Detections

Yara:

Remcos

Analysis

Category: FILE
Package: exe
Started: 2020-10-18 06:35:09
Completed: 2020-10-18 06:40:56
Duration: 347 seconds
route = tor
2020-05-13 09:29:27,464 [root] INFO: Date set to: 20201018T06:35:08, timeout set to: 200
2020-10-18 06:35:08,062 [root] DEBUG: Starting analyzer from: C:\tmp558c2t_g
2020-10-18 06:35:08,062 [root] DEBUG: Storing results at: C:\LyfqDWD
2020-10-18 06:35:08,062 [root] DEBUG: Pipe server name: \\.\PIPE\NtiJjDpEf
2020-10-18 06:35:08,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-10-18 06:35:08,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-10-18 06:35:08,062 [root] INFO: Automatically selected analysis package "exe"
2020-10-18 06:35:08,062 [root] DEBUG: Importing analysis package "exe"...
2020-10-18 06:35:08,125 [root] DEBUG: Initializing analysis package "exe"...
2020-10-18 06:35:08,359 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2020-10-18 06:35:08,359 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2020-10-18 06:35:08,546 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2020-10-18 06:35:08,609 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2020-10-18 06:35:08,671 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2020-10-18 06:35:08,671 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2020-10-18 06:35:08,687 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2020-10-18 06:35:08,687 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-10-18 06:35:08,687 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-10-18 06:35:08,687 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-10-18 06:35:08,703 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-10-18 06:35:08,703 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-10-18 06:35:08,703 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-10-18 06:35:08,703 [lib.api.screenshot] DEBUG: Importing 'math'
2020-10-18 06:35:08,703 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-10-18 06:35:10,093 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-10-18 06:35:10,125 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-10-18 06:35:10,187 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-10-18 06:35:10,187 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2020-10-18 06:35:10,203 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2020-10-18 06:35:10,265 [root] DEBUG: Initializing auxiliary module "Browser"...
2020-10-18 06:35:10,265 [root] DEBUG: Started auxiliary module Browser
2020-10-18 06:35:10,265 [root] DEBUG: Initializing auxiliary module "Curtain"...
2020-10-18 06:35:10,281 [root] DEBUG: Started auxiliary module Curtain
2020-10-18 06:35:10,281 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2020-10-18 06:35:10,281 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-10-18 06:35:11,953 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-10-18 06:35:11,953 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-10-18 06:35:11,968 [root] DEBUG: Started auxiliary module DigiSig
2020-10-18 06:35:11,968 [root] DEBUG: Initializing auxiliary module "Disguise"...
2020-10-18 06:35:12,000 [modules.auxiliary.disguise] INFO: Disguising GUID to 9d96f683-3bce-4782-a014-7d803d63baea
2020-10-18 06:35:12,000 [root] DEBUG: Started auxiliary module Disguise
2020-10-18 06:35:12,000 [root] DEBUG: Initializing auxiliary module "Human"...
2020-10-18 06:35:12,000 [root] DEBUG: Started auxiliary module Human
2020-10-18 06:35:12,000 [root] DEBUG: Initializing auxiliary module "Procmon"...
2020-10-18 06:35:12,015 [root] DEBUG: Started auxiliary module Procmon
2020-10-18 06:35:12,015 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2020-10-18 06:35:12,031 [root] DEBUG: Started auxiliary module Screenshots
2020-10-18 06:35:12,031 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2020-10-18 06:35:12,031 [root] DEBUG: Started auxiliary module Sysmon
2020-10-18 06:35:12,031 [root] DEBUG: Initializing auxiliary module "Usage"...
2020-10-18 06:35:12,031 [root] DEBUG: Started auxiliary module Usage
2020-10-18 06:35:12,031 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-10-18 06:35:12,031 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-10-18 06:35:12,031 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-10-18 06:35:12,031 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-10-18 06:35:12,078 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\Quotation.exe" with arguments "" with pid 1872
2020-10-18 06:35:12,078 [lib.api.process] INFO: Monitor config for process 1872: C:\tmp558c2t_g\dll\1872.ini
2020-10-18 06:35:12,078 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:12,203 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:12,203 [root] DEBUG: Loader: Injecting process 1872 (thread 3452) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:12,218 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:35:12,218 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:35:12,218 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:14,234 [lib.api.process] INFO: Successfully resumed process with pid 1872
2020-10-18 06:35:14,546 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:14,562 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:14,562 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1872 at 0x6f9e0000, image base 0x12e0000, stack from 0x336000-0x340000
2020-10-18 06:35:14,578 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Quotation.exe"
2020-10-18 06:35:14,640 [root] INFO: Loaded monitor into process with pid 1872
2020-10-18 06:35:14,640 [root] DEBUG: set_caller_info: Adding region at 0x00240000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-10-18 06:35:14,640 [root] DEBUG: DumpPEsInRange: Scanning range 0x240000 - 0x340000.
