Detections

Yara:

Remcos

Analysis

Category: FILE
Package: exe
Started: 2020-10-18 06:35:08
Completed: 2020-10-18 06:41:03
Duration: 355 seconds
Options: route = tor
Log:
2020-05-13 09:13:44,969 [root] INFO: Date set to: 20201018T06:35:07, timeout set to: 200
2020-10-18 06:35:07,046 [root] DEBUG: Starting analyzer from: C:\tmpq_mrpfl7
2020-10-18 06:35:07,046 [root] DEBUG: Storing results at: C:\ggHPsSQObk
2020-10-18 06:35:07,046 [root] DEBUG: Pipe server name: \\.\PIPE\vcWcZc
2020-10-18 06:35:07,046 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-10-18 06:35:07,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-10-18 06:35:07,078 [root] INFO: Automatically selected analysis package "exe"
2020-10-18 06:35:07,078 [root] DEBUG: Importing analysis package "exe"...
2020-10-18 06:35:07,203 [root] DEBUG: Initializing analysis package "exe"...
2020-10-18 06:35:07,312 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2020-10-18 06:35:07,328 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2020-10-18 06:35:07,359 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2020-10-18 06:35:07,390 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2020-10-18 06:35:07,437 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2020-10-18 06:35:07,437 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2020-10-18 06:35:07,453 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2020-10-18 06:35:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-10-18 06:35:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-10-18 06:35:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-10-18 06:35:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-10-18 06:35:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-10-18 06:35:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-10-18 06:35:07,500 [lib.api.screenshot] DEBUG: Importing 'math'
2020-10-18 06:35:07,500 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-10-18 06:35:10,390 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-10-18 06:35:10,406 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-10-18 06:35:10,421 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-10-18 06:35:10,421 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2020-10-18 06:35:10,437 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2020-10-18 06:35:10,437 [root] DEBUG: Initializing auxiliary module "Browser"...
2020-10-18 06:35:10,437 [root] DEBUG: Started auxiliary module Browser
2020-10-18 06:35:10,437 [root] DEBUG: Initializing auxiliary module "Curtain"...
2020-10-18 06:35:10,437 [root] DEBUG: Started auxiliary module Curtain
2020-10-18 06:35:10,437 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2020-10-18 06:35:10,437 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-10-18 06:35:10,968 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-10-18 06:35:10,968 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-10-18 06:35:10,984 [root] DEBUG: Started auxiliary module DigiSig
2020-10-18 06:35:10,984 [root] DEBUG: Initializing auxiliary module "Disguise"...
2020-10-18 06:35:11,031 [modules.auxiliary.disguise] INFO: Disguising GUID to 7fa35f1b-30b8-4251-928a-353f364aebd5
2020-10-18 06:35:11,031 [root] DEBUG: Started auxiliary module Disguise
2020-10-18 06:35:11,031 [root] DEBUG: Initializing auxiliary module "Human"...
2020-10-18 06:35:11,046 [root] DEBUG: Started auxiliary module Human
2020-10-18 06:35:11,046 [root] DEBUG: Initializing auxiliary module "Procmon"...
2020-10-18 06:35:11,062 [root] DEBUG: Started auxiliary module Procmon
2020-10-18 06:35:11,078 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2020-10-18 06:35:11,078 [root] DEBUG: Started auxiliary module Screenshots
2020-10-18 06:35:11,078 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2020-10-18 06:35:11,078 [root] DEBUG: Started auxiliary module Sysmon
2020-10-18 06:35:11,078 [root] DEBUG: Initializing auxiliary module "Usage"...
2020-10-18 06:35:11,078 [root] DEBUG: Started auxiliary module Usage
2020-10-18 06:35:11,078 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-10-18 06:35:11,078 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-10-18 06:35:11,078 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-10-18 06:35:11,078 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-10-18 06:35:11,375 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\6FNEaMg3dNB7sGi.exe" with arguments "" with pid 2904
2020-10-18 06:35:11,375 [lib.api.process] INFO: Monitor config for process 2904: C:\tmpq_mrpfl7\dll\2904.ini
2020-10-18 06:35:11,390 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:11,531 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:11,531 [root] DEBUG: Loader: Injecting process 2904 (thread 5276) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:11,531 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:35:11,531 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:35:11,531 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:13,546 [lib.api.process] INFO: Successfully resumed process with pid 2904
2020-10-18 06:35:13,765 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:13,765 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:13,781 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2904 at 0x68d00000, image base 0xb30000, stack from 0x1b5000-0x1c0000
2020-10-18 06:35:13,812 [root] INFO: Loaded monitor into process with pid 2904
2020-10-18 06:35:13,812 [root] DEBUG: set_caller_info: Adding region at 0x000C0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-10-18 06:35:13,812 [root] DEBUG: DumpPEsInRange: Scanning range 0xc0000 - 0x1c0000.
2020-10-18 06:35:13,828 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0xc0000
2020-10-18 06:35:13,906 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-10-18 06:35:13,906 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0xc0000
2020-10-18 06:35:13,906 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x000C0000 size 0x100000.
2020-10-18 06:35:13,953 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_33244204613555180102020 (size 0x8a8)
2020-10-18 06:35:13,953 [root] DEBUG: DumpRegion: Dumped region at 0x001BF000, size 0x1000.
2020-10-18 06:35:13,953 [root] DEBUG: set_caller_info: Adding region at 0x018E0000 to caller regions list (advapi32::RegOpenKeyExW).
2020-10-18 06:35:13,968 [root] DEBUG: DumpPEsInRange: Scanning range 0x18e0000 - 0x1ce0000.
2020-10-18 06:35:13,968 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x1925fc1
2020-10-18 06:35:13,984 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x18e0000
2020-10-18 06:35:13,984 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x018E0000 size 0x400000.
2020-10-18 06:35:14,000 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_73270384013555180102020 (size 0x1a41)
2020-10-18 06:35:14,000 [root] DEBUG: DumpRegion: Dumped region at 0x01C9D000, size 0x10000.
2020-10-18 06:35:14,000 [root] DEBUG: set_caller_info: Adding region at 0x00510000 to caller regions list (kernel32::FindFirstFileExW).
2020-10-18 06:35:14,015 [root] DEBUG: DumpPEsInRange: Scanning range 0x510000 - 0x5d8000.
2020-10-18 06:35:14,015 [root] DEBUG: TestPERequirements: Exception occurred reading region at 0x5150a1
2020-10-18 06:35:14,015 [root] DEBUG: TestPERequirements: Exception occurred reading region at 0x5150b9
2020-10-18 06:35:14,015 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x514fc1
2020-10-18 06:35:14,015 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x5d8000
2020-10-18 06:35:14,015 [root] DEBUG: DumpMemory: Nothing to dump at 0x00510000!
2020-10-18 06:35:14,015 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00510000 size 0xc8000.
2020-10-18 06:35:14,031 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x5d0000
2020-10-18 06:35:14,031 [root] DEBUG: DumpMemory: Nothing to dump at 0x00570000!
2020-10-18 06:35:14,046 [root] DEBUG: DumpRegion: Failed to dump region at 0x00570000 size 0x60000.
2020-10-18 06:35:14,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbc and local view 0x71720000 to global list.
2020-10-18 06:35:14,046 [root] DEBUG: DLL loaded at 0x71720000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-10-18 06:35:14,046 [root] DEBUG: DLL unloaded from 0x76A30000.
2020-10-18 06:35:14,062 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc and local view 0x00A50000 to global list.
2020-10-18 06:35:14,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc8 and local view 0x00A50000 to global list.
2020-10-18 06:35:14,078 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-10-18 06:35:14,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A530000 for section view with handle 0xcc.
2020-10-18 06:35:14,093 [root] DEBUG: DLL loaded at 0x6A530000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-10-18 06:35:14,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6C1F0000 for section view with handle 0xcc.
2020-10-18 06:35:14,093 [root] DEBUG: DLL loaded at 0x6C1F0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-10-18 06:35:14,109 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf0 and local view 0x00090000 to global list.
2020-10-18 06:35:14,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 and local view 0x000A0000 to global list.
2020-10-18 06:35:14,125 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:14,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d4 and local view 0x05400000 to global list.
2020-10-18 06:35:14,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f4 and local view 0x66420000 to global list.
2020-10-18 06:35:14,171 [root] DEBUG: DLL loaded at 0x66420000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-10-18 06:35:14,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 and local view 0x65690000 to global list.
2020-10-18 06:35:14,312 [root] DEBUG: DLL loaded at 0x65690000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-10-18 06:35:14,328 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x64EB0000 for section view with handle 0x214.
2020-10-18 06:35:14,343 [root] DEBUG: DLL loaded at 0x64EB0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-10-18 06:35:14,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x210 and local view 0x66240000 to global list.
2020-10-18 06:35:14,484 [root] DEBUG: DLL loaded at 0x66240000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-10-18 06:35:14,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20c and local view 0x68C80000 to global list.
2020-10-18 06:35:14,921 [root] DEBUG: DLL loaded at 0x68C80000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-10-18 06:35:14,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x677F0000 for section view with handle 0x214.
2020-10-18 06:35:14,953 [root] DEBUG: DLL loaded at 0x677F0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-10-18 06:35:14,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x64190000 for section view with handle 0x210.
2020-10-18 06:35:14,968 [root] DEBUG: DLL loaded at 0x64190000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-10-18 06:35:14,984 [root] DEBUG: set_caller_info: Adding region at 0x003E0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:35:14,984 [root] DEBUG: DumpPEsInRange: Scanning range 0x3e0000 - 0x3f0000.
2020-10-18 06:35:14,984 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x3e0fc1
2020-10-18 06:35:14,984 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x3f0000
2020-10-18 06:35:14,984 [root] DEBUG: DumpMemory: Nothing to dump at 0x003E0000!
2020-10-18 06:35:14,984 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003E0000 size 0x10000.
2020-10-18 06:35:15,015 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_181595648034555180102020 (size 0x4ca)
2020-10-18 06:35:15,015 [root] DEBUG: DumpRegion: Dumped region at 0x003E0000, size 0x1000.
2020-10-18 06:35:15,109 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 and local view 0x68B20000 to global list.
2020-10-18 06:35:15,125 [root] DEBUG: DLL loaded at 0x68B20000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni (0xfc000 bytes).
2020-10-18 06:35:15,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x220 and local view 0x6B020000 to global list.
2020-10-18 06:35:15,140 [root] DEBUG: DLL loaded at 0x6B020000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-10-18 06:35:15,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x056D0000 for section view with handle 0x220.
2020-10-18 06:35:15,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x63A50000 for section view with handle 0x220.
2020-10-18 06:35:15,171 [root] DEBUG: DLL loaded at 0x63A50000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni (0x73e000 bytes).
2020-10-18 06:35:15,171 [root] DEBUG: DLL loaded at 0x76AE0000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-10-18 06:35:15,187 [root] DEBUG: DLL loaded at 0x75BE0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-10-18 06:35:15,203 [root] DEBUG: set_caller_info: Adding region at 0x001C0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:35:15,203 [root] DEBUG: DumpPEsInRange: Scanning range 0x1c0000 - 0x1d0000.
2020-10-18 06:35:15,203 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x1c0fc1
2020-10-18 06:35:15,203 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x1d0000
2020-10-18 06:35:15,203 [root] DEBUG: DumpMemory: Nothing to dump at 0x001C0000!
2020-10-18 06:35:15,203 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x001C0000 size 0x10000.
2020-10-18 06:35:15,234 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_174190753235555180102020 (size 0x5b7)
2020-10-18 06:35:15,234 [root] DEBUG: DumpRegion: Dumped region at 0x001CD000, size 0x1000.
2020-10-18 06:35:15,249 [root] DEBUG: DLL loaded at 0x75750000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-10-18 06:35:15,249 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 06:35:15,281 [root] DEBUG: DLL loaded at 0x75390000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-10-18 06:35:15,296 [root] DEBUG: DLL loaded at 0x66130000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32 (0x84000 bytes).
2020-10-18 06:35:15,312 [root] DEBUG: set_caller_info: Adding region at 0x001D0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-10-18 06:35:15,312 [root] DEBUG: DumpPEsInRange: Scanning range 0x1d0000 - 0x1e0000.
2020-10-18 06:35:15,312 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x1d9fc1
2020-10-18 06:35:15,312 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x1e0000
2020-10-18 06:35:15,312 [root] DEBUG: DumpMemory: Nothing to dump at 0x001D0000!
2020-10-18 06:35:15,328 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x001D0000 size 0x10000.
2020-10-18 06:35:15,359 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_24240269635555180102020 (size 0xf6)
2020-10-18 06:35:15,359 [root] DEBUG: DumpRegion: Dumped region at 0x001DD000, size 0x1000.
2020-10-18 06:35:15,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x260 and local view 0x63980000 to global list.
2020-10-18 06:35:15,437 [root] DEBUG: DLL loaded at 0x63980000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni (0xc9000 bytes).
2020-10-18 06:35:15,562 [root] DEBUG: DLL loaded at 0x74790000: C:\Windows\system32\uxtheme (0x40000 bytes).
2020-10-18 06:35:15,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x258 and local view 0x63480000 to global list.
2020-10-18 06:35:15,750 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x264 and local view 0x017F0000 to global list.
2020-10-18 06:35:15,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00420000 for section view with handle 0x264.
2020-10-18 06:35:26,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x268 and local view 0x74560000 to global list.
2020-10-18 06:35:26,093 [root] DEBUG: DLL loaded at 0x74560000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-10-18 06:35:26,109 [root] DEBUG: DLL loaded at 0x73E10000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-10-18 06:35:26,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x270 and local view 0x004D0000 to global list.
2020-10-18 06:35:26,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004E0000 for section view with handle 0x270.
2020-10-18 06:35:26,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004F0000 for section view with handle 0x270.
2020-10-18 06:35:26,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x278 and local view 0x059B0000 to global list.
2020-10-18 06:35:26,359 [root] DEBUG: set_caller_info: Adding region at 0x01870000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-10-18 06:35:26,359 [root] DEBUG: DumpPEsInRange: Scanning range 0x1870000 - 0x1880000.
2020-10-18 06:35:26,359 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x1875fc1
2020-10-18 06:35:26,375 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x1880000
2020-10-18 06:35:26,375 [root] DEBUG: DumpMemory: Nothing to dump at 0x01870000!
2020-10-18 06:35:26,375 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01870000 size 0x10000.
2020-10-18 06:35:26,406 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_198150862229565180102020 (size 0x1608)
2020-10-18 06:35:26,406 [root] DEBUG: DumpRegion: Dumped region at 0x01874000, size 0x2000.
2020-10-18 06:35:26,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00810000 for section view with handle 0x278.
2020-10-18 06:35:26,531 [root] DEBUG: DLL loaded at 0x74900000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-10-18 06:35:26,531 [root] DEBUG: DLL loaded at 0x761A0000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-10-18 06:35:26,609 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Roaming\QDsgqHC.exe
2020-10-18 06:35:26,687 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\tmp2D72.tmp
2020-10-18 06:35:26,718 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-10-18 06:35:26,718 [root] DEBUG: DLL loaded at 0x74AC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-10-18 06:35:26,734 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:35:26,734 [root] DEBUG: DLL loaded at 0x76010000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-10-18 06:35:26,734 [root] DEBUG: DLL loaded at 0x6C300000: C:\Windows\System32\ieframe (0xaba000 bytes).
2020-10-18 06:35:26,734 [root] DEBUG: DLL loaded at 0x75CE0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-10-18 06:35:26,750 [root] DEBUG: DLL loaded at 0x75CD0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:26,750 [root] DEBUG: DLL loaded at 0x75C80000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:26,750 [root] DEBUG: DLL loaded at 0x6C2F0000: C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:26,750 [root] DEBUG: DLL loaded at 0x75CC0000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:26,750 [root] DEBUG: DLL loaded at 0x75C60000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-10-18 06:35:26,750 [root] DEBUG: DLL loaded at 0x75F50000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-10-18 06:35:26,765 [root] DEBUG: DLL loaded at 0x779D0000: C:\Windows\system32\iertutil (0x215000 bytes).
2020-10-18 06:35:26,796 [root] DEBUG: DLL loaded at 0x77830000: C:\Windows\system32\SETUPAPI (0x19d000 bytes).
2020-10-18 06:35:26,796 [root] DEBUG: DLL loaded at 0x75C90000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-10-18 06:35:26,796 [root] DEBUG: DLL loaded at 0x75CF0000: C:\Windows\system32\DEVOBJ (0x12000 bytes).
2020-10-18 06:35:26,812 [root] DEBUG: DLL loaded at 0x761F0000: C:\Windows\system32\urlmon (0x124000 bytes).
2020-10-18 06:35:26,828 [root] DEBUG: DLL loaded at 0x75C70000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:26,828 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\system32\WININET (0x1c4000 bytes).
2020-10-18 06:35:26,828 [root] DEBUG: DLL unloaded from 0x76AE0000.
2020-10-18 06:35:26,828 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-10-18 06:35:26,921 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 2920
2020-10-18 06:35:26,921 [lib.api.process] INFO: Monitor config for process 2920: C:\tmpq_mrpfl7\dll\2920.ini
2020-10-18 06:35:26,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:26,937 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:26,937 [root] DEBUG: Loader: Injecting process 2920 (thread 5756) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:26,937 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:26,968 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:35:26,968 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:26,984 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2920, ImageBase: 0x00420000
2020-10-18 06:35:26,984 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 2920
2020-10-18 06:35:26,984 [lib.api.process] INFO: Monitor config for process 2920: C:\tmpq_mrpfl7\dll\2920.ini
2020-10-18 06:35:26,984 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:27,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:27,015 [root] DEBUG: Loader: Injecting process 2920 (thread 5756) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:27,015 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:27,015 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:27,015 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:27,046 [root] DEBUG: DLL loaded at 0x75BD0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-10-18 06:35:27,093 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:27,093 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:27,093 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:27,109 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:35:27,109 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2920 at 0x68d00000, image base 0x420000, stack from 0x186000-0x190000
