antiy-AVL Clean Kingsoft Clean Endgame malicious (high confidence)
Microsoft Trojan:Win32/Sonbokli.A!cl ViRobot Clean ZoneAlarm UDS:DangerousObject.Multi.Generic
Avast-Mobile Clean Cynet Clean AhnLab-V3 Clean
Acronis Clean ALYac Clean MAX Clean
VBA32 Clean Malwarebytes Clean Zoner Clean
ESET-NOD32 Clean TrendMicro-HouseCall Clean Tencent Clean
Yandex Clean Ikarus Win32.Outbreak eGambit Clean
GData Clean BitDefenderTheta Gen:[email protected] AVG Clean
Panda Clean CrowdStrike win/malicious_confidence_90% (W) Qihoo-360 Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.2 60934 1.1.1.1 53
192.168.1.2 64006 1.1.1.1 53
192.168.1.2 137 192.168.1.255 137

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.2 49186 13.107.42.23 443 3b483d0b34894548b602e8d18cdc24c5 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name schtasks.exe
PID 4560
Dump Size 177152 bytes
Module Path C:\Windows\System32\schtasks.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:20:03
MD5 7b4dc9ed3093e72f4cf77c2bdc3db4dd
SHA1 93babde701503e03d8b0fad43665a9a38070dd52
SHA256 49413721977636607706ed250cc3cb164b7c3bda15fd06521194b21ab8ce3a3f
CRC32 1AC79B06
Ssdeep 3072:R0ZcOtWf+29dx4OAiyWYhnL8tXkkCuNwNDj3oI6HtnsGBGATCx:RecOtc73he6Utuc3oX3GAm
Dump Filename 49413721977636607706ed250cc3cb164b7c3bda15fd06521194b21ab8ce3a3f
Download Download Zip
Process Name svchost.exe
PID 840
Dump Size 20992 bytes
Module Path C:\Windows\System32\svchost.exe
Type PE image: 32-bit executable
PE timestamp 2009-07-13 23:19:28
MD5 c0b0122e117e99f1ade252828315fb9d
SHA1 371064bbd2df36c633c0d771c84d2eaac1252e98
SHA256 bf9479cfdc9a3ec4276e3aea046a7a01af41fdfc13ad7a7f19d718e120941ad5
CRC32 429EE1F4
Ssdeep 384:lscCMolF1B05Qh+oNqM+ZU/Aqe6ifFUOLg2JQaW9C5bW9odW:ejsnoI1ZwU6ifFbQaw
Dump Filename bf9479cfdc9a3ec4276e3aea046a7a01af41fdfc13ad7a7f19d718e120941ad5
Download Download Zip
Process Name Invoice UT05-222546.pdf.exe
PID 4360
Dump Size 285184 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
Type PE image: 32-bit executable
PE timestamp 2020-06-17 13:09:34
MD5 0e3fede598a8153f7f108115767f4553
SHA1 87f821d153f438d00ca2e92719c7fc50d24dffd0
SHA256 d689825e018733cf66ebb0c1367edebaf372dd95f7cf373d8f515e63c91fefdf
CRC32 9530CB1A
Ssdeep 3072:UxN9InliUbzdqRVLnczsDl0OdQCfQuaXCc8Jma5geLyq7tHo6gqc3AeE9bWtl:UHSdqRVLnjewQuaXp8pgOy+ot6Kt
CAPE Yara
  • AgentTeslaV2 Payload - Author: ditekshen
Dump Filename d689825e018733cf66ebb0c1367edebaf372dd95f7cf373d8f515e63c91fefdf
Download Download Zip
Defense Evasion Privilege Escalation Execution Persistence
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task

    Processing ( 2.128 seconds )