2020-10-18 06:35:14,656 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x240000
2020-10-18 06:35:14,656 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x240000
2020-10-18 06:35:14,656 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00240000 size 0x100000.
2020-10-18 06:35:14,718 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_1033974912145521180102020 (size 0xd04)
2020-10-18 06:35:14,718 [root] DEBUG: DumpRegion: Dumped region at 0x0033F000, size 0x1000.
2020-10-18 06:35:14,734 [root] DEBUG: set_caller_info: Adding region at 0x00A70000 to caller regions list (advapi32::RegOpenKeyExW).
2020-10-18 06:35:14,750 [root] DEBUG: DumpPEsInRange: Scanning range 0xa70000 - 0xe70000.
2020-10-18 06:35:14,750 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0xab5fc1
2020-10-18 06:35:14,781 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0xa70000
2020-10-18 06:35:14,781 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00A70000 size 0x400000.
2020-10-18 06:35:14,843 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_1789487525145521180102020 (size 0x1a41)
2020-10-18 06:35:14,843 [root] DEBUG: DumpRegion: Dumped region at 0x00E2D000, size 0x10000.
2020-10-18 06:35:14,843 [root] DEBUG: set_caller_info: Adding region at 0x000D0000 to caller regions list (advapi32::RegOpenKeyExW).
2020-10-18 06:35:14,843 [root] DEBUG: set_caller_info: Calling region at 0x000D0000 skipped.
2020-10-18 06:35:14,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 and local view 0x732A0000 to global list.
2020-10-18 06:35:14,890 [root] DEBUG: DLL loaded at 0x732A0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-10-18 06:35:14,890 [root] DEBUG: DLL unloaded from 0x75E80000.
2020-10-18 06:35:14,906 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe8 and local view 0x011E0000 to global list.
2020-10-18 06:35:14,953 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 and local view 0x011E0000 to global list.
2020-10-18 06:35:14,953 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-10-18 06:35:14,968 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72660000 for section view with handle 0xe8.
2020-10-18 06:35:15,125 [root] DEBUG: DLL loaded at 0x72660000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-10-18 06:35:15,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73510000 for section view with handle 0xe8.
2020-10-18 06:35:15,156 [root] DEBUG: DLL loaded at 0x73510000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-10-18 06:35:15,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c and local view 0x00150000 to global list.
2020-10-18 06:35:15,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x110 and local view 0x00160000 to global list.
2020-10-18 06:35:15,578 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:15,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c8 and local view 0x06130000 to global list.
2020-10-18 06:35:16,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20c and local view 0x6E3E0000 to global list.
2020-10-18 06:35:16,609 [root] DEBUG: DLL loaded at 0x6E3E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-10-18 06:35:17,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c and local view 0x6D9D0000 to global list.
2020-10-18 06:35:17,171 [root] DEBUG: DLL loaded at 0x6D9D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-10-18 06:35:17,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6D1F0000 for section view with handle 0x22c.
2020-10-18 06:35:17,515 [root] DEBUG: DLL loaded at 0x6D1F0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-10-18 06:35:17,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 and local view 0x6D010000 to global list.
2020-10-18 06:35:17,609 [root] DEBUG: DLL loaded at 0x6D010000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-10-18 06:35:17,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 and local view 0x6F900000 to global list.
2020-10-18 06:35:17,796 [root] DEBUG: DLL loaded at 0x6F900000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-10-18 06:35:17,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6CE70000 for section view with handle 0x22c.
2020-10-18 06:35:18,015 [root] DEBUG: DLL loaded at 0x6CE70000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-10-18 06:35:18,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6C150000 for section view with handle 0x228.