2020-10-18 06:35:27,109 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Windows\System32\schtasks.exe" \Create \TN "Updates\QDsgqHC" \XML "C:\Users\Rebecca\AppData\Local\Temp\tmp2D72.tmp"
2020-10-18 06:35:27,125 [root] INFO: Loaded monitor into process with pid 2920
2020-10-18 06:35:27,140 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\System32\VERSION (0x9000 bytes).
2020-10-18 06:35:27,140 [root] DEBUG: DLL unloaded from 0x00420000.
2020-10-18 06:35:27,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbc and local view 0x02840000 to global list.
2020-10-18 06:35:27,156 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\System32\CRYPTBASE (0xc000 bytes).
2020-10-18 06:35:27,171 [root] INFO: Stopping Task Scheduler Service
2020-10-18 06:35:27,375 [root] INFO: Stopped Task Scheduler Service
2020-10-18 06:35:27,406 [root] INFO: Starting Task Scheduler Service
2020-10-18 06:35:27,468 [root] INFO: Started Task Scheduler Service
2020-10-18 06:35:27,484 [lib.api.process] INFO: Monitor config for process 844: C:\tmpq_mrpfl7\dll\844.ini
2020-10-18 06:35:27,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:27,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:27,500 [root] DEBUG: Loader: Injecting process 844 (thread 0) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:27,500 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-10-18 06:35:27,500 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-10-18 06:35:27,500 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-10-18 06:35:27,515 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:27,515 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:27,515 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:27,515 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 844 at 0x68d00000, image base 0x3c0000, stack from 0x11d6000-0x11e0000
2020-10-18 06:35:27,515 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k netsvcs
2020-10-18 06:35:27,546 [root] INFO: Loaded monitor into process with pid 844
2020-10-18 06:35:27,546 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-10-18 06:35:27,546 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-10-18 06:35:27,546 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:27,546 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 844
2020-10-18 06:35:29,546 [root] DEBUG: DLL loaded at 0x76010000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-10-18 06:35:29,546 [root] DEBUG: DLL loaded at 0x742F0000: C:\Windows\system32\taskschd (0x7d000 bytes).
2020-10-18 06:35:31,515 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2920
2020-10-18 06:35:31,515 [root] DEBUG: GetHookCallerBase: thread 5756 (handle 0x0), return address 0x00437569, allocation base 0x00420000.
2020-10-18 06:35:31,531 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00420000.
2020-10-18 06:35:31,531 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:35:31,531 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00420000.
2020-10-18 06:35:31,531 [root] DEBUG: DumpProcess: Module entry point VA is 0x00017683.
2020-10-18 06:35:31,593 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2b400.
2020-10-18 06:35:31,609 [root] DEBUG: DLL unloaded from 0x76730000.
2020-10-18 06:35:31,609 [root] INFO: Process with pid 2920 has terminated
2020-10-18 06:35:31,671 [root] INFO: Announced 32-bit process name: 6FNEaMg3dNB7sGi.exe pid: 4276
2020-10-18 06:35:31,671 [lib.api.process] INFO: Monitor config for process 4276: C:\tmpq_mrpfl7\dll\4276.ini
2020-10-18 06:35:31,671 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:31,750 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:31,765 [root] DEBUG: Loader: Injecting process 4276 (thread 6136) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:31,765 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:35:31,765 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:35:31,765 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:31,859 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4276, ImageBase: 0x00B30000
2020-10-18 06:35:31,890 [root] INFO: Announced 32-bit process name: 6FNEaMg3dNB7sGi.exe pid: 4276
2020-10-18 06:35:31,890 [lib.api.process] INFO: Monitor config for process 4276: C:\tmpq_mrpfl7\dll\4276.ini
2020-10-18 06:35:31,937 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:32,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:32,031 [root] DEBUG: Loader: Injecting process 4276 (thread 6136) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,046 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:35:32,046 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:35:32,046 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,078 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 4276 (ImageBase 0x400000)
2020-10-18 06:35:32,078 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:35:32,093 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x044D20C8.
2020-10-18 06:35:32,156 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x20000.
2020-10-18 06:35:32,156 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x44d20c8, SizeOfImage 0x21000.
2020-10-18 06:35:32,156 [root] INFO: Announced 32-bit process name: 6FNEaMg3dNB7sGi.exe pid: 4276
2020-10-18 06:35:32,156 [lib.api.process] INFO: Monitor config for process 4276: C:\tmpq_mrpfl7\dll\4276.ini
2020-10-18 06:35:32,171 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:32,187 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:32,187 [root] DEBUG: Loader: Injecting process 4276 (thread 0) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,203 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-10-18 06:35:32,203 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-10-18 06:35:32,203 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,218 [root] DEBUG: WriteMemoryHandler: shellcode at 0x03436318 (size 0x14000) injected into process 4276.
2020-10-18 06:35:32,281 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_12963910825575180102020 (size 0x13246)
2020-10-18 06:35:32,296 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:35:32,312 [root] INFO: Announced 32-bit process name: 6FNEaMg3dNB7sGi.exe pid: 4276
2020-10-18 06:35:32,312 [lib.api.process] INFO: Monitor config for process 4276: C:\tmpq_mrpfl7\dll\4276.ini
2020-10-18 06:35:32,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:32,359 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:32,359 [root] DEBUG: Loader: Injecting process 4276 (thread 0) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,375 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-10-18 06:35:32,375 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-10-18 06:35:32,390 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,390 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0344A324 (size 0x6000) injected into process 4276.
2020-10-18 06:35:32,421 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_179479184025575180102020 (size 0x53e9)
2020-10-18 06:35:32,437 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:35:32,437 [root] INFO: Announced 32-bit process name: 6FNEaMg3dNB7sGi.exe pid: 4276
2020-10-18 06:35:32,453 [lib.api.process] INFO: Monitor config for process 4276: C:\tmpq_mrpfl7\dll\4276.ini
2020-10-18 06:35:32,453 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:32,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:32,500 [root] DEBUG: Loader: Injecting process 4276 (thread 0) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,531 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-10-18 06:35:32,531 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-10-18 06:35:32,531 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,531 [root] DEBUG: WriteMemoryHandler: shellcode at 0x03450330 (size 0x1000) injected into process 4276.
2020-10-18 06:35:32,578 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_210783980525575180102020 (size 0x191)
2020-10-18 06:35:32,578 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:35:32,593 [root] INFO: Announced 32-bit process name: 6FNEaMg3dNB7sGi.exe pid: 4276
2020-10-18 06:35:32,593 [lib.api.process] INFO: Monitor config for process 4276: C:\tmpq_mrpfl7\dll\4276.ini
2020-10-18 06:35:32,593 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:32,609 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:32,609 [root] DEBUG: Loader: Injecting process 4276 (thread 0) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,625 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-10-18 06:35:32,625 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-10-18 06:35:32,625 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,640 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0345133C (size 0x1000) injected into process 4276.
2020-10-18 06:35:32,687 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_161296714425575180102020 (size 0x1000)
2020-10-18 06:35:32,687 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:35:32,703 [root] INFO: Announced 32-bit process name: 6FNEaMg3dNB7sGi.exe pid: 4276
2020-10-18 06:35:32,703 [lib.api.process] INFO: Monitor config for process 4276: C:\tmpq_mrpfl7\dll\4276.ini
2020-10-18 06:35:32,718 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:32,734 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:32,734 [root] DEBUG: Loader: Injecting process 4276 (thread 0) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,734 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-10-18 06:35:32,734 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-10-18 06:35:32,750 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,750 [root] DEBUG: WriteMemoryHandler: shellcode at 0x03452348 (size 0x3000) injected into process 4276.
2020-10-18 06:35:32,875 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\2904_205245177425575180102020 (size 0x242c)
2020-10-18 06:35:32,921 [root] INFO: Announced 32-bit process name: 6FNEaMg3dNB7sGi.exe pid: 4276
2020-10-18 06:35:32,921 [lib.api.process] INFO: Monitor config for process 4276: C:\tmpq_mrpfl7\dll\4276.ini
2020-10-18 06:35:32,937 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:32,984 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:32,984 [root] DEBUG: Loader: Injecting process 4276 (thread 0) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:32,984 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-10-18 06:35:32,984 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-10-18 06:35:33,000 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:33,031 [root] INFO: Announced 32-bit process name: 6FNEaMg3dNB7sGi.exe pid: 4276
2020-10-18 06:35:33,062 [lib.api.process] INFO: Monitor config for process 4276: C:\tmpq_mrpfl7\dll\4276.ini
2020-10-18 06:35:33,093 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:33,140 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:33,156 [root] DEBUG: Loader: Injecting process 4276 (thread 0) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:33,156 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-10-18 06:35:33,156 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-10-18 06:35:33,156 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:33,187 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x00013FA4 (process 4276).
2020-10-18 06:35:33,187 [root] INFO: Announced 32-bit process name: 6FNEaMg3dNB7sGi.exe pid: 4276
2020-10-18 06:35:33,187 [lib.api.process] INFO: Monitor config for process 4276: C:\tmpq_mrpfl7\dll\4276.ini
2020-10-18 06:35:33,203 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\JVFpkQ.dll, loader C:\tmpq_mrpfl7\bin\AwhUulg.exe
2020-10-18 06:35:33,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vcWcZc.
2020-10-18 06:35:33,249 [root] DEBUG: Loader: Injecting process 4276 (thread 6136) with C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:33,265 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:33,281 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:35:33,296 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\JVFpkQ.dll.
2020-10-18 06:35:33,296 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4276.
2020-10-18 06:35:33,406 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2904
2020-10-18 06:35:33,421 [root] DEBUG: GetHookCallerBase: thread 5276 (handle 0x0), return address 0x003E3CC3, allocation base 0x003E0000.
2020-10-18 06:35:33,421 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00B30000.
2020-10-18 06:35:33,421 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00B32000
2020-10-18 06:35:33,437 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:35:33,453 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00B30000.
2020-10-18 06:35:33,453 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00BDBA00 to 0x00BDBC00).
2020-10-18 06:35:33,500 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:33,515 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:33,515 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-18 06:35:33,515 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00B30000, dumping memory region.
2020-10-18 06:35:33,515 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:33,515 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:35:33,531 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4276 at 0x68d00000, image base 0x400000, stack from 0x146000-0x150000
2020-10-18 06:35:33,531 [root] DEBUG: DLL unloaded from 0x76650000.
2020-10-18 06:35:33,531 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\6FNEaMg3dNB7sGi.exe"
2020-10-18 06:35:33,546 [root] DEBUG: DLL unloaded from 0x747E0000.
2020-10-18 06:35:33,562 [root] INFO: Loaded monitor into process with pid 4276
2020-10-18 06:35:33,562 [root] DEBUG: DLL unloaded from 0x76730000.
2020-10-18 06:35:33,562 [root] DEBUG: DLL loaded at 0x02D00000: C:\tmpq_mrpfl7\dll\JVFpkQ (0xd6000 bytes).
2020-10-18 06:35:33,578 [root] DEBUG: DLL unloaded from 0x74900000.
2020-10-18 06:35:33,578 [root] DEBUG: DLL unloaded from 0x72490000.
2020-10-18 06:35:33,578 [root] DEBUG: DLL unloaded from 0x6A530000.
2020-10-18 06:35:33,578 [root] DEBUG: DLL unloaded from 0x76650000.
2020-10-18 06:35:33,578 [root] DEBUG: DLL unloaded from 0x71720000.
2020-10-18 06:35:33,578 [root] DEBUG: DLL unloaded from 0x72490000.
2020-10-18 06:35:33,593 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2904
2020-10-18 06:35:33,593 [root] DEBUG: DLL unloaded from 0x76650000.
2020-10-18 06:35:33,609 [root] DEBUG: GetHookCallerBase: thread 5276 (handle 0x0), return address 0x003E3CC3, allocation base 0x003E0000.
2020-10-18 06:35:33,609 [root] DEBUG: DLL unloaded from 0x02D00000.
2020-10-18 06:35:33,625 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00B30000.
2020-10-18 06:35:33,625 [root] DEBUG: set_caller_info: Adding region at 0x00170000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:35:33,625 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00B32000
2020-10-18 06:35:33,625 [root] DEBUG: DumpPEsInRange: Scanning range 0x170000 - 0x171000.
2020-10-18 06:35:33,625 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:35:33,640 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x170000-0x171000.
2020-10-18 06:35:33,640 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00B30000.
2020-10-18 06:35:33,656 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-10-18 06:35:33,656 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00BDBA00 to 0x00BDBC00).
2020-10-18 06:35:33,703 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-18 06:35:33,703 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00B30000, dumping memory region.
2020-10-18 06:35:33,718 [root] INFO: Process with pid 2904 has terminated
2020-10-18 06:35:33,734 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ggHPsSQObk\CAPE\4276_20544947233555180102020 (size 0x12a)
2020-10-18 06:35:33,734 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00170000, size 0x1000.
2020-10-18 06:35:33,750 [root] DEBUG: DLL loaded at 0x02D00000: C:\tmpq_mrpfl7\dll\JVFpkQ (0xd6000 bytes).
2020-10-18 06:35:33,750 [root] DEBUG: DLL unloaded from 0x72490000.
2020-10-18 06:35:33,750 [root] DEBUG: DLL unloaded from 0x76650000.
2020-10-18 06:35:33,750 [root] DEBUG: DLL unloaded from 0x72490000.
2020-10-18 06:35:33,765 [root] DEBUG: DLL unloaded from 0x76650000.
2020-10-18 06:35:33,765 [root] DEBUG: DLL unloaded from 0x02D00000.
2020-10-18 06:35:33,796 [root] DEBUG: DLL loaded at 0x755C0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-10-18 06:35:33,812 [root] DEBUG: DLL loaded at 0x75140000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-10-18 06:35:33,812 [root] DEBUG: DLL loaded at 0x74720000: C:\Windows\system32\NLAapi (0x10000 bytes).
2020-10-18 06:35:33,812 [root] DEBUG: DLL loaded at 0x6D9C0000: C:\Windows\system32\napinsp (0x10000 bytes).
2020-10-18 06:35:33,828 [root] DEBUG: DLL loaded at 0x6D9A0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2020-10-18 06:35:33,828 [root] DEBUG: DLL loaded at 0x75480000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-10-18 06:35:33,828 [root] DEBUG: DLL loaded at 0x6D5B0000: C:\Windows\System32\winrnr (0x8000 bytes).
2020-10-18 06:35:33,828 [root] DEBUG: DLL loaded at 0x740A0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-10-18 06:35:33,843 [root] DEBUG: DLL loaded at 0x74060000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-10-18 06:35:36,656 [root] DEBUG: DLL loaded at 0x74010000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-10-18 06:35:36,671 [root] DEBUG: DLL loaded at 0x72290000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-10-18 06:35:37,265 [root] DEBUG: set_caller_info: Adding region at 0x6F4D0000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-10-18 06:35:37,265 [root] DEBUG: set_caller_info: Calling region at 0x6F4D0000 skipped.
2020-10-18 06:35:42,968 [root] DEBUG: set_caller_info: Adding region at 0x6E420000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-10-18 06:35:42,968 [root] DEBUG: set_caller_info: Calling region at 0x6E420000 skipped.
2020-10-18 06:35:43,859 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Roaming\September\logs.dat
2020-10-18 06:36:14,390 [root] DEBUG: set_caller_info: Adding region at 0x6F770000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-10-18 06:36:14,390 [root] DEBUG: set_caller_info: Calling region at 0x6F770000 skipped.
2020-10-18 06:36:16,468 [root] DEBUG: set_caller_info: Adding region at 0x6F0C0000 to caller regions list (ntdll::memcpy).
2020-10-18 06:36:16,468 [root] DEBUG: set_caller_info: Calling region at 0x6F0C0000 skipped.
2020-10-18 06:36:16,484 [root] DEBUG: set_caller_info: Adding region at 0x6EAE0000 to caller regions list (ntdll::memcpy).
2020-10-18 06:36:16,484 [root] DEBUG: set_caller_info: Calling region at 0x6EAE0000 skipped.
2020-10-18 06:38:33,750 [root] INFO: Analysis timeout hit, terminating analysis.
2020-10-18 06:38:33,750 [lib.api.process] INFO: Terminate event set for process 844
2020-10-18 06:38:33,781 [root] DEBUG: Terminate Event: Attempting to dump process 844
2020-10-18 06:38:33,796 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x003C0000.
2020-10-18 06:38:33,796 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002104.
2020-10-18 06:38:33,859 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x5200.
2020-10-18 06:38:33,875 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 844
2020-10-18 06:38:33,875 [lib.api.process] INFO: Termination confirmed for process 844
2020-10-18 06:38:33,875 [root] INFO: Terminate event set for process 844.
2020-10-18 06:38:33,890 [lib.api.process] INFO: Terminate event set for process 4276
2020-10-18 06:38:33,890 [root] DEBUG: Terminate Event: Attempting to dump process 4276
2020-10-18 06:38:33,890 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-10-18 06:38:33,890 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:38:33,921 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x20000.
2020-10-18 06:38:33,937 [lib.api.process] INFO: Termination confirmed for process 4276
2020-10-18 06:38:33,937 [root] INFO: Terminate event set for process 4276.
2020-10-18 06:38:33,937 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 4276
2020-10-18 06:38:33,937 [root] INFO: Created shutdown mutex.
2020-10-18 06:38:34,953 [root] INFO: Shutting down package.
2020-10-18 06:38:34,953 [root] INFO: Stopping auxiliary modules.
2020-10-18 06:38:35,125 [lib.common.results] WARNING: File C:\ggHPsSQObk\bin\procmon.xml doesn't exist anymore
2020-10-18 06:38:35,125 [root] INFO: Finishing auxiliary modules.
2020-10-18 06:38:35,125 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-10-18 06:38:35,265 [root] WARNING: Folder at path "C:\ggHPsSQObk\debugger" does not exist, skip.
2020-10-18 06:38:35,265 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7_4 win7_4 KVM 2020-10-18 06:35:08 2020-10-18 06:41:03

