Detections

Yara: Formbook

Auto Tasks

#6725: Unpacker

Analysis

Category: FILE
Package: exe
Started: 2020-06-05 14:54:20
Completed: 2020-06-05 15:00:24
Duration: 364 seconds
Options: procdump = yes

Log:
2020-05-13 09:08:13,555 [root] INFO: Date set to: 20200605T14:54:19, timeout set to: 200
2020-06-05 14:54:19,046 [root] DEBUG: Starting analyzer from: C:\tmpnwhtwc92
2020-06-05 14:54:19,062 [root] DEBUG: Storing results at: C:\BYqEnp
2020-06-05 14:54:19,062 [root] DEBUG: Pipe server name: \\.\PIPE\YRCiMu
2020-06-05 14:54:19,062 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-05 14:54:19,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 14:54:19,062 [root] INFO: Automatically selected analysis package "exe"
2020-06-05 14:54:19,062 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-05 14:54:19,093 [root] DEBUG: Imported analysis package "exe".
2020-06-05 14:54:19,093 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-05 14:54:19,093 [root] DEBUG: Initialized analysis package "exe".
2020-06-05 14:54:19,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 14:54:19,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 14:54:19,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 14:54:19,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 14:54:19,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 14:54:19,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 14:54:19,281 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 14:54:19,296 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 14:54:19,296 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 14:54:19,328 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 14:54:19,328 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 14:54:19,328 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 14:54:19,328 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 14:54:19,343 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 14:54:19,343 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 14:54:19,343 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 14:54:19,343 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 14:54:19,343 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 14:54:19,343 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 14:54:19,359 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 14:54:19,359 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 14:54:22,828 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 14:54:22,859 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 14:54:22,968 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 14:54:22,968 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 14:54:22,984 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 14:54:23,015 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 14:54:23,015 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 14:54:23,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 14:54:23,046 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 14:54:23,046 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 14:54:23,046 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 14:54:23,046 [root] DEBUG: Started auxiliary module Browser
2020-06-05 14:54:23,046 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 14:54:23,062 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 14:54:23,062 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 14:54:23,062 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 14:54:23,062 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 14:54:23,062 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 14:54:23,062 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 14:54:23,062 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 14:54:24,015 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 14:54:24,015 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 14:54:24,031 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 14:54:24,031 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 14:54:24,031 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 14:54:24,031 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 14:54:24,046 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 14:54:24,062 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 14:54:24,062 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 14:54:24,062 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 14:54:24,062 [root] DEBUG: Started auxiliary module Human
2020-06-05 14:54:24,062 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 14:54:24,062 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 14:54:24,062 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 14:54:24,062 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 14:54:24,062 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 14:54:24,062 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 14:54:24,062 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 14:54:24,062 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 14:54:24,078 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 14:54:24,078 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 14:54:24,078 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 14:54:24,078 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 14:54:24,078 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 14:54:24,078 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 14:54:24,078 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 14:54:24,078 [root] DEBUG: Started auxiliary module Usage
2020-06-05 14:54:24,078 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-05 14:54:24,078 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-05 14:54:24,078 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-05 14:54:24,078 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-05 14:54:26,875 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw.exe" with arguments "" with pid 2912
2020-06-05 14:54:26,890 [lib.api.process] INFO: Monitor config for process 2912: C:\tmpnwhtwc92\dll\2912.ini
2020-06-05 14:54:26,890 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:26,890 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\nohkTNr.dll, loader C:\tmpnwhtwc92\bin\oZWjrOZ.exe
2020-06-05 14:54:27,062 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\YRCiMu.
2020-06-05 14:54:27,078 [root] DEBUG: Loader: Injecting process 2912 (thread 5632) with C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:54:27,078 [root] DEBUG: Process image base: 0x00010000
2020-06-05 14:54:27,078 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:27,078 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:27,078 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:54:27,078 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2912
2020-06-05 14:54:29,078 [lib.api.process] INFO: Successfully resumed process with pid 2912
2020-06-05 14:54:29,687 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:54:29,687 [root] DEBUG: Process dumps disabled.
2020-06-05 14:54:29,703 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2912 at 0x68640000, image base 0x10000, stack from 0x365000-0x370000
2020-06-05 14:54:29,796 [root] INFO: loaded: b'2912'
2020-06-05 14:54:29,796 [root] INFO: Loaded monitor into process with pid 2912
2020-06-05 14:54:29,812 [root] DEBUG: set_caller_info: Adding region at 0x00270000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-05 14:54:29,812 [root] DEBUG: set_caller_info: Adding region at 0x01510000 to caller regions list (ntdll::RtlDispatchException).
2020-06-05 14:54:29,828 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-05 14:54:29,828 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1510000
2020-06-05 14:54:29,828 [root] INFO: ('dump_file', 'C:\\BYqEnp\\CAPE\\2912_4525950002914195562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?0x01510000;?', ['2912'], 'CAPE')
2020-06-05 14:54:30,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BYqEnp\CAPE\2912_4525950002914195562020 (size 0xffe)
2020-06-05 14:54:30,046 [root] DEBUG: DumpRegion: Dumped stack region from 0x01510000, size 0x1000.
2020-06-05 14:54:30,046 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00270000.
2020-06-05 14:54:30,062 [root] DEBUG: set_caller_info: Adding region at 0x00510000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-05 14:54:30,265 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x60ffff
2020-06-05 14:54:30,281 [root] DEBUG: DumpMemory: Nothing to dump at 0x00510000!
2020-06-05 14:54:30,281 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00510000 size 0x100000.
2020-06-05 14:54:30,281 [root] INFO: ('dump_file', 'C:\\BYqEnp\\CAPE\\2912_15836662883014195562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?0x00510000;?', ['2912'], 'CAPE')
2020-06-05 14:54:30,296 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BYqEnp\CAPE\2912_15836662883014195562020 (size 0x2cffe)
2020-06-05 14:54:30,296 [root] DEBUG: DumpRegion: Dumped stack region from 0x00510000, size 0x2d000.
2020-06-05 14:54:30,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc4 amd local view 0x703E0000 to global list.
2020-06-05 14:54:30,312 [root] DEBUG: DLL loaded at 0x703E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-05 14:54:30,312 [root] DEBUG: DLL unloaded from 0x76020000.
2020-06-05 14:54:30,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 amd local view 0x00370000 to global list.
2020-06-05 14:54:30,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x00370000 to global list.
2020-06-05 14:54:30,328 [root] DEBUG: DLL loaded at 0x74330000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 14:54:30,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69060000 for section view with handle 0xd4.
2020-06-05 14:54:30,343 [root] DEBUG: DLL loaded at 0x69060000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-05 14:54:30,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6B9D0000 for section view with handle 0xd4.
2020-06-05 14:54:30,343 [root] DEBUG: DLL loaded at 0x6B9D0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-05 14:54:30,375 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2912, handle 0xf4.
2020-06-05 14:54:30,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00190000 to global list.
2020-06-05 14:54:30,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc amd local view 0x001A0000 to global list.
2020-06-05 14:54:30,390 [root] INFO: Disabling sleep skipping.
2020-06-05 14:54:30,390 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2912.
2020-06-05 14:54:30,390 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2912.
2020-06-05 14:54:30,390 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2912.
2020-06-05 14:54:30,406 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2912.
2020-06-05 14:54:30,406 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2912.
2020-06-05 14:54:30,406 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e8 amd local view 0x05670000 to global list.
2020-06-05 14:54:30,406 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2912.
2020-06-05 14:54:30,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1fc amd local view 0x667E0000 to global list.
2020-06-05 14:54:30,437 [root] DEBUG: DLL loaded at 0x667E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-05 14:54:30,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x208 amd local view 0x6A350000 to global list.
2020-06-05 14:54:30,593 [root] DEBUG: DLL loaded at 0x6A350000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-05 14:54:30,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x77020000 to global list.
2020-06-05 14:54:30,609 [root] DEBUG: DLL loaded at 0x77020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-05 14:54:30,609 [root] DEBUG: set_caller_info: Adding region at 0x00370000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-05 14:54:30,625 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x37ffff
2020-06-05 14:54:30,625 [root] DEBUG: DumpMemory: Nothing to dump at 0x00370000!
2020-06-05 14:54:30,625 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00370000 size 0x10000.
2020-06-05 14:54:30,625 [root] INFO: ('dump_file', 'C:\\BYqEnp\\CAPE\\2912_6816314155014195562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?0x00370000;?', ['2912'], 'CAPE')
2020-06-05 14:54:30,656 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BYqEnp\CAPE\2912_6816314155014195562020 (size 0x456)
2020-06-05 14:54:30,656 [root] DEBUG: DumpRegion: Dumped stack region from 0x00370000, size 0x1000.
2020-06-05 14:54:30,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x220 amd local view 0x65DD0000 to global list.
2020-06-05 14:54:30,703 [root] DEBUG: DLL loaded at 0x65DD0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-05 14:54:30,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x65C30000 for section view with handle 0x220.
2020-06-05 14:54:30,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x64320000 to global list.
2020-06-05 14:54:30,734 [root] DEBUG: DLL loaded at 0x64320000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-05 14:54:31,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 amd local view 0x00390000 to global list.
2020-06-05 14:54:31,249 [root] DEBUG: OpenProcessHandler: Image base for process 2912 (handle 0x24): 0x00010000.
2020-06-05 14:54:31,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x24 amd local view 0x003B0000 to global list.
2020-06-05 14:54:31,531 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 amd local view 0x65450000 to global list.
2020-06-05 14:54:31,531 [root] DEBUG: DLL loaded at 0x65450000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-05 14:54:33,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c amd local view 0x687B0000 to global list.
2020-06-05 14:54:33,078 [root] DEBUG: DLL loaded at 0x687B0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni (0x3f3000 bytes).
2020-06-05 14:54:33,093 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 14:54:33,109 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 14:54:33,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 amd local view 0x63770000 to global list.
2020-06-05 14:54:33,843 [root] DEBUG: DLL loaded at 0x63770000: C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni (0xbad000 bytes).
2020-06-05 14:54:34,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x62460000 for section view with handle 0x22c.
2020-06-05 14:54:34,421 [root] DEBUG: DLL loaded at 0x62460000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni (0x1307000 bytes).
2020-06-05 14:54:35,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B80000 for section view with handle 0x224.
2020-06-05 14:54:35,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E160000 for section view with handle 0x220.
2020-06-05 14:54:35,125 [root] DEBUG: DLL loaded at 0x6E160000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-05 14:54:35,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AE0000 for section view with handle 0x220.
2020-06-05 14:54:35,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x737A0000 for section view with handle 0x22c.
2020-06-05 14:54:35,234 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-05 14:54:35,249 [root] DEBUG: DLL loaded at 0x731D0000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-05 14:54:35,312 [root] DEBUG: set_caller_info: Adding region at 0x00200000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-05 14:54:35,312 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x20ffff
2020-06-05 14:54:35,312 [root] INFO: ('dump_file', 'C:\\BYqEnp\\CAPE\\2912_5775352725514195562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?0x00200000;?', ['2912'], 'CAPE')
2020-06-05 14:54:35,343 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BYqEnp\CAPE\2912_5775352725514195562020 (size 0xeb)
2020-06-05 14:54:35,343 [root] DEBUG: DumpRegion: Dumped stack region from 0x00200000, size 0x1000.
2020-06-05 14:54:37,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x23c amd local view 0x003E0000 to global list.
2020-06-05 14:54:38,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x244 amd local view 0x6B520000 to global list.
2020-06-05 14:54:38,968 [root] DEBUG: DLL loaded at 0x6B520000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni (0xc8000 bytes).
2020-06-05 14:54:39,328 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x013C0000 for section view with handle 0x23c.
2020-06-05 14:54:39,531 [root] DEBUG: DLL loaded at 0x753D0000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-05 14:54:39,687 [root] INFO: ('dump_file', 'C:\\Users\\Rebecca\\AppData\\Local\\Temp\\AddInProcess32.exe', '', False, 'files')
2020-06-05 14:54:39,703 [root] DEBUG: set_caller_info: Adding region at 0x00210000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-05 14:54:39,703 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x21ffff
2020-06-05 14:54:39,718 [root] INFO: ('dump_file', 'C:\\BYqEnp\\CAPE\\2912_7803410255914195562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?0x00210000;?', ['2912'], 'CAPE')
2020-06-05 14:54:39,734 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BYqEnp\CAPE\2912_7803410255914195562020 (size 0xb504)
2020-06-05 14:54:39,734 [root] DEBUG: DumpRegion: Dumped stack region from 0x00210000, size 0xd000.
2020-06-05 14:54:39,765 [root] INFO: ('dump_file', 'C:\\Users\\Rebecca\\AppData\\Local\\Temp\\AddInProcess32.exe', '', False, 'files')
2020-06-05 14:54:39,875 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-05 14:55:04,953 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 2912, image base 0x00010000.
2020-06-05 14:55:04,953 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00010000.
2020-06-05 14:55:04,953 [root] DEBUG: DumpProcess: Invalid PE file or invalid PE header.
2020-06-05 14:55:04,953 [root] DEBUG: ResumeThreadHandler: Failed to dump PE image from buffer.
2020-06-05 14:55:04,953 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2912.
2020-06-05 14:55:04,968 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2912.
2020-06-05 14:55:04,984 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 4132
2020-06-05 14:55:04,984 [lib.api.process] INFO: Monitor config for process 4132: C:\tmpnwhtwc92\dll\4132.ini
2020-06-05 14:55:04,984 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:55:05,000 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\nohkTNr.dll, loader C:\tmpnwhtwc92\bin\oZWjrOZ.exe
2020-06-05 14:55:05,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\YRCiMu.
2020-06-05 14:55:05,015 [root] DEBUG: Loader: Injecting process 4132 (thread 5348) with C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:05,031 [root] DEBUG: Process image base: 0x00C30000
2020-06-05 14:55:05,031 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:55:05,031 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:55:05,031 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:05,031 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4132
2020-06-05 14:55:05,046 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-05 14:55:05,078 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4132, ImageBase: 0x00C30000
2020-06-05 14:55:05,078 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 4132
2020-06-05 14:55:05,078 [lib.api.process] INFO: Monitor config for process 4132: C:\tmpnwhtwc92\dll\4132.ini
2020-06-05 14:55:05,078 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:55:05,078 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\nohkTNr.dll, loader C:\tmpnwhtwc92\bin\oZWjrOZ.exe
2020-06-05 14:55:05,093 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\YRCiMu.
2020-06-05 14:55:05,093 [root] DEBUG: Loader: Injecting process 4132 (thread 5348) with C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:05,109 [root] DEBUG: Process image base: 0x00C30000
2020-06-05 14:55:05,109 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:55:05,109 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:55:05,109 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:05,109 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4132
2020-06-05 14:55:05,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2d0 amd local view 0x6A740000 to global list.
2020-06-05 14:55:05,187 [root] DEBUG: DLL loaded at 0x6A740000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni (0x45000 bytes).
2020-06-05 14:55:09,890 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 4132 (ImageBase 0x400000)
2020-06-05 14:55:09,890 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-05 14:55:09,890 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x04579C30.
2020-06-05 14:55:09,890 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x0457AC30 to 0x045A6630).
2020-06-05 14:55:09,906 [root] INFO: ('dump_file', 'C:\\BYqEnp\\CAPE\\2912_2653907763717195562020', b'3;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\VJeFkngLWmw.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\AddInProcess32.exe;?4132;?', ['2912'], 'CAPE')
2020-06-05 14:55:09,968 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x2ca00.
2020-06-05 14:55:09,968 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x4579c30, SizeOfImage 0x2d000.
2020-06-05 14:55:09,968 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 4132
2020-06-05 14:55:09,968 [lib.api.process] INFO: Monitor config for process 4132: C:\tmpnwhtwc92\dll\4132.ini
2020-06-05 14:55:09,968 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:55:09,968 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\nohkTNr.dll, loader C:\tmpnwhtwc92\bin\oZWjrOZ.exe
2020-06-05 14:55:10,000 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\YRCiMu.
2020-06-05 14:55:10,000 [root] DEBUG: Loader: Injecting process 4132 (thread 0) with C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:10,000 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDF000 Local PEB 0x7FFDF000 Local TEB 0x7FFDB000: The operation completed successfully.
2020-06-05 14:55:10,000 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 14:55:10,000 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-05 14:55:10,000 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:10,015 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4132, error: 4294967281
2020-06-05 14:55:11,015 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-05 14:55:11,015 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 4132
2020-06-05 14:55:11,015 [lib.api.process] INFO: Monitor config for process 4132: C:\tmpnwhtwc92\dll\4132.ini
2020-06-05 14:55:11,015 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:55:11,015 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\nohkTNr.dll, loader C:\tmpnwhtwc92\bin\oZWjrOZ.exe
2020-06-05 14:55:11,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\YRCiMu.
2020-06-05 14:55:11,046 [root] DEBUG: Loader: Injecting process 4132 (thread 0) with C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:11,046 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDF000 Local PEB 0x7FFDE000 Local TEB 0x7FFDF000: The operation completed successfully.
2020-06-05 14:55:11,046 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 5348, handle 0xa4
2020-06-05 14:55:11,046 [root] DEBUG: Process image base: 0x00C30000
2020-06-05 14:55:11,062 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:55:11,062 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:55:11,062 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:11,062 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4132
2020-06-05 14:55:12,062 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 4132
2020-06-05 14:55:12,062 [lib.api.process] INFO: Monitor config for process 4132: C:\tmpnwhtwc92\dll\4132.ini
2020-06-05 14:55:12,062 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:55:12,062 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\nohkTNr.dll, loader C:\tmpnwhtwc92\bin\oZWjrOZ.exe
2020-06-05 14:55:12,093 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\YRCiMu.
2020-06-05 14:55:12,109 [root] DEBUG: Loader: Injecting process 4132 (thread 0) with C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:12,109 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDF000 Local PEB 0x7FFDF000 Local TEB 0x7FFD9000: The operation completed successfully.
2020-06-05 14:55:12,109 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 14:55:12,109 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-05 14:55:12,109 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:12,125 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4132, error: 4294967281
2020-06-05 14:55:15,625 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0001E2C0 (process 4132).
2020-06-05 14:55:15,625 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 4132
2020-06-05 14:55:15,640 [lib.api.process] INFO: Monitor config for process 4132: C:\tmpnwhtwc92\dll\4132.ini
2020-06-05 14:55:15,640 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:55:15,640 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\nohkTNr.dll, loader C:\tmpnwhtwc92\bin\oZWjrOZ.exe
2020-06-05 14:55:15,656 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\YRCiMu.
2020-06-05 14:55:15,656 [root] DEBUG: Loader: Injecting process 4132 (thread 5348) with C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:15,656 [root] DEBUG: Process image base: 0x00400000
2020-06-05 14:55:15,656 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:15,656 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 14:55:15,671 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\nohkTNr.dll.
2020-06-05 14:55:15,671 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4132
2020-06-05 14:55:17,687 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4132.
2020-06-05 14:55:17,703 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-05 14:55:17,703 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:55:17,703 [root] DEBUG: DLL unloaded from 0x69060000.
2020-06-05 14:55:17,703 [root] DEBUG: Process dumps disabled.
2020-06-05 14:55:17,718 [root] DEBUG: DLL unloaded from 0x703E0000.
2020-06-05 14:55:17,718 [root] WARNING: Unable to open termination event for pid 2912.
2020-06-05 14:55:17,734 [root] INFO: Disabling sleep skipping.
2020-06-05 14:55:17,765 [root] INFO: ('dump_file', 'C:\\BYqEnp\\CAPE\\4132_10176459121715195562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\AddInProcess32.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\AddInProcess32.exe;?0x00030000;?', ['4132'], 'CAPE')
2020-06-05 14:55:17,828 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BYqEnp\CAPE\4132_10176459121715195562020 (size 0x12a)
2020-06-05 14:55:17,843 [root] DEBUG: DumpRegion: Dumped stack region from 0x00030000, size 0x1000.
2020-06-05 14:55:17,859 [root] DEBUG: DLL loaded at 0x00650000: C:\tmpnwhtwc92\dll\nohkTNr (0xd5000 bytes).
2020-06-05 14:55:17,859 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-05 14:55:17,875 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-05 14:55:17,890 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-05 14:55:17,890 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-05 14:55:17,890 [root] DEBUG: set_caller_info: Adding region at 0x00070000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:55:17,906 [root] INFO: ('dump_file', 'C:\\BYqEnp\\CAPE\\4132_18891268441715195562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\AddInProcess32.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\AddInProcess32.exe;?0x00070000;?', ['4132'], 'CAPE')
2020-06-05 14:55:18,203 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BYqEnp\CAPE\4132_18891268441715195562020 (size 0x12a)
2020-06-05 14:55:18,203 [root] DEBUG: DumpRegion: Dumped stack region from 0x00070000, size 0x1000.
2020-06-05 14:55:18,203 [root] DEBUG: DLL loaded at 0x00650000: C:\tmpnwhtwc92\dll\nohkTNr (0xd5000 bytes).
2020-06-05 14:55:18,203 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-05 14:55:18,203 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-05 14:55:18,218 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-05 14:55:18,218 [root] DEBUG: set_caller_info: Adding region at 0x00080000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:55:18,234 [root] INFO: ('dump_file', 'C:\\BYqEnp\\CAPE\\4132_1943234541815195562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\AddInProcess32.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\AddInProcess32.exe;?0x00080000;?', ['4132'], 'CAPE')
2020-06-05 14:55:18,296 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BYqEnp\CAPE\4132_1943234541815195562020 (size 0x12a)
2020-06-05 14:55:18,312 [root] DEBUG: DumpRegion: Dumped stack region from 0x00080000, size 0x1000.
2020-06-05 14:55:18,328 [root] DEBUG: DLL loaded at 0x00650000: C:\tmpnwhtwc92\dll\nohkTNr (0xd5000 bytes).
2020-06-05 14:55:18,328 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-05 14:55:18,328 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-05 14:55:18,328 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-05 14:55:18,328 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-05 14:55:18,328 [root] DEBUG: DLL unloaded from 0x00650000.
2020-06-05 14:55:22,328 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-05 14:57:49,843 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 14:57:49,843 [lib.api.process] ERROR: Failed to open terminate event for pid 2912
2020-06-05 14:57:49,843 [root] INFO: Terminate event set for process 2912.
2020-06-05 14:57:49,843 [root] INFO: Created shutdown mutex.
2020-06-05 14:57:50,843 [root] INFO: Shutting down package.
2020-06-05 14:57:50,843 [root] INFO: Stopping auxiliary modules.
2020-06-05 14:57:50,937 [lib.common.results] WARNING: File C:\BYqEnp\bin\procmon.xml doesn't exist anymore
2020-06-05 14:57:50,937 [root] INFO: Finishing auxiliary modules.
2020-06-05 14:57:50,937 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 14:57:50,937 [root] WARNING: Folder at path "C:\BYqEnp\debugger" does not exist, skip.
2020-06-05 14:57:50,953 [root] WARNING: Monitor injection attempted but failed for process 4132.
2020-06-05 14:57:50,953 [root] INFO: Analysis completed.

Machine

Name         win7_1
Label        win7_1
Manager      KVM
Started On   2020-06-05 14:54:20
Shutdown On  2020-06-05 15:00:24

File Details

File Name VJeFkngLWmw
File Size 545280 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2019-09-01 20:12:13
MD5 b2f556607df50936eb1c0664034427ba
SHA1 7ca4894a3804e721e85d31941bec38170099226e
SHA256 41f341ae994cf53488e0a96a6a531c9ef26c31ad763b7f858b278657051be31d
SHA512 a1ded171b38c3e5a37dba096e8c04b19c7cd3e46587b7681c00df2baad1e28a2ac917857e0c59de7448ed353383dc6b75c4f2cd93804028e05223bada11b471a
CRC32 EB874299
Ssdeep 6144:VaUDG3Kp1D6VEJD6LpypZ5xw6ZzzyJ9VecftKGjiqG4ErnbST6n+lDAAG8:VaUDd76VEt6QpZ5x+ltBmqG4ErmdAAr
Yara
  • shellcode_get_eip - Match x86 that appears to fetch $PC. - Author: William Ballenthin
  • shellcode_stack_strings - Match x86 that appears to be stack string creation. - Author: William Ballenthin
CAPE Yara
  • Formbook Payload - Author: Felix Bilstein - yara-signator at cocacoding dot com

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2912 triggered the Yara rule 'embedded_pe'
Hit: PID 2912 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 2912 triggered the Yara rule 'shellcode_stack_strings'
Hit: PID 2912 triggered the Yara rule 'Formbook'
Creates RWX memory
Guard page use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipGetImageEncodersSize
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: gdiplus.dll/GdipGetImageEncoders
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: gdiplus.dll/GdipSaveImageToStream
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: gdiplus.dll/GdipBitmapLockBits
DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/CopyFileEx
DynamicLoader: KERNEL32.dll/CopyFileExW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/CreateWaitableTimerExW
DynamicLoader: KERNEL32.dll/SetWaitableTimerEx
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ADVAPI32.dll/CreateProcessAsUser
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: ADVAPI32.dll/EventUnregister
CAPE extracted potentially suspicious content
VJeFkngLWmw.exe: Unpacked Shellcode
AddInProcess32.exe: Unpacked Shellcode
AddInProcess32.exe: Unpacked Shellcode
VJeFkngLWmw.exe: Formbook Payload: 32-bit executable
VJeFkngLWmw.exe: Formbook
VJeFkngLWmw.exe: Unpacked Shellcode
AddInProcess32.exe: Unpacked Shellcode
VJeFkngLWmw.exe: Unpacked Shellcode
VJeFkngLWmw.exe: Unpacked Shellcode
VJeFkngLWmw.exe: Unpacked Shellcode
Drops a binary and executes it
binary: C:\Users\Rebecca\AppData\Local\Temp\AddInProcess32.exe
binary: C:\Users\Rebecca\AppData\Local\Temp\AddInProcess32.exe
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw.exe:Zone.Identifier
Behavioural detection: Injection (Process Hollowing)
Injection: VJeFkngLWmw.exe(2912) -> AddInProcess32.exe(4132)
Executed a process and injected code into it, probably while unpacking
Injection: VJeFkngLWmw.exe(2912) -> AddInProcess32.exe(4132)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Network activity detected but not expressed in API logs
CAPE detected the Formbook malware family
File has been identified by 26 Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Gen:Variant.Ser.Ursu.7782
McAfee: GenericRXKW-MK!B2F556607DF5
Sangfor: Malware
BitDefender: Gen:Variant.Ser.Ursu.7782
Cyren: W32/MSIL_Kryptik.ATY.gen!Eldorado
APEX: Malicious
GData: Gen:Variant.Ser.Ursu.7782
Kaspersky: HEUR:Trojan.MSIL.Injuke.gen
Rising: Stealer.Formbook!1.C470 (CLASSIC)
Ad-Aware: Gen:Variant.Ser.Ursu.7782
Emsisoft: Gen:Variant.Ser.Ursu.7782 (B)
Invincea: heuristic
FireEye: Generic.mg.b2f556607df50936
Ikarus: Trojan-Spy.Agent
Endgame: malicious (high confidence)
Arcabit: Trojan.Ser.Ursu.D1E66
ZoneAlarm: HEUR:Trojan.MSIL.Injuke.gen
Microsoft: Trojan:Win32/Wacatac.C!ml
AhnLab-V3: Malware/Win32.Generic.C1035359
ALYac: Gen:Variant.Ser.Ursu.7782
MAX: malware (ai score=82)
Malwarebytes: Ransom.HiddenTear
SentinelOne: DFI - Malicious PE
Fortinet: MSIL/Kryptik.WEL!tr
BitDefenderTheta: Gen:[email protected]
CrowdStrike: win/malicious_confidence_80% (D)

Hosts

Direct  IP       Country Name
Y       8.8.8.8  United States
Y       1.1.1.1  Australia

DNS

Name Response Post-Analysis Lookup
www.kountrygirljewelry.com
www.joomlas123.com 199.192.16.98
www.fitnesscrosshome.com
www.ai-jingdong.com
www.cyzj168.com 23.104.208.200
www.glowychloe.com 184.168.221.45
www.bavariaimmolounge.com

Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw.exe.config
C:\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\System32\api-ms-win-core-quirks-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Users
C:\Users\Rebecca
C:\Users\Rebecca\AppData
C:\Users\Rebecca\AppData\Local
C:\Users\Rebecca\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\2Jq\*
C:\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\psapi.dll
C:\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw.exe:Zone.Identifier
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Input.Manipulations\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Input.Manipulations.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\ReachFramework\v4.0_4.0.0.0__31bf3856ad364e35\ReachFramework.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationUI\v4.0_4.0.0.0__31bf3856ad364e35\PresentationUI.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35\System.Printing.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\2Jq.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\2Jq.resources\2Jq.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\2Jq.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en-US\2Jq.resources\2Jq.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\Rebecca\AppData\Local\Temp\en\2Jq.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\2Jq.resources\2Jq.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\2Jq.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\2Jq.resources\2Jq.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
C:\Users\Rebecca\AppData\Local\Temp\AddInProcess32.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll.aux
C:\Windows\System32\ntdll.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw.exe.config
C:\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Users\Rebecca\AppData\Local\Temp\AddInProcess32.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll
C:\Windows\System32\ntdll.dll
C:\Users\Rebecca\AppData\Local\Temp\AddInProcess32.exe
C:\Users\Rebecca\AppData\Local\Temp\VJeFkngLWmw.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VJeFkngLWmw.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.WindowsBase__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.WindowsBase__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationCore__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationCore__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationTypes__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationTypes__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationProvider__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationProvider__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.ReachFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.ReachFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationUI__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationUI__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Printing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Printing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|VJeFkngLWmw.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|VJeFkngLWmw.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|VJeFkngLWmw.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Microsoft.Build.Utilities.v4.0__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Microsoft.Build.Utilities.v4.0__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Microsoft.Build.Framework__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Microsoft.Build.Framework__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Install
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Install
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
kernel32.dll.GetFullPathNameW
kernel32.dll.GetCurrentProcessId
advapi32.dll.LookupPrivilegeValueW
kernel32.dll.GetCurrentProcess
advapi32.dll.AdjustTokenPrivileges
kernel32.dll.CloseHandle
kernel32.dll.OpenProcess
psapi.dll.EnumProcessModules
psapi.dll.GetModuleInformation
psapi.dll.GetModuleBaseNameW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
psapi.dll.GetModuleFileNameExW
kernel32.dll.DeleteFileW
ntdll.dll.NtQuerySystemInformation
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.CompareStringOrdinal
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
kernel32.dll.ResolveLocaleName
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipGetImageEncodersSize
kernel32.dll.LocalAlloc
gdiplus.dll.GdipGetImageEncoders
kernel32.dll.LocalFree
gdiplus.dll.GdipSaveImageToStream
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.#10
gdiplus.dll.GdipCreateBitmapFromStream
gdiplus.dll.GdipBitmapLockBits
gdiplus.dll.GdipBitmapUnlockBits
kernel32.dll.GetTempPathW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.CopyFileExW
bcrypt.dll.BCryptGetFipsAlgorithmMode
ntdll.dll.NtQueryInformationThread
kernel32.dll.CreateWaitableTimerExW
kernel32.dll.SetWaitableTimerEx
ole32.dll.CoUninitialize
advapi32.dll.CreateProcessAsUserW
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptGenRandom
ole32.dll.CoCreateGuid
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
advapi32.dll.EventUnregister
gdiplus.dll.GdipDisposeImage
cryptsp.dll.CryptReleaseContext
oleaut32.dll.#500
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
"C:\Users\Rebecca\AppData\Local\Temp\AddInProcess32.exe"


PE Information

Image Base: 0x00400000
Entry Point: 0x0046d57e
Reported Checksum: 0x00000000
Actual Checksum: 0x0008cfc4
Minimum OS Version: 4.0
Compile Time: 2019-09-01 20:12:13
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Icon Exact Hash: dbd719ab32c34e9fce7e1651de39ec57
Icon Similarity Hash: 0a2feb248825b36367a4eefc13f0e162

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x0006b584 0x0006b600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.03
.rsrc 0x0006b800 0x0006e000 0x00019655 0x00019800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.44
.reloc 0x00085000 0x00088000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00075ed0 0x00010828 LANG_NEUTRAL SUBLANG_NEUTRAL 3.98 None
RT_ICON 0x00075ed0 0x00010828 LANG_NEUTRAL SUBLANG_NEUTRAL 3.98 None
RT_ICON 0x00075ed0 0x00010828 LANG_NEUTRAL SUBLANG_NEUTRAL 3.98 None
RT_ICON 0x00075ed0 0x00010828 LANG_NEUTRAL SUBLANG_NEUTRAL 3.98 None
RT_ICON 0x00075ed0 0x00010828 LANG_NEUTRAL SUBLANG_NEUTRAL 3.98 None
RT_GROUP_ICON 0x000866f8 0x0000004c LANG_NEUTRAL SUBLANG_NEUTRAL 2.80 None
RT_VERSION 0x00086744 0x000002bc LANG_NEUTRAL SUBLANG_NEUTRAL 3.48 None
RT_MANIFEST 0x00086a00 0x00000c55 LANG_NEUTRAL SUBLANG_NEUTRAL 5.01 None

Imports


Assembly Information

Name 2Jq
Version 1.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0
System 4.0.0.0
System.Windows.Forms 4.0.0.0
System.Drawing 4.0.0.0
PresentationFramework 4.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 9356116e-cc1f-4f71-a864-47c031b8d1
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 5.8.11.
Assembly [mscorlib]System.Reflection.AssemblyTrademarkAttribute S!i85R*q#6zL

Type References

Assembly Type Name
mscorlib System.Object
System System.ComponentModel.Component
System System.ComponentModel.IContainer
mscorlib System.Type
mscorlib System.Reflection.Assembly
mscorlib System.Reflection.MethodInfo
System.Windows.Forms System.Windows.Forms.UserControl
System System.Configuration.ApplicationSettingsBase
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System.Drawing System.Drawing.Bitmap
mscorlib System.ValueType
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
PresentationFramework System.Windows.ThemeInfoAttribute
PresentationFramework System.Windows.ResourceDictionaryLocation
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
mscorlib System.Byte
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Array
mscorlib System.RuntimeFieldHandle
System System.ComponentModel.IComponent
mscorlib System.Reflection.IReflect
mscorlib System.Math
mscorlib System.Char
mscorlib System.IDisposable
System System.ComponentModel.Container
mscorlib System.String
mscorlib System.IO.FileLoadException
mscorlib System.Reflection.MethodBase
mscorlib System.RuntimeTypeHandle
System System.Configuration.SettingsBase

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
1This progrqm cannot bu run in DOc mode.
.text
@.reloc
3Txis p
ogram0uannot te
un {n DOS
>twxt
`.rsr
R.reloc
*BeJB
"v4.0.3B319
#Stri
#YUID
Clsss1
dule>
UO`Y_FI^E_RESdSRTABLE
PR_GREeS_CONTkNUE
va~ue_o
sorlib
Tota|B
tesTra
sverrev
Streq
BytesT
sferrev
EndIn
BeyinIn
oldF{lu
rceFi|w
hDest{na
ionXile
gFileNs}e
lpNwwFiluNsme
owressdoutinu
CopyPr
grussR
utine
oultica
tDe|egste
GuivQttrib
ggableSt
Comf{sibleA
trybutw
Targe
Framew
tr{bute
emblyXileVur
ionAtt
irute
XlagsA
ribute
Co}pilstionRe
axatio
ritute
imeCo
patiri~ityAtt
irute
fotalFy~eSize
etruamS{ze
amSize
OuhiiMei
yncCsllbac{
callbauk
pbCan
el3B.d~l
Systwm>Reflwction
UopyProyre
sCa~lbackR
Cal|baukReaso
reaso
pyProg
Hanvler
Intbtr
em.Diay~ostic
.Runti
e>Inte
opSer
te}.Ru
time.C
mpilereervyce
DebugyyngModws
yXileFlays
yFlag
StreamTytuTra
objeut
cResul
CopyP
sdesult
UopyFi|wEx
l+/sB
NonExuepti
nfhrows
$15UEAUDC-EA00-45X8-8D67?8BDGCCTEAC70
1.B.0.0
.NEfF
rk,Ve
Xramewo
kDisplsyNa}e
@NET Frs}ework24.5
CJ\Use
s\Swi
uh\sourue\
\stub\eopyEx\achiyMe{\Ochii_ui\objnReleqsw\kilo.
_CorD~lMai~
am3ca
bx r
n |n0WOS3mowe.
.txxt
%)joD
%-:&~
#v4A0.F03D9
6GU\D
_>9r_8r0
ORutdMeesQb_rH_C
gxt_fca
TtsksA
ryftr
Rxad\n
Yunv`2
umAIO
llxct
.Gxne
ac~Tr
Imtge_os~Mowe
\mazu
ertbl
nt|me`e
{od[anwle
pekanwle
om[anw|e
Revta
gxt_`od
_Mtin`
eaamx
Frtme
zetrDev|a
inzTy
etrRe
emASo
zetrCu
howBa
ilxrGxne
tr|bu
ZuiwAt
DxbuzgquleTtt
tr|bu
Tssxmb
riuut
ar~At
iuutx
amxwo
tr|bu
yF|leyer
ryuutx
fizur
Tssxmb
riuutx
mp|la
axtti
nsdtt
emulycrow
riuut
yr|gh
iuutx
tr|bu
imxCo
ib|li
aw|ngAImtwi
emQRu
m.Wra
Oc{ii`ui
tzrdvgtAdl
stxm.Zlouql|za
stxm.eef
_Awti
sxt_sos|ti
{od\nf
re\nf
mbxrI
b|tmt
zetrBm
tT|mefta
emALi
eeawer
rmttP
ov|du
ylwer
urvuMtnazer
>D|ag
Rxad`Re
stxm.eun
ymx.I
opver
emARu
u.Vom
ilxrS
rv|ce
xm.ees
urvus
Deuugzin
Mowes
imtgu
\mazeT
stxm.gxrxad|ngATa
ocxss
_BtseTdd
lovkB|
agxFo
GxtOujevt
velxct
p_Xxp
zetrEn
rysoi
\nsxr
umATe
ChtrQ
gxt_T
Zethnt
oCtpavit
Exvep
bcx|iMxi
ig{t
$6DC6G9bv-7Ed5P43De-Kb0F-HyccJ13H25EG
1A0.S.0
ANUgFrtme
or~<Vxrs|onPv4Q5
'Frtmu
or~Di
Ntme%.NXT ira
rk34>H
RcWSG
#C:oUsxrsoS
|tc{\s
urvu\
s\bch
iMxi\bch|i]xi\
bjoRe
grwcg
rux.d
qm3ca
n |n WOc3mowe.
.txxt
=BS]R
vG.0A30F1I
#ftr|nw
#GhID
#U|ou
eeawUI
Rxad\ntV2
RetdU\~tI4
eeawIn
RetdU\n
eeawIn
_UgF8#<M
msvor
ib#Sy
l|xct|on
.Gx~e
wMxth
eeqwDo
~t|megypxHa
puYro
Rxadfinzle#Da
eT|me
riuut
DxbuzgauluTtt
tr|bu
yT|tlxQt
riuutx
Trtdu
ar~At
TtrgxtF
amxwo
Tssx}b
yF|leier
fizurtti
tr|bu
Tssxmb
riuutx
qxtti
nsTtt
e}ulycrowuc
riuutx
ymxCo
eeawSB
RetdB
te#fv
E~vod|ng
nt|meQVe
eeawSt
Ovhi|Me|
adWec|ma
sfxsdy.d
ryftr
bxadUoo
stxm.eef
RxatVha
Rxadxr
ryeeawer
.cvto
stxm.Wia
emARu
u.\ntxro
vives
nt|meASo
erfer
gw|ng`odxs
euawBy
.Txxt
betdDttaTrr
ChtrA
Rxadbbjxctdrrty
)WrtpN
Oc{iy`ei
D.0A0.S
-.NXTV
amxwo
k,iur
=vG.5$
kD|sp
ayaqmx
.aET3Fr
or~ 4A5
rux.d
1_hts+p}orr|m+clnyo
mu+r
n+iy OOn xooe9
@9rplzc
*MSUB
D9093;3<9
rtnrs
.G`IO
.Bwom
Cwa~s<
m~szrwim
o~amlp
untai}t
awM|csiye
wramlpA
t}i}u
Czmai~ymlpA
t}imu
A~spmml
dttweLt
Ls~exbw
_rldpmlrvA
t}imu
F}axe
Ls~exbwyQi
eae}stoyA
Cznqir
iznLt
Ls~exrwyOe~c}i{t
t}imu
Czm{iwa
n]ewa
iz~~A
t}imu
A~spmml
ountLt
Ls~exbw
No{y}irh
t}imu
Czm{a
]uyttmpCzm
imiwi
tpm9R
ixu9Vpr~izntn
_o^t}iyg
_nhtiXet
gz.olw
oTtpm
^y~tpm9Rpvwenttoy
arexeytZbuuntNowlpc
b}iro
Ml~lgpmpn
Spa}cse}
arexeytZbuuntPn
mprlt
GptPn
.ntzr
ex.Oilwyo~ttc~
tpm9R
ixu9Iytprzp^e
vtcps
ux.]uyttmp.^oxptlpr^e}
iygXooe~
ytliys
Mln|gpmpn
Blsp_mjpc
oo`p{e}Iyvl
.Xayarexey
gptjC
MzvpNpx
zpjE|ulltt
!W}a{NznPx~e{ttoyTsrz
OnhtiXut
+2;2;
/eB0=aoA;-?0;[email protected];2D4?8o
1909090
9NPTQr|mpwzrv,ae}
F}axe
o}{Oi~pwa
9NPT+F}axu
o}k+495
N:gU~e}swS
cs\~o
negrppzsgs
zrgOnhtiXe
\ZcsitMpig
mjgRplpa~ewb}iro9pob
_^o}DwlXatn
}~czrpe9dwl
%-'&~
%- r=
&+IrK
v4.0.30319
#Strings
#GUID
#Blob
sefresf.exe
CompilationRelaxationsAttribute
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
DebuggableAttribute
System.Diagnostics
DebuggingModes
AssemblyTitleAttribute
System.Reflection
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
AssemblyFileVersionAttribute
NeutralResourcesLanguageAttribute
System.Resources
TargetFrameworkAttribute
System.Runtime.Versioning
SecurityAction
System.Security.Permissions
SecurityPermissionAttribute
UnverifiableCodeAttribute
System.Security
Object
System
Environment
SpecialFolder
StringBuilder
System.Text
HashAlgorithm
System.Security.Cryptography
Dictionary`2
System.Collections.Generic
MemoryStream
System.IO
FileStream
StreamReader
Assembly
MethodInfo
System.Threading.Tasks
FileInfo
IEnumerable`1
SHA256
HMACSHA256
CryptoStream
CompilerGeneratedAttribute
Func`2
IOException
SuppressUnmanagedCodeSecurityAttribute
STAThreadAttribute
FlagsAttribute
ValueType
WaitHandle
System.Threading
DebuggerNonUserCodeAttribute
ResourceManager
CultureInfo
System.Globalization
IntPtr
String
Stream
IDisposable
FileMode
FileAccess
FileShare
tReader
SHA256Managed
Buffer
Array
RuntimeTypeHandle
MethodBase
Boolean
StringComparison
Registry
Microsoft.Win32
ICollection`1
Thread
AppDomain
FileSystemInfo
RuntimeHelpers
RuntimeFieldHandle
FormatException
Encoding
ArgumentNullException
SymmetricAlgorithm
CipherMode
PaddingMode
ICryptoTransform
CryptoStreamMode
Assembl
AssemblyBuilder
System.Reflection.Emit
AssemblyBuilderAccess
ModuleBuilder
MethodBuilder
MethodAttributes
CallingConventions
CallingConvention
CharSet
MethodImplAttributes
Module
Exception
Convert
BitConverter
SafeWaitHandle
Microsoft.Win32.SafeHandles
Directory
DirectoryInfo
System.Security.Policy
SecurityZone
SecuritySafeCriticalAttribute
Hashtable
System.Collections
Monitor
BigInteger
System.Numerics
AesManaged
Enumerable
System.Linq
ProcessModule
Process
ProcessStartInfo
GeneratedCodeAttribute
System.CodeDom.Compiler
EditorBrowsableState
System.ComponentModel
EditorBrowsableAttribute
ApplicationSettingsBase
System.Configuration
DeflateStream
System.IO.Compression
CompressionMode
ProcessWindowStyle
SettingsBase
MessageBox
System.Windows.Forms
DialogResult
MessageBoxButtons
MessageBoxIcon
ToolLocationHelper
Microsoft.Build.Utilities
TargetDotNetFrameworkVersion
<Module>
Settings
OchiiMui.Properties
<PrivateImplementationDetails>
value__
defaultInstance
7055A2F403C8B3C8EA89F335FC49F53CF9DC9A3A6DEC741B5D926DE625B01C69
7D3491FE890B07592E4FABA25F6579A781E2D2974AD2C8AB6273EB3C560799CD
E1F63F08A918FDBC014CB4B7415458E9CB31EFA47EE2C8D0045577B352008148
<>9__9_0
<>9__9_1
.cctor
.ctor
get_Default
<Decode>b__9_1
installFolder
folder
packageCount
ptionsComp
filename
start
length
arraBytes
keyName
valueName
value
parameters
index
ltPath
input
bytearrayBytes
second
timestamp
aesProvider
functionName
hToken
lpApplicationName
lpCommandLine
lpProcessAttributes
lpThreadAttributes
bInheritHandles
dwCreationFlags
lpEnvironment
lpCurrentDirectory
lpStartupInfo
lpProcessInformation
tring
mpatible
ocessHandle
inputData
execPath
installPath
startupFolder
fileName
arguments
ToString
GetType
GetFolderPath
get_Is64BitOperatingSystem
ExpandEnvironmentVariables
FailFast
get_NewLine
get_Exi
AppendFormat
Append
ComputeHash
ToArray
GetTypes
GetEntryAssembly
get_Location
op_Inequality
Delay
get_Length
OpenRead
GetTypeFromHandle
GetMethod
GetMethods
get_Assembly
WaitOne
Close
get_SafeWaitHandle
get_Size
Concat
Contains
Empty
Equals
get_Chars
IndexOf
Replace
IsNullOrEmpty
op_Equality
Combine
GetFileNameWithoutExtension
GetFullPath
GetTempPath
GetRandomFileName
WriteAllBytes
WriteAllText
Delete
Write
ReadBytes
CopyTo
Dispose
ReadToEnd
BlockCopy
Invoke
GetValue
GetDomain
Sleep
get_CurrentDomain
DefineDynamicAssembly
get_FullName
InitializeArray
get_UTF8
GetString
set_KeySize
set_BlockSize
set_Mode
set_Padding
set_Key
set_IV
CreateDecryptor
DefineDynamicModule
DefinePInvokeMethod
CreateGlobalFunctions
SetImplementationFlags
get_InnerException
SizeOf
ToUInt32
ToInt32
ToChar
ToInt16
GetBytes
Parent
CreateFromUrl
get_SecurityZone
ContainsKey
get_Item
set_Item
op_Implicit
op_Multiply
op_Addition
ToByteArray
SequenceEqual
TakeWhile
Count
Repeat
Reverse
SkipWhile
get_ModuleName
get_FileName
GetProcessesByName
GetCurrentProcess
get_MainModule
GetProcessById
GetProcesses
Start
set_StartInfo
set_FileName
set_Arguments
set_WindowStyle
set_CreateNoWindow
set_UseShellExecute
set_RedirectStandardError
set_RedirectStandardInput
set_RedirectStandardOutput
Synchronized
GetPathToDotNetFramework
get_C
Default
advapi32.dll
kernel32
CreateProcessAsUser
DeleteFile
sefresf
System.Core
Microsoft.Build.Utilities.v4.0
/hM=./R]=.resource
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
WrapNonExceptionThrows
Microsoft.Win32.Primitives
Microsoft Corporation
.NET Framework
Copyright
2020
$17d94699-8c6e-44ff-858a-97fb98fec4ca
1.0.0.0
.NETFramework,Version=v4.5
FrameworkDisplayName
.NET Framework 4.5
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
SkipVerification
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPAD
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
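In raw `strings` output of the dumped loader, the .NET #Strings heap names appear with one byte in roughly every eleven shifted by 0x10 ('e' printed as 'u', 'i' as 'y', 'l' as '|'), and long names split wherever the shifted byte is no longer printable. The following is an added example, not code from this report or from the sample, showing how such a periodic single-byte offset can be recovered automatically: every candidate (period, phase, offset) triple is scored by how many identifiers that the C# compiler emits into practically every assembly reappear once the shift is undone. The heap bytes, the period 11, phase 3 and offset 0x10 used to damage them, and the known-identifier list are constructed here and are assumptions; on a real dump, read the file into `buf` instead.

```python
"""Recover a periodic single-byte offset from a damaged .NET #Strings heap."""
from __future__ import annotations

# Known plaintext: names the C# compiler emits into practically every assembly,
# plus loader API names seen in this dump. Assumption: the dump is a .NET image.
KNOWN = [
    b"System.Runtime.CompilerServices",
    b"CompilationRelaxationsAttribute",
    b"AssemblyTitleAttribute",
    b"System.Security.Cryptography",
    b"CreateDecryptor",
    b"System.Reflection.Emit",
    b"DefinePInvokeMethod",
    b"CreateProcessAsUser",
    b"_CorExeMain",
    b"mscoree.dll",
]

# Constructed stand-in for a #Strings heap: NUL-separated identifiers.
CLEAN_HEAP = b"\x00".join([
    b"<Module>", b"sefresf.exe", b"System.Runtime.CompilerServices",
    b"CompilationRelaxationsAttribute", b"AssemblyTitleAttribute",
    b"System.Security.Cryptography", b"AesManaged", b"CreateDecryptor",
    b"System.IO.Compression", b"DeflateStream", b"System.Reflection.Emit",
    b"DefinePInvokeMethod", b"advapi32.dll", b"CreateProcessAsUser",
    b"mscorlib", b"_CorExeMain", b"mscoree.dll",
]) + b"\x00"


def shift_every(buf: bytes, period: int, phase: int, delta: int) -> bytes:
    """Add `delta` (mod 256) to every `period`-th byte starting at `phase`.
    Used here both to damage the sample and, with a negative delta, to repair."""
    out = bytearray(buf)
    for i in range(phase, len(out), period):
        out[i] = (out[i] + delta) & 0xFF
    return bytes(out)


def extract_strings(buf: bytes, min_len: int = 4) -> list[bytes]:
    """Minimal `strings`: runs of printable ASCII at least min_len bytes long.
    Shows why one shifted byte splits a long identifier into two short runs."""
    runs, cur = [], bytearray()
    for b in buf:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(bytes(cur))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(bytes(cur))
    return runs


def score(buf: bytes) -> int:
    """How many known identifiers occur intact in buf."""
    return sum(1 for k in KNOWN if k in buf)


def recover_shift(buf: bytes, max_period: int = 16):
    """Brute-force (period, phase, delta) whose undo makes the most known
    identifiers reappear. Returns (best_score, params); params is None when
    no candidate beats the untouched buffer."""
    best_score, best = score(buf), None
    for period in range(2, max_period + 1):
        for phase in range(period):
            for delta in range(1, 256):
                s = score(shift_every(buf, period, phase, -delta))
                if s > best_score:
                    best_score, best = s, (period, phase, delta)
    return best_score, best


def repair(buf: bytes) -> bytes:
    """Recover the parameters and undo the shift; unchanged if nothing helps."""
    _, params = recover_shift(buf)
    if params is None:
        return buf
    period, phase, delta = params
    return shift_every(buf, period, phase, -delta)


# Damage the constructed heap the way the dump above looks:
# assumed period 11, phase 3, +0x10 on the hit byte.
DAMAGED_HEAP = shift_every(CLEAN_HEAP, 11, 3, 0x10)

if __name__ == "__main__":
    print("damaged :", [s.decode() for s in extract_strings(DAMAGED_HEAP)][:6])
    print("params  :", recover_shift(DAMAGED_HEAP))
    print("repaired:", [s.decode() for s in extract_strings(repair(DAMAGED_HEAP))][:6])
```

The same known-plaintext scoring works when the damage is an XOR rather than an addition (change `+ delta` to `^ delta`), and the search over `range(1, 256)` then recovers an unknown single-byte key. On a real heap, widen `KNOWN` with attribute names the assembly must contain and raise `max_period` if no candidate beats the baseline; a correct repair is the unique strict maximum, because any other period either leaves a shifted byte inside a long identifier or damages an intact one.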
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
=IDATx^
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
>IDATx^
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
.text
n DOS mode.
RichW
!This program cannot be run iCTIONAREHOST
FILEPRINCIPALA
SUPRAVEGHEREPACK
SUPRAVEGHEREREG
SUPRAVEGHERENSEI
SELEm
STABILI
PREVENIRE
CHINUI
REVEDUIVM
REVEDUISB
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
,M)5'
$*#-)
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
A;=lQ
+Z85$
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Lr!8%
i%j*+p
}sp5o
H:-cb
xK:-,
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
nY)%-y+V
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
xPjY8
8YZ8=4
8.F!-
)W!=e
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
72-({9
i-}.,X
C+%>_
4Ti%k
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
q1}UV
75KEA
l4"Lq.^
0|~OM=]b
[x&V^TYJv
:K7oqVO
Q=!F`
#E!.]nYX;
c&73E
LV%$h
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
vdh#l
g`PK*
#985m
ZIq*f
Yzq{[
/E+B8
_XMfu
;)F`C
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
RD|23
o?i~_
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
:?aHDs"
0a]U;
I' SY
0]aPp
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
~hqls7s
]0-}M
W>LtK
C.xEB
UuesP~1
k,$!{C
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
K=B,R
%UCfT
joIMC
4T2IE
iXBG/
~O/Oem
b/eQ!a
OZZuE
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
GVdI(
k.b{:
kd\-w
i8IzX
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
u1Z%KZ
D0 ~SRV
F< {M4-}
j[.GU
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
iTWg)
91HKg:
*HO,5_
F+T&"{
,K7?E
~?a-(B
%gS_B_
|YFpS
J=9Y[
;!'_C
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
MVv;!"
jG t)@
,Q]ln~K)
/Tlnb
')v}0
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Xzr>\/
m/W*Y
Q2[ho
KL*?]
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
}k'9,z
}{X[+
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
9FBNGu|W
9FBNGu.W
FBNGt
2012f
2016f
2008f
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
&"8Mx
a|-eg
')&['
2iQ-Au
*NfF_
*oj<r
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
m_B72K
3JpD7b
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
;nb~g
5h{;L
Z-*)a
y>B\^7
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
+W?R}
h5<*g
Yco5c
ISdtiV5E
jMLCNM
GA1pr
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
0a<~v)
dN)hr
622~Q
SP4]n
ok-aA
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
>knEH
6Nnvuh`b
Ffp6E
dP/!V
b3N{L
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
V~qim
iT&u/
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
!Go<A
:b?E`h
k*mX9
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
D8v5U
VEfoSJ
GAtlm
xogeW
@%67R
|_FH}f
/}6Qg
3rngn
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
AzkSy-v.
z^AX+
]Fq}EYrM
7&^>#
&+nTvH9
20U)J
x-oUI
BlP]?
5[NP6
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
FBNGf
FBNGu
9FBNGu
:FBNGu2j
8FBNGu
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
{u]cD\z
n$Ns?=Ae<Y
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
`}@h,
sqw\"
YDW0T&t
WBN{\
cLAf~
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
+q9,s
\my1K
_c~w=
MlSpr
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
>:ul.
m1>]*
6Z=Qf
=ZU3[
PcnxFKS
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
+21~R
(nnBv
QrE>]ef
g51l?
Lv9tU
M6Y*2
J?3Y8k
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
X!X~'
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
=wJ9aP
_.rKuNxV
3Pyh3_
~&IOE
N_0)L
+1Ef+
!%|o/o
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
<Op9qJ
~i? G
@|Tyi
RWf3Ls
4Rw<*)
{,}\r
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
?jq]IUr
CZ]r7-5
c-FY+
zBE4G
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Xyx4V
qY#2o
zO%(PT
`edpp
tBO)A
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
C5Qsh
uP"i!
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
nko^F
1.2#I
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
nGUD^
Nn\JZ
;V4f\
282o3*
GHeADj
sD`un
Jo^RFc
ADQmO
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
A~\jEI
/|]u1
-s+B[
pCk6a
ngch4
#HM d
<b7vC
z$uV>
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
C]Z!/
wNR:Y
vhEr{
n"[dH
bT9+oI
]sS}Z
[c2<{
l}%jE=
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
B9tc.
wrxXa
D)qiO)
p3EJM{t
PC<LI
/D}xS
t%:4q!
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
38HX":
$~wY%
.g:q*
_B/q{
")zZ2
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
6K%]|Y
nmhi;
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
;(45s
=bv'k|D
)&}_]Rj
n[bNq
0Z?}*!
s``%2
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
,;F& "
-cO2/
Mk3xQ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
@VWj?
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
&K?4g
jf% a
<-y6qJ
Hn[o.
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
~of(1
3CwPS
|4(>w
gzij=>Ma
=.X28
e=?>0
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
1o{X{
E324x
*'<VCU
~G|PxV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
wyx'"
dPl_
Jjf>%+".=
D:@p\
s5AU"
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
;o&+"isoIM9
QVpRaYC
TOjo%
Mi3Nq
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
ellN;
sNb+K
1>BAgz
u(5vA
8v`-;{
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
RJR'j
bs072[
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
op^QE=w
hfry"
2v"?C
ps/-q
bM{xP
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
permanently!
NUMEROTAREFILE
DISPAREA
NUMEFILADISPARUTA
Disabled
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
uu*<#u
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
H]1+P
SVWj?
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
RHWQP
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
RSSSSSSS
RWWWWWWWSW
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
<0POSTt
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
<7Uu0
<7Uu0
<7Uu4
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
owtm
*yc7v
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
5A't GT&
W^%+)
NOOh#3)#
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
PQj;WV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
XSVWj4
],,N4
3333t
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
H(WQS
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Sj4^[
<>DuG
<>CuJ
<>BuJ
<>AuJ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
3u!SV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
j\jcV
j\jdV
jwjoV
jxjpV
jxjmV
jcjnV
jsjkV
jnjlV
jcjjV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
www.u
j\jiV
j\jgV
j\jhV
j\jeV
j\jfV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
9N\}-
~\9N\|
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
@@@@@
@@@@@@
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
~zLtU
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
DESTf
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
PSVWj?
PSVWj?
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
t jKV
tWjIV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
^[SPR
RWPQV
t jKV
t}jIV
VWj?P
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QRPVW
7~4]6U
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
u!j;j&
SSSPQV
SWPQRV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
jZjAf
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
>%/C#
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
M RVWS
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
FBIMf
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
2&_!7C
`\NU9
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
rjjDV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
t?Vhts
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
_^H#E
Qj(RV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
SSSSWSV
h+Q0m
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
FHSPR
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Realf
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
RVPS8/
FHPQS
DFhPS
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
TChRW
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
9vbaU
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
E$SQRPVW
,_^[]
RSSVP
PSWQV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
PSSSSS
d_kef
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
h2N Hj
tgf9>tb
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
tMjMS
SVWj?
SVWj?
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
v3[_3
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
SRRRQV
PSRRRQV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
u}Vj(
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
S<fup
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
[_^[_^
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
wM]?\
V,SWQ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
.|QM5
YP>xy'o<
"!0xs
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Hostf
P>|cT
"-q$j
[d=g:^b
r1T1Vc?
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
uej>7
Ia$rM
cJ2!Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
ivE\y4
f,aOn
pVD1K
on.df
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cU3 =
`9frRV
byAHc
YO,)*.
|+t:Q
R_Q1J\&3(
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Portf
authf
logif
userf
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
_^]9w
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
_^[]jvW
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
V A;M
wwwwu
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
h3JREx+
C2.PT
iZ+;5
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
D{2eU
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
^[/VW
Hj0VW
Hj)VW
Hj#VW
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
STRWV
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
fV8nn
<Ar5<zw1<Zv
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
:}m%P
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
v4.0.30319
#Strings
#GUID
#Blob
A90637901F646A6C52B8764165CD5D48522207AC88B8C5A73D7485DEE06AE037
<Module>
5C7C38F27CBD4BCF32C86A4C9D263FB057C7637F88FD3A73EDFF05BA02A73C0D
System.IO
mscorlib
Synchronized
GetMethod
defaultInstance
Invoke
IDisposable
RuntimeFieldHandle
RuntimeTypeHandle
GetTypeFromHandle
ValueType
MethodBase
ApplicationSettingsBase
Dispose
EditorBrowsableState
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
ThemeInfoAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
System.Runtime.Versioning
ToString
System.Drawing
PresentationFramework
System.ComponentModel
UserControl
System
ResourceDictionaryLocation
System.Configuration
System.Globalization
System.Reflection
FileLoadException
MethodInfo
CultureInfo
Bitmap
ResourceManager
System.CodeDom.Compiler
IContainer
.ctor
.cctor
System.Diagnostics
GetMethods
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
49a676dbd432e10b2baba75e8494edce.Resources.resources
y.x.resources
DebuggingModes
GetTypes
System.Windows.Forms
RuntimeHelpers
System.Windows
Concat
GetObject
IReflect
Default
IComponent
InitializeArray
ToCharArray
get_Assembly
Empty
Nex)].
.NETFramework,Version=v4.5
FrameworkDisplayName
.NET Framework 4.5
$9356116e-cc1f-4f71-a864-47c031b8d1b2
5.8.11.14
S!i85R*q#6zLsB
WrapNonExceptionThrows
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
16.5.0.0
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="utf-8"?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<!-- UAC Manifest Options
If you want to change the Windows User Account Control level replace the
requestedExecutionLevel node with one of the following.
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
Specifying requestedExecutionLevel element will disable file and registry virtualization.
Remove this element if your application requires this virtualization for backwards
compatibility.
-->
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<!-- A list of the Windows versions that this application has been tested on
and is designed to work with. Uncomment the appropriate elements
and Windows will automatically select the most compatible environment. -->
<!-- Windows Vista -->
<!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />-->
<!-- Windows 7 -->
<!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />-->
<!-- Windows 8 -->
<!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />-->
<!-- Windows 8.1 -->
<!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />-->
<!-- Windows 10 -->
<!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />-->
</application>
</compatibility>
<!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher
DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need
to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should
also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. -->
<!--
<application xmlns="urn:schemas-microsoft-com:asm.v3">
<windowsSettings>
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
</application>
-->
<!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
<!--
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="*"
publicKeyToken="6595b64144ccf1df"
language="*"
/>
</dependentAssembly>
</dependency>
-->
</assembly>
SIO`oI
Fi~eI
ingXyl
@0B00
rna~^a
Leya|
riyin
Asswmr
ty>=j^zx{
xtn}z
z}{z}|
Xzopw
P]^TZijTYQ
}Qtwpdyqz
_}|y~wl
}tyratwpT
zx{ly
p~n}t
L9;9;
lwYlx
z9oww
rlwNz
++=K=;
xl}v~
wpylx
z9oww
Znstthpt
}~tzy
<9;9K9;
!4+2:B
6789ARCDEF
HJKLM^PQRS
UVWXYjabcd
fghij{mnop
rstuv
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
Microsoft.Win32.Primitives
CompanyName
Microsoft Corporation
FileDescription
Microsoft.Win32.Primitives
FileVersion
InternalName
sefresf.exe
LegalCopyright
ight
LegalTrademarks
OriginalFilename
sefresf.exe
.NET Framework
ProductVersion
Assembly Version
3640a2c852ecb632904f84587d9297d10
3640a2c852ecb632904f84587d9297d11
3640a2c852ecb632904f84587d9297d110
3640a2c852ecb632904f84587d9297d1100
3640a2c852ecb632904f84587d9297d1101
3640a2c852ecb632904f84587d9297d1102
3640a2c852ecb632904f84587d9297d1103
3640a2c852ecb632904f84587d9297d1104
3640a2c852ecb632904f84587d9297d1105
3640a2c852ecb632904f84587d9297d1106
3640a2c852ecb632904f84587d9297d1107
3640a2c852ecb632904f84587d9297d1108
3640a2c852ecb632904f84587d9297d1109
3640a2c852ecb632904f84587d9297d111
3640a2c852ecb632904f84587d9297d1110
3640a2c852ecb632904f84587d9297d1111
3640a2c852ecb632904f84587d9297d1112
3640a2c852ecb632904f84587d9297d1113
3640a2c852ecb632904f84587d9297d1114
3640a2c852ecb632904f84587d9297d1115
3640a2c852ecb632904f84587d9297d1116
3640a2c852ecb632904f84587d9297d1117
3640a2c852ecb632904f84587d9297d1118
3640a2c852ecb632904f84587d9297d1119
3640a2c852ecb632904f84587d9297d112
3640a2c852ecb632904f84587d9297d1120
3640a2c852ecb632904f84587d9297d1121
3640a2c852ecb632904f84587d9297d1122
3640a2c852ecb632904f84587d9297d1123
3640a2c852ecb632904f84587d9297d1124
3640a2c852ecb632904f84587d9297d1125
3640a2c852ecb632904f84587d9297d1126
3640a2c852ecb632904f84587d9297d1127
3640a2c852ecb632904f84587d9297d1128
3640a2c852ecb632904f84587d9297d1129
3640a2c852ecb632904f84587d9297d113
3640a2c852ecb632904f84587d9297d1130
3640a2c852ecb632904f84587d9297d1131
3640a2c852ecb632904f84587d9297d1132
3640a2c852ecb632904f84587d9297d1133
3640a2c852ecb632904f84587d9297d1134
3640a2c852ecb632904f84587d9297d1135
3640a2c852ecb632904f84587d9297d1136
3640a2c852ecb632904f84587d9297d1137
3640a2c852ecb632904f84587d9297d1138
3640a2c852ecb632904f84587d9297d1139
3640a2c852ecb632904f84587d9297d114
3640a2c852ecb632904f84587d9297d1140
3640a2c852ecb632904f84587d9297d1141
3640a2c852ecb632904f84587d9297d1142
3640a2c852ecb632904f84587d9297d1143
3640a2c852ecb632904f84587d9297d1144
3640a2c852ecb632904f84587d9297d1145
3640a2c852ecb632904f84587d9297d1146
3640a2c852ecb632904f84587d9297d1147
3640a2c852ecb632904f84587d9297d1148
3640a2c852ecb632904f84587d9297d1149
3640a2c852ecb632904f84587d9297d115
3640a2c852ecb632904f84587d9297d1150
3640a2c852ecb632904f84587d9297d1151
3640a2c852ecb632904f84587d9297d1152
3640a2c852ecb632904f84587d9297d1153
3640a2c852ecb632904f84587d9297d1154
3640a2c852ecb632904f84587d9297d1155
3640a2c852ecb632904f84587d9297d1156
3640a2c852ecb632904f84587d9297d1157
3640a2c852ecb632904f84587d9297d1158
3640a2c852ecb632904f84587d9297d1159
3640a2c852ecb632904f84587d9297d116
3640a2c852ecb632904f84587d9297d117
3640a2c852ecb632904f84587d9297d118
3640a2c852ecb632904f84587d9297d119
3640a2c852ecb632904f84587d9297d12
3640a2c852ecb632904f84587d9297d120
3640a2c852ecb632904f84587d9297d121
3640a2c852ecb632904f84587d9297d122
3640a2c852ecb632904f84587d9297d123
3640a2c852ecb632904f84587d9297d124
3640a2c852ecb632904f84587d9297d125
3640a2c852ecb632904f84587d9297d126
3640a2c852ecb632904f84587d9297d127
3640a2c852ecb632904f84587d9297d128
3640a2c852ecb632904f84587d9297d129
3640a2c852ecb632904f84587d9297d13
3640a2c852ecb632904f84587d9297d130
3640a2c852ecb632904f84587d9297d131
3640a2c852ecb632904f84587d9297d132
3640a2c852ecb632904f84587d9297d133
3640a2c852ecb632904f84587d9297d134
3640a2c852ecb632904f84587d9297d135
3640a2c852ecb632904f84587d9297d136
3640a2c852ecb632904f84587d9297d137
3640a2c852ecb632904f84587d9297d138
3640a2c852ecb632904f84587d9297d139
3640a2c852ecb632904f84587d9297d14
3640a2c852ecb632904f84587d9297d140
3640a2c852ecb632904f84587d9297d141
3640a2c852ecb632904f84587d9297d142
3640a2c852ecb632904f84587d9297d143
3640a2c852ecb632904f84587d9297d144
3640a2c852ecb632904f84587d9297d145
3640a2c852ecb632904f84587d9297d146
3640a2c852ecb632904f84587d9297d147
3640a2c852ecb632904f84587d9297d148
3640a2c852ecb632904f84587d9297d149
3640a2c852ecb632904f84587d9297d15
3640a2c852ecb632904f84587d9297d150
3640a2c852ecb632904f84587d9297d151
3640a2c852ecb632904f84587d9297d152
3640a2c852ecb632904f84587d9297d153
3640a2c852ecb632904f84587d9297d154
3640a2c852ecb632904f84587d9297d155
3640a2c852ecb632904f84587d9297d156
3640a2c852ecb632904f84587d9297d157
3640a2c852ecb632904f84587d9297d158
3640a2c852ecb632904f84587d9297d159
3640a2c852ecb632904f84587d9297d16
3640a2c852ecb632904f84587d9297d160
3640a2c852ecb632904f84587d9297d161
3640a2c852ecb632904f84587d9297d162
3640a2c852ecb632904f84587d9297d163
3640a2c852ecb632904f84587d9297d164
3640a2c852ecb632904f84587d9297d165
3640a2c852ecb632904f84587d9297d166
3640a2c852ecb632904f84587d9297d167
3640a2c852ecb632904f84587d9297d168
3640a2c852ecb632904f84587d9297d169
3640a2c852ecb632904f84587d9297d17
3640a2c852ecb632904f84587d9297d170
3640a2c852ecb632904f84587d9297d171
3640a2c852ecb632904f84587d9297d172
3640a2c852ecb632904f84587d9297d173
3640a2c852ecb632904f84587d9297d174
3640a2c852ecb632904f84587d9297d175
3640a2c852ecb632904f84587d9297d176
3640a2c852ecb632904f84587d9297d177
3640a2c852ecb632904f84587d9297d178
3640a2c852ecb632904f84587d9297d179
3640a2c852ecb632904f84587d9297d18
3640a2c852ecb632904f84587d9297d180
3640a2c852ecb632904f84587d9297d181
3640a2c852ecb632904f84587d9297d182
3640a2c852ecb632904f84587d9297d183
3640a2c852ecb632904f84587d9297d184
3640a2c852ecb632904f84587d9297d185
3640a2c852ecb632904f84587d9297d186
3640a2c852ecb632904f84587d9297d187
3640a2c852ecb632904f84587d9297d188
3640a2c852ecb632904f84587d9297d189
3640a2c852ecb632904f84587d9297d19
3640a2c852ecb632904f84587d9297d190
3640a2c852ecb632904f84587d9297d191
3640a2c852ecb632904f84587d9297d192
3640a2c852ecb632904f84587d9297d193
3640a2c852ecb632904f84587d9297d194
3640a2c852ecb632904f84587d9297d195
3640a2c852ecb632904f84587d9297d196
3640a2c852ecb632904f84587d9297d197
3640a2c852ecb632904f84587d9297d198
3640a2c852ecb632904f84587d9297d199
5cf3417b2448ddf86c0a86993e56e44b
jjjjj
DFHJKL
Resources
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
FileDescription
FileVersion
5.8.11.14
InternalName
REVISE INVOICE DRAFT & BL DRAFT_IMG.exe
LegalCopyright
OriginalFilename
REVISE INVOICE DRAFT & BL DRAFT_IMG.exe
ProductVersion
5.8.11.14
Assembly Version
0.0.0.0
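The 160 strings above that end in a decimal index (3640a2c852ecb632904f84587d9297d1 followed by 0 to 159) share one 32-character hexadecimal prefix. That layout is consistent with a .NET crypter storing its payload as numbered resource chunks, which is an inference from the strings, not something the report states. The Python below is an added triage helper, not CAPE code: it finds prefix-plus-index families in a strings dump and reports the prefix, first index and member count. Its input list is constructed here to mirror the report, with a few unrelated strings from the same dump mixed in; the thresholds min_prefix and min_members are editorial choices.

```python
import re
from collections import defaultdict

# Prefix copied from the report; the 160 numbered strings are rebuilt here and
# mixed with a few unrelated strings from the same dump (constructed input).
PREFIX = "3640a2c852ecb632904f84587d9297d1"
SAMPLE_STRINGS = [f"{PREFIX}{i}" for i in range(160)] + [
    "5cf3417b2448ddf86c0a86993e56e44b",
    "VS_VERSION_INFO",
    "000004b0",
    "5.8.11.14",
    "Assembly Version",
    "0.0.0.0",
]

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def candidate_splits(s):
    """Every (prefix, index) reading of a string that ends in digits.
    'abc1100' -> ('abc', 1100), ('abc1', 100), ('abc110', 0); the 'abc11' + '00'
    reading is skipped because a chunk index is not written with a leading zero."""
    m = _TRAILING_DIGITS.match(s)
    if not m:
        return []
    head, digits = m.group(1), m.group(2)
    out = []
    for cut in range(len(digits)):
        idx = digits[cut:]
        if len(idx) > 1 and idx[0] == "0":
            continue
        out.append((head + digits[:cut], int(idx)))
    return out


def chunk_families(strings, min_prefix=8, min_members=16):
    """Return [(prefix, first_index, count)] for groups of strings that are
    prefix + contiguous decimal index, largest first. Each string is credited
    to one family only, so sub-runs of a large family (the 'd110' + '0..9'
    slice of 'd1' + '0..159') do not surface as separate hits."""
    by_prefix = defaultdict(dict)            # prefix -> {index: string}
    for s in set(strings):
        for prefix, idx in candidate_splits(s):
            if len(prefix) >= min_prefix:
                by_prefix[prefix][idx] = s
    claimed, families = set(), []
    for prefix, members in sorted(by_prefix.items(), key=lambda kv: -len(kv[1])):
        live = {i: s for i, s in members.items() if s not in claimed}
        if len(live) < min_members:
            continue
        lo, hi = min(live), max(live)
        if hi - lo + 1 != len(live):         # require a gap-free index run
            continue
        claimed.update(live.values())
        families.append((prefix, lo, len(live)))
    return families


if __name__ == "__main__":
    for prefix, first, count in chunk_families(SAMPLE_STRINGS):
        print(f"{count} strings: {prefix} + {first}..{first + count - 1}")
```

The ambiguity the helper has to resolve is that a string such as 3640a2c852ecb632904f84587d9297d1100 can be read as the prefix ending in "d1" plus 100 or as the prefix ending in "d110" plus 0; grouping every reading, then keeping only gap-free index runs and crediting each string to the largest such run, picks the 160-member family and discards the smaller overlapping slices.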

Full Results

Engine Signature
Bkav Clean
MicroWorld-eScan Gen:Variant.Ser.Ursu.7782
CMC Clean
CAT-QuickHeal Clean
McAfee GenericRXKW-MK!B2F556607DF5
Cylance Clean
VIPRE Clean
Sangfor Malware
K7AntiVirus Clean
BitDefender Gen:Variant.Ser.Ursu.7782
K7GW Clean
Cybereason Clean
TrendMicro Clean
Baidu Clean
Cyren W32/MSIL_Kryptik.ATY.gen!Eldorado
Symantec Clean
TotalDefense Clean
APEX Malicious
Avast Clean
ClamAV Clean
GData Gen:Variant.Ser.Ursu.7782
Kaspersky HEUR:Trojan.MSIL.Injuke.gen
Alibaba Clean
NANO-Antivirus Clean
ViRobot Clean
AegisLab Clean
Rising Stealer.Formbook!1.C470 (CLASSIC)
Ad-Aware Gen:Variant.Ser.Ursu.7782
Emsisoft Gen:Variant.Ser.Ursu.7782 (B)
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
Invincea heuristic
Trapmine Clean
FireEye Generic.mg.b2f556607df50936
Sophos Clean
Ikarus Trojan-Spy.Agent
F-Prot Clean
Jiangmin Clean
Webroot Clean
Avira Clean
eGambit Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame malicious (high confidence)
Arcabit Trojan.Ser.Ursu.D1E66
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Trojan.MSIL.Injuke.gen
Avast-Mobile Clean
Microsoft Trojan:Win32/Wacatac.C!ml
TACHYON Clean
AhnLab-V3 Malware/Win32.Generic.C1035359
Acronis Clean
ALYac Gen:Variant.Ser.Ursu.7782
MAX malware (ai score=82)
VBA32 Clean
Malwarebytes Ransom.HiddenTear
Panda Clean
Zoner Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Tencent Clean
Yandex Clean
SentinelOne DFI - Malicious PE
MaxSecure Clean
Fortinet MSIL/Kryptik.WEL!tr
BitDefenderTheta Gen:[email protected]
AVG Clean
Paloalto Clean
CrowdStrike win/malicious_confidence_80% (D)
Qihoo-360 Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.2 51822 1.1.1.1 53
192.168.1.2 54383 1.1.1.1 53
192.168.1.2 54628 1.1.1.1 53
192.168.1.2 60565 1.1.1.1 53
192.168.1.2 60934 1.1.1.1 53
192.168.1.2 61149 1.1.1.1 53
192.168.1.2 61170 1.1.1.1 53
192.168.1.2 61709 1.1.1.1 53
192.168.1.2 64006 1.1.1.1 53
192.168.1.2 137 192.168.1.255 137
192.168.1.2 51822 8.8.8.8 53
192.168.1.2 54383 8.8.8.8 53
192.168.1.2 54628 8.8.8.8 53
192.168.1.2 60565 8.8.8.8 53
192.168.1.2 60934 8.8.8.8 53
192.168.1.2 61149 8.8.8.8 53
192.168.1.2 61170 8.8.8.8 53
192.168.1.2 61709 8.8.8.8 53
192.168.1.2 64006 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.kountrygirljewelry.com
www.joomlas123.com 199.192.16.98
www.fitnesscrosshome.com
www.ai-jingdong.com
www.cyzj168.com 23.104.208.200
www.glowychloe.com 184.168.221.45
www.bavariaimmolounge.com
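The sample resolved seven unrelated domains through both configured resolvers and opened no TCP connection. Formbook builds commonly carry a list of candidate C2 domains, many of them decoys, so a burst of lookups with no follow-on connection is worth surfacing during triage. The Python below is an added example, not part of the CAPE report or its code: it summarises constructed UDP, DNS and TCP rows that mirror the tables above and flags the resolve-without-connect pattern. The min_domains threshold and the two-label registered_domain helper are editorial simplifications.

```python
from collections import Counter

DNS_PORT = 53

# Constructed rows mirroring the report's UDP table: (src, sport, dst, dport).
UDP_ROWS = [
    ("192.168.1.2", port, resolver, DNS_PORT)
    for resolver in ("1.1.1.1", "8.8.8.8")
    for port in (51822, 54383, 54628, 60565, 60934, 61149, 61170, 61709, 64006)
] + [("192.168.1.2", 137, "192.168.1.255", 137)]   # NetBIOS broadcast, not DNS

# Constructed rows mirroring the DNS table: (name, answer); None = no answer.
DNS_ROWS = [
    ("www.kountrygirljewelry.com", None),
    ("www.joomlas123.com", "199.192.16.98"),
    ("www.fitnesscrosshome.com", None),
    ("www.ai-jingdong.com", None),
    ("www.cyzj168.com", "23.104.208.200"),
    ("www.glowychloe.com", "184.168.221.45"),
    ("www.bavariaimmolounge.com", None),
]

# The report recorded no TCP connections; rows would be (src, sport, dst, dport).
TCP_ROWS = []


def registered_domain(name):
    """Last two labels of a host name (www.example.com -> example.com).
    Editorial shortcut: a production tool would consult the public suffix list."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_profile(udp_rows, dns_rows, tcp_rows, min_domains=5):
    """Summarise name resolution against actual connections and flag the
    'resolved many domains, connected to none of them' pattern."""
    resolvers = Counter(dst for _, _, dst, dport in udp_rows if dport == DNS_PORT)
    domains = {registered_domain(n) for n, _ in dns_rows}
    answered = {registered_domain(n): ip for n, ip in dns_rows if ip}
    contacted = {dst for _, _, dst, _ in tcp_rows}
    unused = sorted(d for d, ip in answered.items() if ip not in contacted)
    return {
        "dns_queries": sum(resolvers.values()),
        "resolvers": dict(resolvers),
        "distinct_domains": len(domains),
        "answered": answered,
        "unanswered": sorted(domains - set(answered)),
        "answered_but_unused": unused,
        "flag_resolve_without_connect": len(domains) >= min_domains and not contacted,
    }


if __name__ == "__main__":
    for key, value in dns_profile(UDP_ROWS, DNS_ROWS, TCP_ROWS).items():
        print(f"{key}: {value}")
```

Run against the rows above the profile reports 18 DNS datagrams split evenly across 1.1.1.1 and 8.8.8.8, seven distinct domains of which three resolved, three resolved addresses that were never connected to, and the flag set. Adding a single TCP row to one of the resolved addresses clears the flag and drops that domain from the unused list, which is the distinction a detection rule built on this idea should make.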

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
Execution
  • T1129 - Execution through Module Load
    • Signature - dropper
Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 13.795 seconds )

    • 6.494 NetworkAnalysis
    • 5.224 Suricata
    • 0.535 Static
    • 0.444 VirusTotal
    • 0.43 BehaviorAnalysis
    • 0.351 CAPE
    • 0.187 static_dotnet
    • 0.046 TargetInfo
    • 0.031 Deduplicate
    • 0.02 AnalysisInfo
    • 0.012 Strings
    • 0.011 Dropped
    • 0.005 Debug
    • 0.005 peid

    Signatures ( 0.4650000000000002 seconds )

    • 0.074 antiav_detectreg
    • 0.041 infostealer_ftp
    • 0.026 territorial_disputes_sigs
    • 0.022 infostealer_im
    • 0.022 masquerade_process_name
    • 0.019 antiav_detectfile
    • 0.015 antianalysis_detectreg
    • 0.015 infostealer_bitcoin
    • 0.012 ransomware_files
    • 0.01 antivm_vbox_keys
    • 0.009 api_spamming
    • 0.009 decoy_document
    • 0.009 stealth_timeout
    • 0.009 antianalysis_detectfile
    • 0.009 antivm_vbox_files
    • 0.008 infostealer_mail
    • 0.007 ransomware_extensions
    • 0.006 Doppelganging
    • 0.006 NewtWire Behavior
    • 0.006 antivm_vmware_keys
    • 0.005 InjectionCreateRemoteThread
    • 0.005 Unpacker
    • 0.005 antivm_xen_keys
    • 0.005 geodo_banking_trojan
    • 0.005 qulab_files
    • 0.004 injection_createremotethread
    • 0.004 antivm_parallels_keys
    • 0.004 predatorthethief_files
    • 0.003 InjectionProcessHollowing
    • 0.003 antidebug_guardpages
    • 0.003 exploit_heapspray
    • 0.003 injection_runpe
    • 0.003 persistence_autorun
    • 0.003 antidbg_devices
    • 0.003 antivm_generic_diskreg
    • 0.003 antivm_vmware_files
    • 0.003 antivm_vpc_keys
    • 0.003 network_torgateway
    • 0.002 InjectionInterProcess
    • 0.002 antiemu_wine_func
    • 0.002 antivm_generic_disk
    • 0.002 betabot_behavior
    • 0.002 dynamic_function_loading
    • 0.002 encrypted_ioc
    • 0.002 exec_crash
    • 0.002 infostealer_browser_password
    • 0.002 kibex_behavior
    • 0.002 malicious_dynamic_function_loading
    • 0.002 mimics_filetime
    • 0.002 network_tor
    • 0.002 virus
    • 0.002 antivm_vbox_devices
    • 0.002 network_dns_opennic
    • 0.001 antiav_avast_libs
    • 0.001 antivm_generic_scsi
    • 0.001 antivm_generic_services
    • 0.001 antivm_vbox_libs
    • 0.001 bootkit
    • 0.001 dyre_behavior
    • 0.001 exploit_getbasekerneladdress
    • 0.001 exploit_gethaldispatchtable
    • 0.001 hancitor_behavior
    • 0.001 hawkeye_behavior
    • 0.001 infostealer_browser
    • 0.001 kazybot_behavior
    • 0.001 kovter_behavior
    • 0.001 rat_nanocore
    • 0.001 reads_self
    • 0.001 shifu_behavior
    • 0.001 stack_pivot
    • 0.001 stealth_file
    • 0.001 tinba_behavior
    • 0.001 antivm_xen_keys
    • 0.001 antivm_hyperv_keys
    • 0.001 ketrican_regkeys
    • 0.001 banker_cridex
    • 0.001 browser_security
    • 0.001 bypass_firewall
    • 0.001 codelux_behavior
    • 0.001 darkcomet_regkeys
    • 0.001 disables_browser_warn
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 obliquerat_files
    • 0.001 rat_pcclient
    • 0.001 recon_checkip
    • 0.001 recon_fingerprint

    Reporting ( 7.53 seconds )

    • 7.384 BinGraph
    • 0.083 SubmitCAPE
    • 0.059 MITRE_TTPS
    • 0.004 PCAP2CERT