2020-10-18 06:35:18,109 [root] DEBUG: DLL loaded at 0x6C150000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-10-18 06:35:18,187 [root] DEBUG: set_caller_info: Adding region at 0x00370000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:35:18,187 [root] DEBUG: DumpPEsInRange: Scanning range 0x370000 - 0x380000.
2020-10-18 06:35:18,187 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x370fc1
2020-10-18 06:35:18,187 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x380000
2020-10-18 06:35:18,187 [root] DEBUG: DumpMemory: Nothing to dump at 0x00370000!
2020-10-18 06:35:18,187 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00370000 size 0x10000.
2020-10-18 06:35:18,234 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_1017587381385521180102020 (size 0x4ca)
2020-10-18 06:35:18,234 [root] DEBUG: DumpRegion: Dumped region at 0x00370000, size 0x1000.
2020-10-18 06:35:18,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6B960000 for section view with handle 0x228.
2020-10-18 06:35:18,500 [root] DEBUG: DLL loaded at 0x6B960000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\ec27d822eb278dc8c0dbcfce9b47f5b7\System.Data.ni (0x7e6000 bytes).
2020-10-18 06:35:18,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6B600000 for section view with handle 0x228.
2020-10-18 06:35:18,546 [root] DEBUG: DLL loaded at 0x6B600000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x351000 bytes).
2020-10-18 06:35:18,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x76B20000 for section view with handle 0x224.
2020-10-18 06:35:18,546 [root] DEBUG: DLL loaded at 0x76B20000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-10-18 06:35:18,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x76170000 for section view with handle 0x224.
2020-10-18 06:35:18,562 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-10-18 06:35:18,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x76770000 for section view with handle 0x224.
2020-10-18 06:35:18,562 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\CRYPT32 (0x122000 bytes).
2020-10-18 06:35:18,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x762F0000 for section view with handle 0x224.
2020-10-18 06:35:18,562 [root] DEBUG: DLL loaded at 0x762F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-10-18 06:35:18,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06780000 for section view with handle 0x228.
2020-10-18 06:35:18,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06780000 for section view with handle 0x224.
2020-10-18 06:35:18,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06780000 for section view with handle 0x22c.
2020-10-18 06:35:18,609 [root] DEBUG: DLL unloaded from 0x72660000.
2020-10-18 06:35:18,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6AEC0000 for section view with handle 0x228.
2020-10-18 06:35:18,796 [root] DEBUG: DLL loaded at 0x6AEC0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni (0x73e000 bytes).
2020-10-18 06:35:19,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 and local view 0x6F800000 to global list.
2020-10-18 06:35:19,140 [root] DEBUG: DLL loaded at 0x6F800000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni (0xfc000 bytes).
2020-10-18 06:35:19,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x238 and local view 0x6F7E0000 to global list.
2020-10-18 06:35:19,187 [root] DEBUG: DLL loaded at 0x6F7E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-10-18 06:35:19,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06780000 for section view with handle 0x238.
2020-10-18 06:35:19,500 [root] DEBUG: DLL loaded at 0x750D0000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-10-18 06:35:19,500 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\profapi (0xb000 bytes).
2020-10-18 06:35:19,546 [root] DEBUG: set_caller_info: Adding region at 0x00180000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:35:19,562 [root] DEBUG: DumpPEsInRange: Scanning range 0x180000 - 0x190000.
2020-10-18 06:35:19,562 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x180fc1
2020-10-18 06:35:19,562 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x190000
2020-10-18 06:35:19,562 [root] DEBUG: DumpMemory: Nothing to dump at 0x00180000!
2020-10-18 06:35:19,562 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00180000 size 0x10000.
2020-10-18 06:35:19,593 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_221786118395521180102020 (size 0x5b7)
2020-10-18 06:35:19,593 [root] DEBUG: DumpRegion: Dumped region at 0x0018D000, size 0x1000.
2020-10-18 06:35:19,609 [root] DEBUG: DLL loaded at 0x74730000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-10-18 06:35:19,640 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 06:35:19,656 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-10-18 06:35:19,718 [root] DEBUG: DLL loaded at 0x6AE30000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32 (0x84000 bytes).
2020-10-18 06:35:19,718 [root] DEBUG: set_caller_info: Adding region at 0x00190000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-10-18 06:35:19,718 [root] DEBUG: DumpPEsInRange: Scanning range 0x190000 - 0x1a0000.