File Details

File Name 6FNEaMg3dNB7sGi.exe
File Size 703488 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-10-17 21:19:46
MD5 fbf6c63acd92d191fb1a77f15b90850c
SHA1 74ce9041a05b4195660d3ce5ac1f6f620f14818d
SHA256 2ac56457e5dfd887f318ab16bbc8fa9711095b8cb4cae99f5a34358c9a8502f0
SHA512 1aeb9e6e609c47cf3e83bde6316a334eba37de70695e86f4f545c88f16818855248aa3b9f7123e9eb923fc1788a308bc109dae04fee3fbbcac1bd70dcee19093
CRC32 AF22B638
Ssdeep 12288:0gEcQd3STz36T4IBIZT9oPb6Gxbql62ebKcJUwAbjYFbgAiaiZ:0gEd38jc1i5oPb6Gx2lf5Db0fC

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4276 trigged the Yara rule 'Parallax'
Hit: PID 4276 trigged the Yara rule 'Remcos'
Hit: PID 2904 trigged the Yara rule 'Parallax'
Hit: PID 2904 trigged the Yara rule 'Remcos'
Hit: PID 2904 trigged the Yara rule 'shellcode_patterns'
Hit: PID 2904 trigged the Yara rule 'embedded_win_api'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: 6FNEaMg3dNB7sGi.exe tried to sleep 814.434 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryEx
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
A process created a hidden window
Process: 6FNEaMg3dNB7sGi.exe -> schtasks.exe
Process: 6FNEaMg3dNB7sGi.exe -> C:\Users\Rebecca\AppData\Local\Temp\6FNEaMg3dNB7sGi.exe
CAPE extracted potentially suspicious content
6FNEaMg3dNB7sGi.exe: Injected Shellcode/Data
6FNEaMg3dNB7sGi.exe: Unpacked Shellcode
6FNEaMg3dNB7sGi.exe: Remcos Payload: 32-bit executable
6FNEaMg3dNB7sGi.exe: Parallax
6FNEaMg3dNB7sGi.exe: Unpacked Shellcode
6FNEaMg3dNB7sGi.exe: Injected Shellcode/Data
6FNEaMg3dNB7sGi.exe: Unpacked Shellcode
6FNEaMg3dNB7sGi.exe: Unpacked Shellcode
6FNEaMg3dNB7sGi.exe: Unpacked Shellcode
6FNEaMg3dNB7sGi.exe: Unpacked Shellcode
6FNEaMg3dNB7sGi.exe: Unpacked Shellcode
6FNEaMg3dNB7sGi.exe: Injected Shellcode/Data
6FNEaMg3dNB7sGi.exe: Injected Shellcode/Data
6FNEaMg3dNB7sGi.exe: Injected Shellcode/Data
6FNEaMg3dNB7sGi.exe: Parallax
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.19, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000ab200, virtual_size: 0x000ab014
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\6FNEaMg3dNB7sGi.exe
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QDsgqHC" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmp2D72.tmp"
command: schtasks.exe /Create /TN "Updates\QDsgqHC" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmp2D72.tmp"
Behavioural detection: Injection (Process Hollowing)
Injection: 6FNEaMg3dNB7sGi.exe(2904) -> 6FNEaMg3dNB7sGi.exe(4276)
Executed a process and injected code into it, probably while unpacking
Injection: 6FNEaMg3dNB7sGi.exe(2904) -> 6FNEaMg3dNB7sGi.exe(4276)
Sniffs keystrokes
SetWindowsHookExA: Process: 6FNEaMg3dNB7sGi.exe(4276)
Behavioural detection: Injection (inter-process)
Created a process from a suspicious location
File executed: C:\Users\Rebecca\AppData\Local\Temp\6FNEaMg3dNB7sGi.exe
Commandline executed:
CAPE detected the Remcos malware family
File has been identified by 17 Antiviruses on VirusTotal as malicious
Elastic: malicious (high confidence)
Alibaba: Trojan:Win32/starter.ali1000139
Invincea: Generic ML PUA (PUA)
Cyren: W32/Trojan.SW.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition: BehavesLike.Win32.Generic.jc
MaxSecure: Trojan.Malware.300983.susgen
FireEye: Generic.mg.fbf6c63acd92d191
SentinelOne: DFI - Malicious PE
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Microsoft: Trojan:Win32/AgentTesla!ml
McAfee: PWS-FCRK!FBF6C63ACD92
Fortinet: MSIL/Kryptik.YFO!tr
AVG: FileRepMalware
Qihoo-360: HEUR/QVM03.0.A7DB.Malware.Gen
CAPE has extracted a malware configuration
extracted_config: Remcos
Creates a copy of itself
copy: C:\Users\Rebecca\AppData\Roaming\QDsgqHC.exe
Creates known Remcos mutexes
mutex: Remcos_Mutex_Inj
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Malspam/RigEK
signature: ET DNS Query for .to TLD

Hosts

Direct IP Country Name
N 91.193.75.93 [VT] Serbia
Y 8.8.8.8 [VT] United States
N 185.140.53.228 [VT] Germany
Y 1.1.1.1 [VT] Australia

DNS

Name Response Post-Analysis Lookup
u875414.nvpn.to [VT] A 185.140.53.228 [VT] 185.140.53.228 [VT]
u875414.duckdns.org [VT] NXDOMAIN
u875414.ddns.net [VT]
u875414.nsupdate.info [VT] A 91.193.75.93 [VT] 91.193.75.93 [VT]

Summary

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\QDsgqHC
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\QDsgqHC\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\QDsgqHC\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\RepositoryRestoreInProgress
HKEY_CURRENT_USER\Software\September-IJ9HLQ\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_CURRENT_USER\Software\September-IJ9HLQ\exepath
HKEY_CURRENT_USER\Software\September-IJ9HLQ\licence
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_CURRENT_USER\Software\September-IJ9HLQ\override
HKEY_CURRENT_USER\Software\September-IJ9HLQ\name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_CURRENT_USER\Software\September-IJ9HLQ\override
HKEY_CURRENT_USER\Software\September-IJ9HLQ\name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\QDsgqHC\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\QDsgqHC\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4D0D3AA-EEB8-4AEF-8D61-0F10AFBF0D1A}\DynamicInfo
HKEY_CURRENT_USER\Software\September-IJ9HLQ\
HKEY_CURRENT_USER\Software\September-IJ9HLQ\exepath
HKEY_CURRENT_USER\Software\September-IJ9HLQ\licence
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QDsgqHC" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmp2D72.tmp"
schtasks.exe /Create /TN "Updates\QDsgqHC" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmp2D72.tmp"
"C:\Users\Rebecca\AppData\Local\Temp\6FNEaMg3dNB7sGi.exe"
Remcos_Mutex_Inj
September-IJ9HLQ


PE Information

| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | Compile Time | Import Hash |
|---|---|---|---|---|---|---|
| 0x00400000 | 0x004ad00e | 0x00000000 | 0x000b0c03 | 4.0 | 2020-10-17 21:19:46 | f34d5f2d4577ed6d9ceec516c1f5a744 |

Sections

| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000200 | 0x00002000 | 0x000ab014 | 0x000ab200 | IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ | 7.19 |
| .rsrc | 0x000ab400 | 0x000ae000 | 0x00000600 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ | 4.07 |
| .reloc | 0x000aba00 | 0x000b0000 | 0x0000000c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ | 0.10 |

Resources

| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x000ae090 | 0x0000030c | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.29 | None |
| RT_MANIFEST | 0x000ae3ac | 0x000001ea | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.00 | None |

Imports


Assembly Information

Name 6FNEaMg3dNB7sGi
Version 1.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0
System 4.0.0.0
Microsoft.VisualBasic 10.0.0.0
System.Windows.Forms 4.0.0.0
System.Drawing 4.0.0.0
System.Data 4.0.0.0
System.Xml 4.0.0.0
System.Data.DataSetExtensions 4.0.0.0

Custom Attributes

Type Name Value
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Comput
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute ScrapBo
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute ScrapBo
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright © 20
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 1c6213db-06c8-4009-b436-92604df147
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 1.0.0
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Applicati
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Us
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.For
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedDataSetSche
TypeDef [System.Xml]System.Xml.Serialization.XmlRootAttribute ScrapDBDataS
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.DataS
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche
Property [System]System.Configuration.DefaultSettingValueAttribute Data Source=(localdb)\ProjectsV13;Initial Catalog=ScrapDB;Integrated Security=Tr
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Settin
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterManagerDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapterManag
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute PictureBo
MethodDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt

Type References

Assembly Type Name
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase
System.Windows.Forms System.Windows.Forms.Application
mscorlib System.STAThreadAttribute
mscorlib System.Diagnostics.DebuggerHiddenAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.ShutdownMode
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.AuthenticationMode
mscorlib System.Diagnostics.DebuggerStepThroughAttribute
System.Windows.Forms System.Windows.Forms.Form
System System.CodeDom.Compiler.GeneratedCodeAttribute
Microsoft.VisualBasic Microsoft.VisualBasic.Devices.Computer
mscorlib System.Object
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.User
System System.ComponentModel.Design.HelpKeywordAttribute
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.StandardModuleAttribute
Microsoft.VisualBasic Microsoft.VisualBasic.HideModuleNameAttribute
mscorlib System.Collections.Hashtable
mscorlib System.ThreadStaticAttribute
mscorlib System.Reflection.TargetInvocationException
System.Windows.Forms System.Windows.Forms.Control
mscorlib System.Type
mscorlib System.RuntimeTypeHandle
mscorlib System.String
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.Utils
mscorlib System.InvalidOperationException
mscorlib System.Activator
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.ProjectData
mscorlib System.Exception
System System.ComponentModel.Component
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.ArgumentException
Microsoft.VisualBasic Microsoft.VisualBasic.MyGroupCollectionAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
mscorlib System.Reflection.Assembly
System.Drawing System.Drawing.Bitmap
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
System System.Configuration.ApplicationSettingsBase
System System.Configuration.SettingsBase
mscorlib System.EventArgs
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.ObjectFlowControl
mscorlib System.Threading.Monitor
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.ShutdownEventHandler
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.Conversions
System System.Configuration.ApplicationScopedSettingAttribute
System System.Configuration.SpecialSettingAttribute
System System.Configuration.SpecialSetting
System System.Configuration.DefaultSettingValueAttribute
System System.ComponentModel.IContainer
System.Windows.Forms System.Windows.Forms.Label
mscorlib System.Diagnostics.DebuggerBrowsableAttribute
mscorlib System.Diagnostics.DebuggerBrowsableState
mscorlib System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
System.Windows.Forms System.Windows.Forms.Button
System.Windows.Forms System.Windows.Forms.TextBox
mscorlib System.EventHandler
mscorlib System.IDisposable
System.Drawing System.Drawing.Point
System.Windows.Forms System.Windows.Forms.ButtonBase
System.Drawing System.Drawing.Size
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Drawing System.Drawing.Color
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
System.Drawing System.Drawing.SizeF
System.Data System.Data.SqlClient.SqlException
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.Operators
Microsoft.VisualBasic Microsoft.VisualBasic.Interaction
Microsoft.VisualBasic Microsoft.VisualBasic.MsgBoxResult
Microsoft.VisualBasic Microsoft.VisualBasic.MsgBoxStyle
System.Data System.Data.SqlClient.SqlCommand
System.Data System.Data.SqlClient.SqlConnection
System.Windows.Forms System.Windows.Forms.MessageBox
System.Windows.Forms System.Windows.Forms.DialogResult
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.DesignerGeneratedAttribute
System.Drawing System.Drawing.SystemColors
System System.Text.RegularExpressions.Match
System System.Text.RegularExpressions.Regex
System System.Text.RegularExpressions.Group
System.Windows.Forms System.Windows.Forms.PictureBox
System.Drawing System.Drawing.Font
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
System.Windows.Forms System.Windows.Forms.BorderStyle
System System.ComponentModel.ISupportInitialize
System.Windows.Forms System.Windows.Forms.DataGridView
System.Windows.Forms System.Windows.Forms.BindingSource
System.Windows.Forms System.Windows.Forms.DataGridViewTextBoxColumn
System.Windows.Forms System.Windows.Forms.ContextMenuStrip
System.Windows.Forms System.Windows.Forms.ToolStripMenuItem
System.Windows.Forms System.Windows.Forms.DataGridViewColumnHeadersHeightSizeMode
System.Windows.Forms System.Windows.Forms.DataGridViewColumnCollection
System.Windows.Forms System.Windows.Forms.DataGridViewColumn
System System.ComponentModel.Container
System.Data System.Data.DataSet
System.Windows.Forms System.Windows.Forms.DataGridViewAutoSizeColumnsMode
System.Windows.Forms System.Windows.Forms.DataGridViewAutoSizeRowsMode
System.Windows.Forms System.Windows.Forms.ToolStripItem
System.Windows.Forms System.Windows.Forms.ToolStrip
System.Windows.Forms System.Windows.Forms.ToolStripItemCollection
System.Windows.Forms System.Windows.Forms.DataGridViewCellMouseEventHandler
System.Windows.Forms System.Windows.Forms.DataGridViewRowCollection
System.Windows.Forms System.Windows.Forms.DataGridViewRow
System.Windows.Forms System.Windows.Forms.MouseEventArgs
System.Windows.Forms System.Windows.Forms.MouseButtons
System.Windows.Forms System.Windows.Forms.DataGridViewCellMouseEventArgs
System.Windows.Forms System.Windows.Forms.Cursor
System.Windows.Forms System.Windows.Forms.ToolStripDropDown
System.Windows.Forms System.Windows.Forms.DataGridViewCellCollection
System.Windows.Forms System.Windows.Forms.DataGridViewCell
mscorlib System.Byte
mscorlib System.Text.Encoding
mscorlib System.Array
mscorlib System.Int32
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.NewLateBinding
mscorlib System.Boolean
System.Windows.Forms System.Windows.Forms.GroupBox
System.Windows.Forms System.Windows.Forms.PictureBoxSizeMode
System.Windows.Forms System.Windows.Forms.ImageLayout
System.Data System.Data.SchemaSerializationMode
System System.ComponentModel.CollectionChangeEventHandler
System.Data System.Data.DataTableCollection
System.Data System.Data.DataRelationCollection
mscorlib System.Runtime.Serialization.SerializationInfo
mscorlib System.Runtime.Serialization.StreamingContext
mscorlib System.IO.StringReader
System.Xml System.Xml.XmlTextReader
mscorlib System.IO.TextReader
System.Xml System.Xml.XmlReader
System.Data System.Data.DataTable
System.Data System.Data.MissingSchemaAction
System.Data System.Data.XmlReadMode
System.Xml System.Xml.Schema.XmlSchema
mscorlib System.IO.MemoryStream
System.Xml System.Xml.XmlTextWriter
mscorlib System.IO.Stream
System.Xml System.Xml.XmlWriter
System.Xml System.Xml.Schema.ValidationEventHandler
System System.ComponentModel.CollectionChangeEventArgs
System System.ComponentModel.CollectionChangeAction
System.Xml System.Xml.Schema.XmlSchemaComplexType
System.Xml System.Xml.Schema.XmlSchemaSequence
System.Xml System.Xml.Schema.XmlSchemaAny
mscorlib System.Collections.IEnumerator
System.Xml System.Xml.Schema.XmlSchemaObjectCollection
System.Xml System.Xml.Schema.XmlSchemaObject
System.Xml System.Xml.Schema.XmlSchemaSet
mscorlib System.Collections.ICollection
mscorlib System.Collections.IEnumerable
System.Xml System.Xml.Schema.XmlSchemaParticle
System System.ComponentModel.BrowsableAttribute
System System.ComponentModel.DesignerSerializationVisibilityAttribute
System System.ComponentModel.DesignerSerializationVisibility
System System.ComponentModel.DesignerCategoryAttribute
System System.ComponentModel.ToolboxItemAttribute
System.Xml System.Xml.Serialization.XmlSchemaProviderAttribute
System.Xml System.Xml.Serialization.XmlRootAttribute
mscorlib System.MulticastDelegate
mscorlib System.IAsyncResult
mscorlib System.AsyncCallback
System.Data.DataSetExtensions System.Data.TypedTableBase`1
System.Data System.Data.DataColumn
System.Data System.Data.DataRowCollection
System.Data System.Data.DataRow
mscorlib System.Threading.Interlocked
mscorlib System.Delegate
System.Data System.Data.DataColumnCollection
System.Data System.Data.MappingType
System.Data System.Data.ConstraintCollection
System.Data System.Data.UniqueConstraint
System.Data System.Data.Constraint
System.Data System.Data.DataRowBuilder
System.Data System.Data.DataRowChangeEventArgs
System.Data System.Data.DataRowAction
System.Xml System.Xml.Schema.XmlSchemaAttribute
mscorlib System.Decimal
System.Xml System.Xml.Schema.XmlSchemaContentProcessing
mscorlib System.Reflection.DefaultMemberAttribute
mscorlib System.InvalidCastException
System.Data System.Data.StrongTypingException
mscorlib System.Convert
System.Data System.Data.SqlClient.SqlDataAdapter
System.Data System.Data.SqlClient.SqlTransaction
System.Data System.Data.Common.DataTableMapping
System.Data System.Data.Common.DataColumnMappingCollection
System.Data System.Data.Common.DataColumnMapping
System.Data System.Data.CommandType
System.Data System.Data.SqlClient.SqlParameterCollection
System.Data System.Data.SqlClient.SqlParameter
System.Data System.Data.SqlDbType
System.Data System.Data.ParameterDirection
System.Data System.Data.DataRowVersion
System.Data System.Data.Common.DataAdapter
System.Data System.Data.Common.DataTableMappingCollection
System.Data System.Data.Common.DbDataAdapter
System System.ComponentModel.DataObjectMethodAttribute
System System.ComponentModel.DataObjectMethodType
System.Data System.Data.ConnectionState
mscorlib System.ArgumentNullException
System System.ComponentModel.DataObjectAttribute
System System.ComponentModel.DesignerAttribute
mscorlib System.DBNull
mscorlib System.Nullable`1
System.Data System.Data.IDbConnection
System.Data System.Data.DataViewRowState
mscorlib System.Collections.Generic.List`1
mscorlib System.Collections.Generic.IEnumerable`1
System.Data System.Data.IDbTransaction
mscorlib System.Collections.Generic.Dictionary`2
mscorlib System.ApplicationException
System System.Diagnostics.Debug
mscorlib System.Collections.Generic.IComparer`1
System.Data System.Data.DataRelation
mscorlib System.StringComparison
System System.ComponentModel.EditorAttribute
mscorlib System.Enum
mscorlib System.Collections.Generic.IDictionary`2
mscorlib System.Collections.Generic.ICollection`1
mscorlib System.Collections.Generic.KeyValuePair`2
System.Windows.Forms System.Windows.Forms.DataGridViewClipboardCopyMode
System.Data System.Data.SqlClient.SqlDataReader
System.Windows.Forms System.Windows.Forms.ComboBox
System.Windows.Forms System.Windows.Forms.ComboBox/ObjectCollection
System System.ComponentModel.ComponentResourceManager
System.Drawing System.Drawing.Icon
System.Windows.Forms System.Windows.Forms.DataGridViewCellBorderStyle
System.Windows.Forms System.Windows.Forms.LinkLabel
System.Windows.Forms System.Windows.Forms.LinkLabelLinkClickedEventArgs
System.Windows.Forms System.Windows.Forms.TextBoxBase
System.Drawing System.Drawing.ContentAlignment
System.Windows.Forms System.Windows.Forms.LinkLabelLinkClickedEventHandler
System.Windows.Forms System.Windows.Forms.TableLayoutPanel
System.Windows.Forms System.Windows.Forms.TableLayoutRowStyleCollection
System.Windows.Forms System.Windows.Forms.RowStyle
System.Windows.Forms System.Windows.Forms.SizeType
System.Windows.Forms System.Windows.Forms.FormBorderStyle
System.Windows.Forms System.Windows.Forms.FormStartPosition
System.Windows.Forms System.Windows.Forms.TableLayoutColumnStyleCollection
System.Windows.Forms System.Windows.Forms.ColumnStyle
System.Windows.Forms System.Windows.Forms.DockStyle
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.ApplicationBase
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.AssemblyInfo
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