    • 0.537 BehaviorAnalysis
    • 0.478 Static
    • 0.338 CAPE
    • 0.277 VirusTotal
    • 0.215 static_dotnet
    • 0.078 Deduplicate
    • 0.052 ProcDump
    • 0.037 Dropped
    • 0.034 TargetInfo
    • 0.03 NetworkAnalysis
    • 0.025 AnalysisInfo
    • 0.015 Strings
    • 0.006 peid
    • 0.005 Debug
    • 0.001 Suricata

    Signatures ( 0.4960000000000001 seconds )

    • 0.091 antiav_detectreg
    • 0.036 infostealer_ftp
    • 0.032 territorial_disputes_sigs
    • 0.021 infostealer_im
    • 0.021 masquerade_process_name
    • 0.019 antianalysis_detectreg
    • 0.018 antiav_detectfile
    • 0.014 ransomware_files
    • 0.011 stealth_timeout
    • 0.011 infostealer_bitcoin
    • 0.01 api_spamming
    • 0.01 decoy_document
    • 0.01 antivm_vbox_keys
    • 0.009 antianalysis_detectfile
    • 0.009 infostealer_mail
    • 0.008 NewtWire Behavior
    • 0.008 ransomware_extensions
    • 0.007 antivm_vbox_files
    • 0.007 antivm_vmware_keys
    • 0.005 Doppelganging
    • 0.005 antivm_generic_disk
    • 0.005 persistence_autorun
    • 0.005 antivm_parallels_keys
    • 0.005 antivm_xen_keys
    • 0.004 InjectionCreateRemoteThread
    • 0.004 Unpacker
    • 0.004 antiemu_wine_func
    • 0.004 Locky_behavior
    • 0.004 geodo_banking_trojan
    • 0.004 predatorthethief_files
    • 0.004 qulab_files
    • 0.003 dynamic_function_loading
    • 0.003 injection_createremotethread
    • 0.003 malicious_dynamic_function_loading
    • 0.003 mimics_filetime
    • 0.003 virus
    • 0.003 antivm_generic_diskreg
    • 0.003 antivm_vpc_keys
    • 0.002 InjectionProcessHollowing
    • 0.002 antidebug_guardpages
    • 0.002 antivm_generic_scsi
    • 0.002 betabot_behavior
    • 0.002 bootkit
    • 0.002 encrypted_ioc
    • 0.002 exec_crash
    • 0.002 exploit_heapspray
    • 0.002 hancitor_behavior
    • 0.002 infostealer_browser_password
    • 0.002 injection_runpe
    • 0.002 kibex_behavior
    • 0.002 kovter_behavior
    • 0.002 network_tor
    • 0.002 reads_self
    • 0.002 stealth_file
    • 0.002 antidbg_devices
    • 0.002 antivm_vmware_files
    • 0.002 browser_security
    • 0.002 disables_browser_warn
    • 0.001 InjectionInterProcess
    • 0.001 PlugX
    • 0.001 antiav_avast_libs
    • 0.001 antidbg_windows
    • 0.001 antivm_generic_services
    • 0.001 antivm_vbox_libs
    • 0.001 exploit_getbasekerneladdress
    • 0.001 exploit_gethaldispatchtable
    • 0.001 hawkeye_behavior
    • 0.001 infostealer_browser
    • 0.001 kazybot_behavior
    • 0.001 ransomware_message
    • 0.001 rat_nanocore
    • 0.001 OrcusRAT Behavior
    • 0.001 shifu_behavior
    • 0.001 stack_pivot
    • 0.001 tinba_behavior
    • 0.001 vawtrak_behavior
    • 0.001 antivm_xen_keys
    • 0.001 antivm_hyperv_keys
    • 0.001 antivm_vbox_devices
    • 0.001 ketrican_regkeys
    • 0.001 modify_proxy
    • 0.001 bypass_firewall
    • 0.001 codelux_behavior
    • 0.001 darkcomet_regkeys
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 rat_pcclient
    • 0.001 recon_fingerprint

    Reporting ( 11.493 seconds )

    • 11.438 BinGraph
    • 0.052 MITRE_TTPS
    • 0.003 PCAP2CERT