2020-10-18 06:35:19,718 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x19afc1
2020-10-18 06:35:19,734 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x1a0000
2020-10-18 06:35:19,734 [root] DEBUG: DumpMemory: Nothing to dump at 0x00190000!
2020-10-18 06:35:19,734 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00190000 size 0x10000.
2020-10-18 06:35:19,765 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_898158892395521180102020 (size 0x176)
2020-10-18 06:35:19,765 [root] DEBUG: DumpRegion: Dumped region at 0x0019D000, size 0x1000.
2020-10-18 06:35:19,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x278 and local view 0x6AD60000 to global list.
2020-10-18 06:35:19,921 [root] DEBUG: DLL loaded at 0x6AD60000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni (0xc9000 bytes).
2020-10-18 06:35:20,109 [root] DEBUG: DLL loaded at 0x742C0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2020-10-18 06:35:20,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x270 and local view 0x6A860000 to global list.
2020-10-18 06:35:22,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x27c and local view 0x009F0000 to global list.
2020-10-18 06:35:22,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005F0000 for section view with handle 0x27c.
2020-10-18 06:35:32,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x280 and local view 0x6ABC0000 to global list.
2020-10-18 06:35:32,828 [root] DEBUG: DLL loaded at 0x6ABC0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-10-18 06:35:32,859 [root] DEBUG: DLL loaded at 0x6AA80000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-10-18 06:35:32,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x288 and local view 0x00FD0000 to global list.
2020-10-18 06:35:32,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00FE0000 for section view with handle 0x288.
2020-10-18 06:35:32,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00FF0000 for section view with handle 0x288.
2020-10-18 06:35:33,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x290 and local view 0x03D00000 to global list.
2020-10-18 06:35:33,234 [root] DEBUG: set_caller_info: Adding region at 0x03AA0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-10-18 06:35:33,234 [root] DEBUG: DumpPEsInRange: Scanning range 0x3aa0000 - 0x3ab0000.
2020-10-18 06:35:33,234 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x3aa5fc1
2020-10-18 06:35:33,249 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x3ab0000
2020-10-18 06:35:33,249 [root] DEBUG: DumpMemory: Nothing to dump at 0x03AA0000!
2020-10-18 06:35:33,249 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x03AA0000 size 0x10000.
2020-10-18 06:35:33,265 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_2121432246375621180102020 (size 0x12f0)
2020-10-18 06:35:33,265 [root] DEBUG: DumpRegion: Dumped region at 0x03AA4000, size 0x2000.
2020-10-18 06:35:33,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x011E0000 for section view with handle 0x290.
2020-10-18 06:35:33,765 [root] DEBUG: DLL loaded at 0x73CD0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-10-18 06:35:33,765 [root] DEBUG: DLL loaded at 0x75F60000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-10-18 06:35:33,859 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\SgDbfuA.exe
2020-10-18 06:35:34,312 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\tmp7980.tmp
2020-10-18 06:35:34,531 [root] DEBUG: DLL loaded at 0x6A980000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-10-18 06:35:34,546 [root] DEBUG: DLL loaded at 0x73950000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-10-18 06:35:34,546 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:35:34,984 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-10-18 06:35:35,000 [root] DEBUG: DLL loaded at 0x69400000: C:\Windows\SysWOW64\ieframe (0xaba000 bytes).
2020-10-18 06:35:35,000 [root] DEBUG: DLL loaded at 0x76180000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-10-18 06:35:35,000 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:35,000 [root] DEBUG: DLL loaded at 0x75FC0000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:35,015 [root] DEBUG: DLL loaded at 0x6F7D0000: C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:35,015 [root] DEBUG: DLL loaded at 0x76250000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:35,015 [root] DEBUG: DLL loaded at 0x74CF0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-10-18 06:35:35,015 [root] DEBUG: DLL loaded at 0x75F30000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-10-18 06:35:35,015 [root] DEBUG: DLL loaded at 0x76900000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-10-18 06:35:35,203 [root] DEBUG: DLL loaded at 0x74D00000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-10-18 06:35:35,203 [root] DEBUG: DLL loaded at 0x750A0000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-10-18 06:35:35,203 [root] DEBUG: DLL loaded at 0x75D20000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-10-18 06:35:35,218 [root] DEBUG: DLL unloaded from 0x750D0000.
2020-10-18 06:35:35,234 [root] DEBUG: DLL loaded at 0x765C0000: C:\Windows\SysWOW64\urlmon (0x124000 bytes).