ae M~
H)X 2I
Ye* *
S:# \
$Y vAp
f ?4S
a /%f
Ye* ,2
c DE3
cf* e`.
e N`.
c k$R&Ye
(Y* qW
5! L/
X* i,
Ye a)
X !r3
Ye* ok
bf*f+
'Y* ?
Y* b{
cf* ]
a* 4!
a* IR
Xee*
ce* A
Xf* M
a* [D
;!Y*6+
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
IconData
IconSize
System.Drawing.Size
System.Drawing.Size
width
height
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
v4.0.30319
#Strings
#GUID
#Blob
Nullable`1
IEnumerable`1
TypedTableBase`1
ICollection`1
IComparer`1
List`1
SplashScreen1
Int32
KeyValuePair`2
IDictionary`2
get_PictureBox3
set_PictureBox3
<Module>
SizeF
System.IO
value__
System.Xml.Schema
GetTypedTableSchema
ReadXmlSchema
WriteXmlSchema
GetTypedDataSetSchema
System.Data
GetSerializationData
ProjectData
GetData
Xosh_Maza
FromArgb
mscorlib
System.Collections.Generic
Microsoft.VisualBasic
add_Load
get_Red
get_DarkRed
SetAdded
add_CollectionChanged
OnRowChanged
add_LoginRowChanged
remove_LoginRowChanged
add_AdminRowChanged
remove_AdminRowChanged
add_BooksRowChanged
remove_BooksRowChanged
add_ChatsRowChanged
remove_ChatsRowChanged
add_SupportRowChanged
remove_SupportRowChanged
add_LinkClicked
remove_LinkClicked
Interlocked
set_DoubleBuffered
get_IsDisposed
set_Selected
OnRowDeleted
add_LoginRowDeleted
remove_LoginRowDeleted
add_AdminRowDeleted
remove_AdminRowDeleted
add_BooksRowDeleted
remove_BooksRowDeleted
add_ChatsRowDeleted
remove_ChatsRowDeleted
add_SupportRowDeleted
remove_SupportRowDeleted
IsBinarySerialized
Synchronized
get_UpdateCommand
set_UpdateCommand
get_DeleteCommand
set_DeleteCommand
SqlCommand
set_SelectCommand
get_InsertCommand
set_InsertCommand
TargetMethod
Original_Password
get_Password
set_Password
get_ButtonFace
get_Namespace
set_Namespace
get_TargetNamespace
get_AppWorkspace
StackTrace
set_IsSingleInstance
CreateInstance
XmlSchemaSequence
set_DataSource
BindingSource
GetHashCode
XmlReadMode
set_AutoScaleMode
set_SizeMode
set_ColumnHeadersHeightSizeMode
DataGridViewColumnHeadersHeightSizeMode
PictureBoxSizeMode
AuthenticationMode
get_SchemaSerializationMode
set_SchemaSerializationMode
DetermineSchemaSerializationMode
ShutdownMode
set_AutoSizeColumnsMode
DataGridViewAutoSizeColumnsMode
set_AutoSizeRowsMode
DataGridViewAutoSizeRowsMode
set_ClipboardCopyMode
DataGridViewClipboardCopyMode
get_BigEndianUnicode
DeactivateSubPage
ProfilePage
HomePage
MainPage
AdminLoginPage
SettingsPage
ChatPage
ForgotPage
PostPage
get_Message
AddRange
CompareExchange
Merge
get_WhiteSmoke
EndInvoke
BeginInvoke
get_Locale
set_Locale
get_Table
LoginDataTable
AdminDataTable
BooksDataTable
ChatsDataTable
SupportDataTable
dataTable
set_SourceTable
set_DataSetTable
IEnumerable
IDisposable
Hashtable
GetSchemaSerializable
ReadXmlSerializable
set_Particle
XmlSchemaParticle
RuntimeTypeHandle
GetTypeFromHandle
Original_Title
get_Title
set_Title
FindByTitle
DockStyle
ColumnStyle
set_ShutdownStyle
set_BorderStyle
set_CellBorderStyle
DataGridViewCellBorderStyle
set_FormBorderStyle
FontStyle
RowStyle
MsgBoxStyle
set_Name
get_TableName
set_TableName
Original_UserName
get_UserName
set_UserName
FindByUserName
get_DataSetName
set_DataSetName
set_DataPropertyName
get_Lime
AdminHome
Combine
set_Multiline
Original_Phone
get_Phone
set_Phone
Clone
SqlDbType
set_CommandType
DataObjectMethodType
CheckForSyncLockOnValueType
SizeType
MappingType
GetRowType
XmlSchemaComplexType
Compare
WindowsFormsApplicationBase
ButtonBase
ApplicationSettingsBase
TextBoxBase
Close
Dispose
get_BackupDataSetBeforeUpdate
set_BackupDataSetBeforeUpdate
get_AcceptChangesDuringUpdate
set_AcceptChangesDuringUpdate
MulticastDelegate
get_Chocolate
get_State
DelegateAsyncState
DebuggerBrowsableState
EditorBrowsableState
ConnectionState
DataViewRowState
InsertUpdateDelete
UpdateInsertDelete
get_White
Write
XmlSchemaAttribute
ThreadStaticAttribute
STAThreadAttribute
CompilerGeneratedAttribute
DesignerGeneratedAttribute
GuidAttribute
DataObjectMethodAttribute
HelpKeywordAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
DebuggerBrowsableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
StandardModuleAttribute
HideModuleNameAttribute
DefaultSettingValueAttribute
ApplicationScopedSettingAttribute
SpecialSettingAttribute
DebuggerStepThroughAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
ToolboxItemAttribute
DebuggerHiddenAttribute
AssemblyFileVersionAttribute
MyGroupCollectionAttribute
AssemblyDescriptionAttribute
DefaultMemberAttribute
XmlSchemaProviderAttribute
DesignerAttribute
EditorAttribute
CompilationRelaxationsAttribute
DataObjectAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
XmlRootAttribute
AssemblyCompanyAttribute
DesignerCategoryAttribute
DesignerSerializationVisibilityAttribute
RuntimeCompatibilityAttribute
AccessedThroughPropertyAttribute
ReadByte
get_Blue
get_SteelBlue
get_MidnightBlue
get_Value
set_Value
set_FixedValue
get_HasValue
WithEventsValue
GetObjectValue
GetValue
set_Unique
add_Leave
remove_Leave
get_Olive
get_CaseSensitive
set_CaseSensitive
Remove
6FNEaMg3dNB7sGi.exe
set_Size
set_AutoSize
set_ClientSize
ISupportInitialize
IndexOf
System.Threading
NewLateBinding
Encoding
OnRowChanging
add_LoginRowChanging
remove_LoginRowChanging
add_AdminRowChanging
remove_AdminRowChanging
add_BooksRowChanging
remove_BooksRowChanging
add_ChatsRowChanging
remove_ChatsRowChanging
add_SupportRowChanging
remove_SupportRowChanging
System.Runtime.Versioning
DataTableMapping
DataColumnMapping
get_UseCompatibleTextRendering
GetResourceString
CompareString
get_ScrapDBConnectionString
get_ConnectionString
set_ConnectionString
ToString
disposing
XmlSchemaContentProcessing
OnRowDeleting
add_LoginRowDeleting
remove_LoginRowDeleting
add_AdminRowDeleting
remove_AdminRowDeleting
add_BooksRowDeleting
remove_BooksRowDeleting
add_ChatsRowDeleting
remove_ChatsRowDeleting
add_SupportRowDeleting
remove_SupportRowDeleting
SpecialSetting
System.Drawing
Debug
Match
set_Width
get_Length
SetLength
set_MaxLength
6FNEaMg3dNB7sGi
AsyncCallback
DelegateCallback
Rollback
get_Black
EmailAddressCheck
add_Click
remove_Click
set_Dock
NextSink
ScrapBook
get_Teal
ToDecimal
LinkLabel
writelabeltolabel
writetextboxtolabel
System.ComponentModel
TableLayoutPanel
Original_Email
get_Email
set_Email
UpdateAll
set_CurrentCell
DataGridViewCell
get_ClearBeforeFill
set_ClearBeforeFill
set_AllowDBNull
IsPhoneNull
SetPhoneNull
IsEmailNull
SetEmailNull
IsOccupationNull
SetOccupationNull
IsNull
IsAboutNull
SetAboutNull
IsReplyNull
SetReplyNull
System.Xml
ReadXml
get_Control
ContainerControl
ObjectFlowControl
MemoryStream
get_Item
set_Item
ToolStripItem
ToolStripMenuItem
System
set_MainForm
OnCreateMainForm
get_Tan
Boolean
get_DarkOliveGreen
get_DarkGreen
set_SplashScreen
OnCreateSplashScreen
set_ImageAlign
System.ComponentModel.Design
get_Login
Original_Admin
get_Admin
set_Admin
FindByAdmin
DataColumn
get_PasswordColumn
get_TitleColumn
get_UserNameColumn
get_PhoneColumn
get_EmailColumn
get_AdminColumn
get_OccupationColumn
get_AuthorColumn
get_MessagesColumn
get_DetailsColumn
get_AboutColumn
DataGridViewColumn
DataGridViewTextBoxColumn
get_ReplyColumn
set_Icon
DataRowVersion
Application
get_Location
set_Location
DataRelation
relation
Original_Occupation
get_Occupation
set_Occupation
System.Configuration
System.Globalization
System.Runtime.Serialization
System.Xml.Serialization
get_Action
MissingSchemaAction
CollectionChangeAction
DataRowAction
Interaction
set_Transaction
IDbTransaction
SqlTransaction
BeginTransaction
System.Reflection
ICollection
get_CommandCollection
DataTableCollection
TableLayoutColumnStyleCollection
TableLayoutRowStyleCollection
DataTableMappingCollection
DataColumnMappingCollection
DataGridViewCellCollection
ControlCollection
ToolStripItemCollection
DataColumnCollection
DataGridViewColumnCollection
DataRelationCollection
SqlParameterCollection
XmlSchemaObjectCollection
ConstraintCollection
DataRowCollection
DataGridViewRowCollection
get_Connection
set_Connection
IDbConnection
SqlConnection
MatchTableAdapterConnection
inputConnection
ParameterDirection
get_Position
set_Position
set_StartPosition
FormStartPosition
UpdateOrderOption
StrongTypingException
ArgumentNullException
SqlException
ApplicationException
TargetInvocationException
InvalidOperationException
get_InnerException
ArgumentException
InvalidCastException
get_Salmon
get_LightSalmon
System.Data.Common
StringComparison
get_Crimson
get_Button
ToolStripDropDown
add_Shutdown
get_Brown
get_SandyBrown
get_RosyBrown
CompareTo
CopyTo
get_Info
CultureInfo
SerializationInfo
AssemblyInfo
get_Tomato
add_CellMouseUp
remove_CellMouseUp
Bitmap
ToolStrip
ContextMenuStrip
set_TabStop
Group
set_ShowInTaskbar
Clear
set_PasswordChar
set_DataMember
SqlDataReader
ExecuteReader
StringReader
XmlReader
XmlTextReader
reader
NewRowFromBuilder
DataRowBuilder
builder
sender
get_UpdateOrder
set_UpdateOrder
ComponentResourceManager
TableAdapterManager
BooksHandler
UsersHandler
LinkLabelLinkClickedEventHandler
CollectionChangeEventHandler
LoginRowChangeEventHandler
AdminRowChangeEventHandler
BooksRowChangeEventHandler
ChatsRowChangeEventHandler
SupportRowChangeEventHandler
DataGridViewCellMouseEventHandler
ValidationEventHandler
ShutdownEventHandler
SupportHandler
System.CodeDom.Compiler
IContainer
AddUpdateUser
SqlParameter
XmlWriter
XmlTextWriter
add_Enter
remove_Enter
get_Adapter
DbDataAdapter
SqlDataAdapter
get_LoginTableAdapter
set_LoginTableAdapter
get_AdminTableAdapter
set_AdminTableAdapter
get_BooksTableAdapter
set_BooksTableAdapter
get_ChatsTableAdapter
set_ChatsTableAdapter
get_SupportTableAdapter
set_SupportTableAdapter
Computer
Original_Author
get_Author
set_Author
set_GridColor
set_BackgroundColor
set_ForeColor
set_BackColor
set_UseVisualStyleBackColor
set_LinkColor
set_VisitedLinkColor
ClearProjectError
SetProjectError
Cursor
Compressor
IEnumerator
InternalPartitionEnumerator
GetEnumerator
Activator
.ctor
.cctor
Monitor
Schemas
System.Diagnostics
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.ApplicationServices
System.Runtime.InteropServices
Microsoft.VisualBasic.CompilerServices
System.Runtime.CompilerServices
System.Resources
ScrapBook.My.Resources
ScrapBook.SplashScreen1.resources
ScrapBook.DeactivateSubPage.resources
ScrapBook.ProfilePage.resources
ScrapBook.HomePage.resources
ScrapBook.MainPage.resources
ScrapBook.AdminLoginPage.resources
ScrapBook.SettingsPage.resources
ScrapBook.ChatPage.resources
ScrapBook.ForgotPage.resources
ScrapBook.PostPage.resources
ScrapBook.AdminHome.resources
ScrapBook.BooksHandler.resources
ScrapBook.UsersHandler.resources
ScrapBook.SupportHandler.resources
ScrapBook.AddUpdateUser.resources
ScrapBook.Resources.resources
ScrapBook.AddUpdateBooks.resources
ScrapBook.Credits.resources
ScrapBook.Support.resources
ScrapBook.AddUpdateSupport.resources
ScrapBook.ChatPost.resources
DebuggingModes
get_Messages
set_Messages
HasChanges
AcceptChanges
get_Tables
ShouldSerializeTables
set_EnableVisualStyles
get_ColumnStyles
get_RowStyles
GetTypes
get_Attributes
GetBytes
get_TableMappings
get_ColumnMappings
MySettings
LinkLabelLinkClickedEventArgs
CollectionChangeEventArgs
DataRowChangeEventArgs
DataGridViewCellMouseEventArgs
get_Books
AddUpdateBooks
ReferenceEquals
get_Details
set_Details
Utils
get_Cells
get_Controls
get_Items
System.Windows.Forms
Contains
get_Columns
set_AutoGenerateColumns
set_AllowUserToOrderColumns
set_AutoScaleDimensions
System.Data.DataSetExtensions
Conversions
System.Text.RegularExpressions
get_Relations
ShouldSerializeRelations
System.Collections
MouseButtons
RuntimeHelpers
get_Parameters
ScrapBook.ScrapDBDataSetTableAdapters
SystemColors
Operators
set_MinOccurs
set_MaxOccurs
get_Success
emailaddress
get_Chats