2020-10-18 06:35:35,234 [root] DEBUG: DLL loaded at 0x76260000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:35,640 [root] DEBUG: DLL loaded at 0x76300000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-10-18 06:35:35,656 [root] DEBUG: DLL loaded at 0x701D0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-10-18 06:35:35,812 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 2092
2020-10-18 06:35:35,812 [lib.api.process] INFO: Monitor config for process 2092: C:\tmp558c2t_g\dll\2092.ini
2020-10-18 06:35:35,828 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:35,859 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:35,859 [root] DEBUG: Loader: Injecting process 2092 (thread 4136) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:35,859 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:35,906 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:35:35,906 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:36,015 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2092, ImageBase: 0x00BC0000
2020-10-18 06:35:36,015 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 2092
2020-10-18 06:35:36,015 [lib.api.process] INFO: Monitor config for process 2092: C:\tmp558c2t_g\dll\2092.ini
2020-10-18 06:35:36,015 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:36,031 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:36,031 [root] DEBUG: Loader: Injecting process 2092 (thread 4136) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:36,031 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:36,031 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:36,031 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:36,093 [root] DEBUG: DLL loaded at 0x73920000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-10-18 06:35:36,421 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:36,421 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:36,437 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:36,437 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:35:36,437 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2092 at 0x6f9e0000, image base 0xbc0000, stack from 0x226000-0x230000
2020-10-18 06:35:36,437 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\System32\schtasks.exe" \Create \TN "Updates\SgDbfuA" \XML "C:\Users\Louise\AppData\Local\Temp\tmp7980.tmp"
2020-10-18 06:35:36,484 [root] INFO: Loaded monitor into process with pid 2092
2020-10-18 06:35:36,484 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2020-10-18 06:35:36,484 [root] DEBUG: DLL unloaded from 0x00BC0000.
2020-10-18 06:35:36,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 and local view 0x038F0000 to global list.
2020-10-18 06:35:36,500 [root] INFO: Stopping Task Scheduler Service
2020-10-18 06:35:36,765 [root] INFO: Stopped Task Scheduler Service
2020-10-18 06:35:36,906 [root] INFO: Starting Task Scheduler Service
2020-10-18 06:35:37,015 [root] INFO: Started Task Scheduler Service
2020-10-18 06:35:37,015 [lib.api.process] INFO: Monitor config for process 840: C:\tmp558c2t_g\dll\840.ini
2020-10-18 06:35:37,031 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\xbkRJp.dll, loader C:\tmp558c2t_g\bin\hBCagvVI.exe
2020-10-18 06:35:37,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:37,046 [root] DEBUG: Loader: Injecting process 840 (thread 0) with C:\tmp558c2t_g\dll\xbkRJp.dll.
2020-10-18 06:35:37,046 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 844, handle 0xa4
2020-10-18 06:35:37,046 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-10-18 06:35:37,046 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-10-18 06:35:37,062 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:37,062 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:37,062 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:37,062 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 840 at 0x000007FEF00F0000, image base 0x00000000FF500000, stack from 0x0000000002CE6000-0x0000000002CF0000
2020-10-18 06:35:37,078 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs
2020-10-18 06:35:37,156 [root] WARNING: b'Unable to place hook on LockResource'
2020-10-18 06:35:37,156 [root] WARNING: b'Unable to hook LockResource'
2020-10-18 06:35:37,218 [root] INFO: Loaded monitor into process with pid 840
2020-10-18 06:35:37,218 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-10-18 06:35:37,234 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-10-18 06:35:37,234 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\xbkRJp.dll.
2020-10-18 06:35:37,234 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 840
2020-10-18 06:35:38,359 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF2600000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-10-18 06:35:38,359 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF2600000 skipped.
2020-10-18 06:35:39,234 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-10-18 06:35:39,234 [root] DEBUG: DLL loaded at 0x73610000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2020-10-18 06:35:40,937 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2092
2020-10-18 06:35:40,937 [root] DEBUG: GetHookCallerBase: thread 4136 (handle 0x0), return address 0x00BD7569, allocation base 0x00BC0000.
2020-10-18 06:35:40,937 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00BC0000.
2020-10-18 06:35:40,937 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:35:40,937 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00BC0000.