Credits
set_ProcessContents
get_Constraints
get_EnforceConstraints
set_EnforceConstraints
Focus
get_Rows
dataRows
set_AllowUserToAddRows
SortSelfReferenceRows
set_AllowUserToDeleteRows
RemoveAt
Concat
XmlSchemaObject
GetObject
TargetObject
Select
LateGet
LateIndexGet
XmlSchemaSet
ScrapDBDataSet
get_DataSet
InitializeDerivedDataSet
dataSet
get_Violet
get_DarkViolet
Reset
get_ButtonHighlight
get_MenuHighlight
Commit
EndInit
BeginInit
GraphicsUnit
get_SaveMySettingsOnExit
set_SaveMySettingsOnExit
SetCompatibleTextRenderingDefault
IAsyncResult
DelegateAsyncResult
DialogResult
MsgBoxResult
System.Data.SqlClient
ContentAlignment
Component
get_Transparent
get_Current
LoginRowChangeEvent
AdminRowChangeEvent
BooksRowChangeEvent
ChatsRowChangeEvent
SupportRowChangeEvent
UniqueConstraint
Point
set_Font
get_Count
get_TableAdapterInstanceCount
set_ColumnCount
Insert
Assert
Convert
get_Support
AddUpdateSupport
ChatPost
childFirst
get_About
set_About
SuspendLayout
set_BackgroundImageLayout
ResumeLayout
PerformLayout
MoveNext
System.Text
get_Text
set_Text
set_CommandText
get_ActiveCaptionText
set_HeaderText
StreamingContext
context
get_Peru
DataGridView
get_Row
DataRow
dataRow
AddLoginRow
RemoveLoginRow
NewLoginRow
AddAdminRow
RemoveAdminRow
NewAdminRow
AddBooksRow
RemoveBooksRow
NewBooksRow
AddChatsRow
RemoveChatsRow
NewChatsRow
GetParentRow
AddSupportRow
RemoveSupportRow
NewSupportRow
get_IsNewRow
DataGridViewRow
get_Yellow
set_TabIndex
get_RowIndex
index
Regex
get_Prefix
set_Prefix
MessageBox
PictureBox
set_MinimizeBox
set_MaximizeBox
MsgBox
set_ControlBox
ComboBox
GroupBox
TextBox
ScrapBook.My
get_SlateGray
set_ItemArray
ToArray
CopyArray
ContainsKey
get_Assembly
set_ReadOnly
get_Reply
set_Reply
XmlSchemaAny
ExecuteNonQuery
get_MinimumCapacity
set_MinimumCapacity
DesignerSerializationVisibility
MyTemplate
11.0.0.0
My.Computer
My.Application
My.User
My.Forms
My.WebServices
System.Windows.Forms.Form
Create__Instance__
Dispose__Instance__
My.MyProject.Forms
4System.Web.Services.Protocols.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
RData Source=(localdb)\ProjectsV13;Initial Catalog=ScrapDB;Integrated Security=True
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
16.7.0.0
My.Settings
(System.Data.Design.TypedDataSetGenerator
16.0.0.0
GetTypedDataSetSchema
ScrapDBDataSet
vs.data.DataSet
GetTypedTableSchema
vs.data.TableAdapter
Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Microsoft.VSDesigner.DataSource.Design.TableAdapterManagerPropertyEditor, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"System.Drawing.Design.UITypeEditor
Microsoft.VSDesigner.DataSource.Design.TableAdapterManagerDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
vs.data.TableAdapterManager
PictureBox3
WrapNonExceptionThrows
ScrapBook
Copyright
2017
$1c6213db-06c8-4009-b436-92604df14741
1.0.0.0
.NETFramework,Version=v4.0
FrameworkDisplayName
.NET Framework 4
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
$this.Icon
orNqHBPJ
WinForms_RecursiveFormCreate
WinForms_SeeInnerException
Property can only be set to Nothing
ScrapBook.Resources
orNqHBPJ
ScrapDBConnectionString
Author
TextBox3
Button1
AboutBook
Label1
Button3
TextBox1
Delete
BookTitle
AddUpdateBooks
Label2
Label3
Button2
Update
TextBox2
Don't keep blank Credentials for Title
Don't keep blank Credentials for Details
Don't keep blank Credentials for Author
insert into Books (Title, Details, Author) values ('
Book Posted
Delete From Books Where Title='
Book Deleted
Update Books Set Details='
', Author = '
' WHERE Title='
Book Updated
Reply
AddUpdateSupport
Message
UserName
Don't keep blank Credentials for User
Don't keep blank Credentials for message
Update Support Set Reply='
' WHERE UserName='
Replied User
Delete From Support Where UserName='
Messages Deleted
TextBox4
TextBox5
Password
Email
Label5
About
Label4
TextBox6
Occupation
Label6
Phone
AddUpdateUser
Don't keep blank Credentials for UserName
Don't keep blank Credentials for Password
Update Login Set Password='
', Email = '
' , About = '
', Occupation = '
', Phone = '
Profile Updated
Delete From login Where UserName='
Profile Deleted
insert into Login (UserName, Password, About, Email, Phone, Occupation) values ('
Profile Added
Enter a Valid Email
Warning
^[a-zA-Z][\w\.-]*[a-zA-Z0-9]@[a-zA-Z0-9][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$
SupportHandler DB
Microsoft Sans Serif
PictureBox1
BooksHandler DB
AdminHome
Button4
UsersHandler DB
SignOut
Button6
Users DB
DataGridView1
ScrapDBDataSet
Details
DetailsDataGridViewTextBoxColumn
Title
TitleDataGridViewTextBoxColumn
Support DB
BooksHandler
BooksHandlerDB
Refresh
AuthorDataGridViewTextBoxColumn
Books
Button7
Sign Out
Delete Row
Button5
ContextMenuStrip1
DeleteRowToolStripMenuItem
ChatPost
ChatForm
Message:
UserName:
Please fill the blank boxes
insert into Chats (UserName,Messages) values ('
CreateInstance
Green
ScrapBook
GroupBox4
Credits
GroupBox5
Sarvesh Kumar Modi
15YASB7111
Tejram Patel
15YASB7128
PictureBox2
GroupBox3
Georgia
Vishnu KP
15YASB7137
PictureBox3
GroupBox1
XmlSchema
Admin
Chats
Login
Support
http://tempuri.org/ScrapDBDataSet.xsd
Constraint1
http://www.w3.org/2001/XMLSchema
namespace
urn:schemas-microsoft-com:xml-diffgram-v1
AdminDataTable
tableTypeName
BooksDataTable
Messages
ChatsDataTable
LoginDataTable
SupportDataTable
The value for column 'About' in table 'Login' is DBNull.
The value for column 'Email' in table 'Login' is DBNull.
The value for column 'Occupation' in table 'Login' is DBNull.
The value for column 'Phone' in table 'Login' is DBNull.
The value for column 'Reply' in table 'Support' is DBNull.
UPDATE [dbo].[Admin] SET [Admin] = @Admin, [Password] = @Password WHERE (([Admin] = @Original_Admin) AND ([Password] = @Original_Password));
SELECT Admin, Password FROM Admin WHERE (Admin = @Admin)
Table
@Original_Admin
@Original_Password
@Admin
@Password
INSERT INTO [dbo].[Admin] ([Admin], [Password]) VALUES (@Admin, @Password);
SELECT Admin, Password FROM Admin WHERE (Admin = @Admin)
DELETE FROM [dbo].[Admin] WHERE (([Admin] = @Original_Admin) AND ([Password] = @Original_Password))
SELECT Admin, Password FROM dbo.Admin
Original_Admin
Original_Password
@Details
@Author
DELETE FROM [dbo].[Books] WHERE (([Title] = @Original_Title) AND ([Author] = @Original_Author))
@Original_Author
INSERT INTO [dbo].[Books] ([Title], [Details], [Author]) VALUES (@Title, @Details, @Author);
SELECT Title, Details, Author FROM Books WHERE (Title = @Title)
@Original_Title
@Title
UPDATE [dbo].[Books] SET [Title] = @Title, [Details] = @Details, [Author] = @Author WHERE (([Title] = @Original_Title) AND ([Author] = @Original_Author));
SELECT Title, Details, Author FROM Books WHERE (Title = @Title)
SELECT Title, Details, Author FROM dbo.Books
Original_Title
Original_Author
@Original_UserName
@Messages
@UserName
UPDATE [dbo].[Chats] SET [UserName] = @UserName, [Messages] = @Messages WHERE (([UserName] = @Original_UserName));
SELECT UserName, Messages FROM Chats WHERE (UserName = @UserName)
INSERT INTO [dbo].[Chats] ([UserName], [Messages]) VALUES (@UserName, @Messages);
SELECT UserName, Messages FROM Chats WHERE (UserName = @UserName)
DELETE FROM [dbo].[Chats] WHERE (([UserName] = @Original_UserName))
SELECT UserName, Messages FROM dbo.Chats
Original_UserName
@IsNull_Email
@Original_Email
@IsNull_Occupation
@Original_Occupation
@Original_Phone
@IsNull_Phone
@Occupation
@Phone
@About
@Email
DELETE FROM [dbo].[Login] WHERE (([UserName] = @Original_UserName) AND ([Password] = @Original_Password) AND ((@IsNull_Email = 1 AND [Email] IS NULL) OR ([Email] = @Original_Email)) AND ((@IsNull_Occupation = 1 AND [Occupation] IS NULL) OR ([Occupation] = @Original_Occupation)) AND ((@IsNull_Phone = 1 AND [Phone] IS NULL) OR ([Phone] = @Original_Phone)))
INSERT INTO [dbo].[Login] ([UserName], [Password], [About], [Email], [Occupation], [Phone]) VALUES (@UserName, @Password, @About, @Email, @Occupation, @Phone);
SELECT UserName, Password, About, Email, Occupation, Phone FROM Login WHERE (UserName = @UserName)
UPDATE [dbo].[Login] SET [UserName] = @UserName, [Password] = @Password, [About] = @About, [Email] = @Email, [Occupation] = @Occupation, [Phone] = @Phone WHERE (([UserName] = @Original_UserName) AND ([Password] = @Original_Password) AND ((@IsNull_Email = 1 AND [Email] IS NULL) OR ([Email] = @Original_Email)) AND ((@IsNull_Occupation = 1 AND [Occupation] IS NULL) OR ([Occupation] = @Original_Occupation)) AND ((@IsNull_Phone = 1 AND [Phone] IS NULL) OR ([Phone] = @Original_Phone)));
SELECT UserName, Password, About, Email, Occupation, Phone FROM Login WHERE (UserName = @UserName)
SELECT UserName, Password, About, Email, Occupation, Phone FROM dbo.Login
INSERT INTO [dbo].[Support] ([UserName], [Messages], [Reply]) VALUES (@UserName, @Messages, @Reply);
SELECT UserName, Messages, Reply FROM Support WHERE (UserName = @UserName)
DELETE FROM [dbo].[Support] WHERE (([UserName] = @Original_UserName))
UPDATE [dbo].[Support] SET [UserName] = @UserName, [Messages] = @Messages, [Reply] = @Reply WHERE (([UserName] = @Original_UserName));
SELECT UserName, Messages, Reply FROM Support WHERE (UserName = @UserName)
@Reply
SELECT UserName, Messages, Reply FROM dbo.Support
dataSet
All TableAdapters managed by a TableAdapterManager must use the same connection string.
TableAdapterManager contains no connection information. Set each TableAdapterManager TableAdapter property to a valid TableAdapter instance.
The transaction cannot begin. The current data connection does not support transactions or the current state is not allowing the transaction to begin.
UserNameDataGridViewTextBoxColumn
MessagesDataGridViewTextBoxColumn
Post to Support
ReplyDataGridViewTextBoxColumn
Please fill the blank boxe
insert into Support (UserName, Messages) values ('
Support Message Sent
SupportHandler
Books DB
OccupationDataGridViewTextBoxColumn
PhoneDataGridViewTextBoxColumn
UsersHandler
UserHandlerDB
PasswordDataGridViewTextBoxColumn
AboutDataGridViewTextBoxColumn
EmailDataGridViewTextBoxColumn
AdminLoginPage
Go Back
ScrapBook Admin
Log In
Don't leave Blank Credentials
select Admin, Password from Admin where Admin = '
'AND Password = '
OOOps login failed
ChatPage
GroupBox2
Integrated Security=true; Initial Catalog = ScrapDB ; Data source=(localdb)\ProjectsV13;
Sign Up Again
Your Account is Deactivated
DeactivateSubPage
Deactivation
Reset
ForgotPage
Forgot Password
NewPassWord
Update login Set Password = '
' WHERE Email ='
Passowrd Resest Done!!!
PostPage
About The Book
Book Title
Don't keep blank credentials
insert into Books (Title, Details, Author) values ('
Book Posted!!!
Server= (localdb)\ProjectsV13; Database = ScrapDB; Integrated Security = true
ComboBox1
Reader
Publisher
Save/Update
ProfilePage
Profile Page
About you
Update login Set Email = '
', Phone =
WHERE UserName='
$this.Icon
HomePage
Home
Profile
Settings
select UserName, Password from Login where UserName = '
Ooops!! Login Failed
Welcome Back...!!!
insert into Login (UserName, Password, Email) values ('
Welcome New User...!!!
Email*
LinkLabel1
User Name*
helps you learn and share with the people in your life.
Sign Up
Label8
Forgot Password ?
Label7
Password*
MainPage
Login/SignUp
Create An Account
Welcome to ScrapBook
Ask For Support
SettingsPage
Deactivate Account
Update Profile
Profile Deactivated
SplashScreen1
MainLayoutPanel
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
ScrapBook
FileVersion
1.0.0.0
InternalName
OhJ6.exe
LegalCopyright
Copyright
2017
LegalTrademarks
OriginalFilename
OhJ6.exe
ProductName
ScrapBook
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0

Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean Elastic malicious (high confidence) MicroWorld-eScan Clean
CMC Clean CAT-QuickHeal Clean ALYac Clean
Cylance Clean VIPRE Clean SUPERAntiSpyware Clean
Sangfor Clean K7AntiVirus Clean Alibaba Trojan:Win32/starter.ali1000139
K7GW Clean Cybereason Clean Invincea Generic ML PUA (PUA)
Baidu Clean Cyren W32/Trojan.SW.gen!Eldorado Symantec ML.Attribute.HighConfidence
TotalDefense Clean APEX Malicious Avast Clean
ClamAV Clean Kaspersky UDS:DangerousObject.Multi.Generic BitDefender Clean
NANO-Antivirus Clean Paloalto Clean AegisLab Clean
Tencent Clean Ad-Aware Clean Sophos Clean
Comodo Clean F-Secure Clean DrWeb Clean
Zillya Clean TrendMicro Clean McAfee-GW-Edition BehavesLike.Win32.Generic.jc
MaxSecure Trojan.Malware.300983.susgen FireEye Generic.mg.fbf6c63acd92d191 Emsisoft Clean
SentinelOne DFI - Malicious PE GData Clean Jiangmin Clean
Webroot Clean Avira Clean MAX Clean
Antiy-AVL Clean Kingsoft Clean Arcabit Clean
ViRobot Clean ZoneAlarm UDS:DangerousObject.Multi.Generic Microsoft Trojan:Win32/AgentTesla!ml
Cynet Clean AhnLab-V3 Clean Acronis Clean
McAfee PWS-FCRK!FBF6C63ACD92 TACHYON Clean VBA32 Clean
Malwarebytes Clean Zoner Clean ESET-NOD32 Clean
TrendMicro-HouseCall Clean Rising Clean Yandex Clean
Ikarus Clean eGambit Clean Fortinet MSIL/Kryptik.YFO!tr
BitDefenderTheta Clean AVG FileRepMalware Panda Clean
CrowdStrike Clean Qihoo-360 HEUR/QVM03.0.A7DB.Malware.Gen
Sorry! No behavior.