2020-10-18 06:35:40,953 [root] DEBUG: DumpProcess: Module entry point VA is 0x00017683.
2020-10-18 06:35:40,984 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2b400.
2020-10-18 06:35:40,984 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-10-18 06:35:40,984 [root] INFO: Process with pid 2092 has terminated
2020-10-18 06:35:41,093 [root] INFO: Announced 32-bit process name: vbc.exe pid: 3120
2020-10-18 06:35:41,109 [lib.api.process] INFO: Monitor config for process 3120: C:\tmp558c2t_g\dll\3120.ini
2020-10-18 06:35:41,109 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:41,125 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:41,125 [root] DEBUG: Loader: Injecting process 3120 (thread 3096) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:41,125 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:41,140 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:35:41,140 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,546 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3120, ImageBase: 0x01310000
2020-10-18 06:35:42,546 [root] INFO: Announced 32-bit process name: vbc.exe pid: 3120
2020-10-18 06:35:42,546 [lib.api.process] INFO: Monitor config for process 3120: C:\tmp558c2t_g\dll\3120.ini
2020-10-18 06:35:42,562 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF01F0000 to caller regions list (msvcrt::memcpy).
2020-10-18 06:35:42,562 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF01F0000 skipped.
2020-10-18 06:35:42,562 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:42,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:42,593 [root] DEBUG: Loader: Injecting process 3120 (thread 3096) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbac and local view 0x0000000006260000 to global list.
2020-10-18 06:35:42,593 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x7c4 and local view 0x0000000006AB0000 to global list.
2020-10-18 06:35:42,625 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:42,625 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,656 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 3120 (ImageBase 0x400000)
2020-10-18 06:35:42,656 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:35:42,656 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0512A8D8.
2020-10-18 06:35:42,671 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x20000.
2020-10-18 06:35:42,687 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x512a8d8, SizeOfImage 0x21000.
2020-10-18 06:35:42,687 [root] INFO: Announced 32-bit process name: vbc.exe pid: 3120
2020-10-18 06:35:42,687 [lib.api.process] INFO: Monitor config for process 3120: C:\tmp558c2t_g\dll\3120.ini
2020-10-18 06:35:42,687 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:42,703 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:42,703 [root] DEBUG: Loader: Injecting process 3120 (thread 0) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,703 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 3096, handle 0xbc
2020-10-18 06:35:42,718 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,718 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:42,718 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,734 [root] DEBUG: WriteMemoryHandler: shellcode at 0x040818FC (size 0x14000) injected into process 3120.
2020-10-18 06:35:42,765 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_1912867235375721180102020 (size 0x13246)
2020-10-18 06:35:42,781 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:35:42,781 [root] INFO: Announced 32-bit process name: vbc.exe pid: 3120
2020-10-18 06:35:42,781 [lib.api.process] INFO: Monitor config for process 3120: C:\tmp558c2t_g\dll\3120.ini
2020-10-18 06:35:42,781 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:42,796 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:42,796 [root] DEBUG: Loader: Injecting process 3120 (thread 0) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,796 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 3096, handle 0xbc
2020-10-18 06:35:42,812 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,812 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:42,812 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,828 [root] DEBUG: WriteMemoryHandler: shellcode at 0x04095908 (size 0x6000) injected into process 3120.
2020-10-18 06:35:42,843 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_1620715817375721180102020 (size 0x53e9)
2020-10-18 06:35:42,843 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:35:42,859 [root] INFO: Announced 32-bit process name: vbc.exe pid: 3120
2020-10-18 06:35:42,859 [lib.api.process] INFO: Monitor config for process 3120: C:\tmp558c2t_g\dll\3120.ini
2020-10-18 06:35:42,859 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:42,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:42,875 [root] DEBUG: Loader: Injecting process 3120 (thread 0) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,875 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 3096, handle 0xbc
2020-10-18 06:35:42,875 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,875 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:42,875 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,890 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0409B914 (size 0x1000) injected into process 3120.
2020-10-18 06:35:42,953 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_1564488779375721180102020 (size 0x191)
2020-10-18 06:35:42,953 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:35:42,953 [root] INFO: Announced 32-bit process name: vbc.exe pid: 3120
2020-10-18 06:35:42,953 [lib.api.process] INFO: Monitor config for process 3120: C:\tmp558c2t_g\dll\3120.ini
2020-10-18 06:35:42,953 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:42,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:42,968 [root] DEBUG: Loader: Injecting process 3120 (thread 0) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,968 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 3096, handle 0xbc
2020-10-18 06:35:42,968 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,968 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:42,984 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:42,984 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0409C920 (size 0x1000) injected into process 3120.