Hosts

Direct IP Country Name
N 91.193.75.93 [VT] Serbia
Y 8.8.8.8 [VT] United States
N 185.140.53.228 [VT] Germany
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.5 49199 185.140.53.228 u875414.nvpn.to 2404
192.168.1.5 49200 91.193.75.93 u875414.nsupdate.info 2404

UDP

Source Source Port Destination Destination Port
192.168.1.5 50775 1.1.1.1 53
192.168.1.5 52876 1.1.1.1 53
192.168.1.5 54312 1.1.1.1 53
192.168.1.5 61410 1.1.1.1 53
192.168.1.5 63931 1.1.1.1 53
192.168.1.5 137 192.168.1.255 137
192.168.1.5 50775 8.8.8.8 53
192.168.1.5 54312 8.8.8.8 53
192.168.1.5 54724 8.8.8.8 53
192.168.1.5 61410 8.8.8.8 53
192.168.1.5 63931 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
u875414.nvpn.to [VT] A 185.140.53.228 [VT] 185.140.53.228 [VT]
u875414.duckdns.org [VT] NXDOMAIN
u875414.ddns.net [VT]
u875414.nsupdate.info [VT] A 91.193.75.93 [VT] 91.193.75.93 [VT]

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.1.5 1.1.1.1 3
192.168.1.5 1.1.1.1 3
192.168.1.5 1.1.1.1 3
192.168.1.5 1.1.1.1 3
192.168.1.5 1.1.1.1 3
192.168.1.5 1.1.1.1 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-10-18 06:37:44.172 192.168.1.5 [VT] 49181 13.107.42.23 [VT] 443 TCP 1 2028397 2 ET JA3 Hash - Possible Malware - Various Malspam/RigEK Unknown Traffic 3
2020-10-18 06:38:00.298 192.168.1.5 [VT] 54724 8.8.8.8 [VT] 53 UDP 1 2027757 5 ET DNS Query for .to TLD Potentially Bad Traffic 2
2020-10-18 06:38:01.292 192.168.1.5 [VT] 54724 8.8.8.8 [VT] 53 UDP 1 2027757 5 ET DNS Query for .to TLD Potentially Bad Traffic 2
2020-10-18 06:38:02.293 192.168.1.5 [VT] 54724 8.8.8.8 [VT] 53 UDP 1 2027757 5 ET DNS Query for .to TLD Potentially Bad Traffic 2
2020-10-18 06:38:13.127 192.168.1.5 [VT] 63931 8.8.8.8 [VT] 53 UDP 1 2022918 3 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity 3
2020-10-18 06:38:14.120 192.168.1.5 [VT] 63931 8.8.8.8 [VT] 53 UDP 1 2022918 3 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity 3
2020-10-18 06:38:15.120 192.168.1.5 [VT] 63931 8.8.8.8 [VT] 53 UDP 1 2022918 3 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity 3
2020-10-18 06:38:17.120 192.168.1.5 [VT] 63931 1.1.1.1 [VT] 53 UDP 1 2022918 3 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity 3
2020-10-18 06:38:17.121 192.168.1.5 [VT] 63931 8.8.8.8 [VT] 53 UDP 1 2022918 3 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity 3
2020-10-18 06:38:21.120 192.168.1.5 [VT] 63931 1.1.1.1 [VT] 53 UDP 1 2022918 3 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity 3
2020-10-18 06:38:21.120 192.168.1.5 [VT] 63931 8.8.8.8 [VT] 53 UDP 1 2022918 3 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity 3
2020-10-18 06:38:22.001 192.168.1.5 [VT] 50775 8.8.8.8 [VT] 53 UDP 1 2028675 2 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic 2
2020-10-18 06:38:22.995 192.168.1.5 [VT] 50775 8.8.8.8 [VT] 53 UDP 1 2028675 2 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic 2
2020-10-18 06:38:23.995 192.168.1.5 [VT] 50775 8.8.8.8 [VT] 53 UDP 1 2028675 2 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic 2
2020-10-18 06:38:25.995 192.168.1.5 [VT] 50775 1.1.1.1 [VT] 53 UDP 1 2028675 2 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic 2
2020-10-18 06:38:25.996 192.168.1.5 [VT] 50775 8.8.8.8 [VT] 53 UDP 1 2028675 2 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic 2

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-10-18 06:37:44.317 192.168.1.5 [VT] 49181 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.5 49181 13.107.42.23 443 3b483d0b34894548b602e8d18cdc24c5 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name svchost.exe
PID 844
Dump Size 20992 bytes
Module Path C:\Windows\System32\svchost.exe
Type PE image: 32-bit executable
PE timestamp 2009-07-13 23:19:28
MD5 6e43bd43853d5545d2b609b3958871a7
SHA1 cbcbe222517f03a4111b736fc537befd0dc673a1
SHA256 4be6e1c20acfaa940ff02bd2d7eb7ba57c1b5204502fb1e2c4448ba63a1dd244
CRC32 F06779F8
Ssdeep 384:U52zu6rMsaGHr3ZlQ9hEysfSliretFUOLg2JdaW9C5bW9odW:dJ1DDYEy9iretFbdaw
Dump Filename 4be6e1c20acfaa940ff02bd2d7eb7ba57c1b5204502fb1e2c4448ba63a1dd244
Process Name schtasks.exe
PID 2920
Dump Size 177152 bytes
Module Path C:\Windows\System32\schtasks.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:20:03
MD5 6a32ad454270ede694bde719d8493d29
SHA1 395fb507402e13fc1cb77606b089735ca4799686
SHA256 995427e825c82f2162559d753f65e8a4daf29e9b62d805e2510c71103b807fb4
CRC32 E4B894E8
Ssdeep 3072:RLncEfyyK9TpwYlc4ah7lAdLuSKcY4sJDFFkadQ/3oGBGAHCx:R7cEfyBZ1Kqud74EFkJGA6
Dump Filename 995427e825c82f2162559d753f65e8a4daf29e9b62d805e2510c71103b807fb4
Process Name 6FNEaMg3dNB7sGi.exe
PID 4276
Dump Size 131072 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\6FNEaMg3dNB7sGi.exe
Type PE image: 32-bit executable
PE timestamp 2020-09-14 11:18:00
MD5 670b13f2b801cf57000401dd12a68ada
SHA1 f299bd5b48bcb200b5c2b97be876f96b6b789e5d
SHA256 346b2e0fd68989f714dd33e924e3debca8ed03bcb5ec66598653cbc90aaf3a35
CRC32 2AF458C0
Ssdeep 3072:y4XgM0gTUJNFbnOabI/JZ7k0qvo7wvdbnrlSl26FLbmrzqhKmXA2hrQ:tXgMtwNFbOabI/qxlSl26FLKrzqhKqQ
ClamAV
  • Win.Trojan.Remcos-9753190-0
  • Win.Trojan.Remcos-9763891-0
CAPE Yara
  • Parallax RAT - Author: @bartblaze
  • Remcos Payload - Author: kevoreilly
Dump Filename 346b2e0fd68989f714dd33e924e3debca8ed03bcb5ec66598653cbc90aaf3a35

Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy
Execution
  • T1106 - Execution through API
    • Signature - process_creation_suspicious_location
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
Persistence
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task

    Processing ( 19.791 seconds )

    • 5.954 CAPE
    • 5.271 NetworkAnalysis
    • 5.226 Suricata
    • 1.032 ProcDump
    • 0.871 BehaviorAnalysis
    • 0.687 Static
    • 0.252 VirusTotal
    • 0.175 static_dotnet
    • 0.089 AnalysisInfo
    • 0.079 Dropped
    • 0.07 TargetInfo
    • 0.054 Deduplicate
    • 0.017 Strings
    • 0.008 Debug
    • 0.006 peid

    Signatures ( 0.7260000000000004 seconds )

    • 0.104 antiav_detectreg
    • 0.041 infostealer_ftp
    • 0.036 guloader_apis
    • 0.036 territorial_disputes_sigs
    • 0.025 api_spamming
    • 0.024 decoy_document
    • 0.024 infostealer_im
    • 0.024 masquerade_process_name
    • 0.023 stealth_timeout
    • 0.021 antianalysis_detectreg
    • 0.02 antiav_detectfile
    • 0.017 NewtWire Behavior
    • 0.016 ransomware_files
    • 0.012 infostealer_bitcoin
    • 0.011 antivm_vbox_keys
    • 0.011 ransomware_extensions
    • 0.01 antianalysis_detectfile
    • 0.01 infostealer_mail
    • 0.009 accesses_recyclebin
    • 0.008 antisandbox_sleep
    • 0.008 antivm_generic_disk
    • 0.008 antivm_vbox_files
    • 0.007 dridex_behavior
    • 0.007 masslogger_artifacts
    • 0.007 antivm_vmware_keys
    • 0.006 Doppelganging
    • 0.006 mimics_filetime
    • 0.006 antivm_parallels_keys
    • 0.005 InjectionCreateRemoteThread
    • 0.005 kazybot_behavior
    • 0.005 persistence_autorun
    • 0.005 reads_self
    • 0.005 stealth_file
    • 0.005 virus
    • 0.005 antivm_xen_keys
    • 0.005 geodo_banking_trojan
    • 0.005 predatorthethief_files
    • 0.005 qulab_files
    • 0.004 antiemu_wine_func
    • 0.004 antivm_generic_scsi
    • 0.004 bootkit
    • 0.004 dynamic_function_loading
    • 0.004 exec_crash
    • 0.004 injection_createremotethread
    • 0.004 Locky_behavior
    • 0.003 antidebug_guardpages
    • 0.003 betabot_behavior
    • 0.003 hancitor_behavior
    • 0.003 infostealer_browser
    • 0.003 infostealer_browser_password
    • 0.003 injection_runpe
    • 0.003 kibex_behavior
    • 0.003 malicious_dynamic_function_loading
    • 0.003 antidbg_devices
    • 0.003 antivm_generic_diskreg
    • 0.003 antivm_vmware_files
    • 0.003 antivm_vpc_keys
    • 0.003 network_torgateway
    • 0.002 InjectionInterProcess
    • 0.002 InjectionProcessHollowing
    • 0.002 Unpacker
    • 0.002 antiav_360_libs
    • 0.002 antidbg_windows
    • 0.002 antivm_generic_services
    • 0.002 antivm_vbox_libs
    • 0.002 dyre_behavior
    • 0.002 encrypted_ioc
    • 0.002 exploit_heapspray
    • 0.002 hawkeye_behavior
    • 0.002 kovter_behavior
    • 0.002 network_tor
    • 0.002 browser_security
    • 0.002 bypass_firewall
    • 0.002 disables_backups
    • 0.002 disables_browser_warn
    • 0.002 network_dns_opennic
    • 0.002 ursnif_behavior
    • 0.001 antisandbox_sunbelt_libs
    • 0.001 exploit_getbasekerneladdress
    • 0.001 exploit_gethaldispatchtable
    • 0.001 ransomware_message
    • 0.001 rat_nanocore
    • 0.001 OrcusRAT Behavior
    • 0.001 recon_programs
    • 0.001 sets_autoconfig_url
    • 0.001 shifu_behavior
    • 0.001 stack_pivot
    • 0.001 tinba_behavior
    • 0.001 vawtrak_behavior
    • 0.001 antivm_xen_keys
    • 0.001 antivm_hyperv_keys
    • 0.001 antivm_vbox_devices
    • 0.001 ketrican_regkeys
    • 0.001 browser_addon
    • 0.001 modify_proxy
    • 0.001 codelux_behavior
    • 0.001 darkcomet_regkeys
    • 0.001 azorult_mutexes
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 modirat_behavior
    • 0.001 obliquerat_files
    • 0.001 rat_pcclient
    • 0.001 warzonerat_regkeys
    • 0.001 recon_checkip
    • 0.001 recon_fingerprint
    • 0.001 remcos_regkeys
    • 0.001 sniffer_winpcap
    • 0.001 tampers_etw
    • 0.001 targeted_flame
    • 0.001 lokibot_mutexes

    Reporting ( 20.577 seconds )

    • 20.305 BinGraph
    • 0.262 MITRE_TTPS
    • 0.01 PCAP2CERT