2020-10-18 06:35:43,000 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_143789059375721180102020 (size 0x1000)
2020-10-18 06:35:43,015 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:35:43,015 [root] INFO: Announced 32-bit process name: vbc.exe pid: 3120
2020-10-18 06:35:43,015 [lib.api.process] INFO: Monitor config for process 3120: C:\tmp558c2t_g\dll\3120.ini
2020-10-18 06:35:43,015 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:43,031 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:43,031 [root] DEBUG: Loader: Injecting process 3120 (thread 0) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,031 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 3096, handle 0xbc
2020-10-18 06:35:43,031 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,031 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:43,031 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,046 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0409D92C (size 0x3000) injected into process 3120.
2020-10-18 06:35:43,062 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LyfqDWD\CAPE\1872_410504363375721180102020 (size 0x242c)
2020-10-18 06:35:43,062 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:35:43,062 [root] INFO: Announced 32-bit process name: vbc.exe pid: 3120
2020-10-18 06:35:43,062 [lib.api.process] INFO: Monitor config for process 3120: C:\tmp558c2t_g\dll\3120.ini
2020-10-18 06:35:43,062 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:43,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:43,093 [root] DEBUG: Loader: Injecting process 3120 (thread 0) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,093 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 3096, handle 0xbc
2020-10-18 06:35:43,093 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,093 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:43,093 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,109 [root] INFO: Announced 32-bit process name: vbc.exe pid: 3120
2020-10-18 06:35:43,109 [lib.api.process] INFO: Monitor config for process 3120: C:\tmp558c2t_g\dll\3120.ini
2020-10-18 06:35:43,109 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:43,125 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:43,125 [root] DEBUG: Loader: Injecting process 3120 (thread 0) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,125 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 3096, handle 0xbc
2020-10-18 06:35:43,125 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x0139FAF0)
2020-10-18 06:35:43,125 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,125 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:35:43,125 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,140 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x00013FA4 (process 3120).
2020-10-18 06:35:43,140 [root] INFO: Announced 32-bit process name: vbc.exe pid: 3120
2020-10-18 06:35:43,140 [lib.api.process] INFO: Monitor config for process 3120: C:\tmp558c2t_g\dll\3120.ini
2020-10-18 06:35:43,140 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\qhUagc.dll, loader C:\tmp558c2t_g\bin\tQnVlph.exe
2020-10-18 06:35:43,156 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NtiJjDpEf.
2020-10-18 06:35:43,156 [root] DEBUG: Loader: Injecting process 3120 (thread 3096) with C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,171 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,171 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:43,171 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\qhUagc.dll.
2020-10-18 06:35:43,187 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3120.
2020-10-18 06:35:43,249 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1872
2020-10-18 06:35:43,249 [root] DEBUG: GetHookCallerBase: thread 3452 (handle 0x0), return address 0x003742AB, allocation base 0x00370000.
2020-10-18 06:35:43,265 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x012E0000.
2020-10-18 06:35:43,265 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x012E2000
2020-10-18 06:35:43,343 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:35:43,343 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x012E0000.
2020-10-18 06:35:43,343 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x01392200 to 0x01392400).
2020-10-18 06:35:43,437 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-18 06:35:43,437 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x012E0000, dumping memory region.
2020-10-18 06:35:43,453 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-10-18 06:35:43,453 [root] DEBUG: DLL unloaded from 0x6A980000.
2020-10-18 06:35:43,515 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:43,515 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:43,531 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:43,531 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:35:43,531 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-10-18 06:35:43,531 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3120 at 0x6f9e0000, image base 0x400000, stack from 0x1a6000-0x1b0000
2020-10-18 06:35:43,531 [root] DEBUG: DLL unloaded from 0x73CD0000.
2020-10-18 06:35:43,546 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2020-10-18 06:35:43,578 [root] DEBUG: DLL unloaded from 0x72660000.
2020-10-18 06:35:43,578 [root] INFO: Loaded monitor into process with pid 3120
2020-10-18 06:35:43,578 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1872
2020-10-18 06:35:43,593 [root] DEBUG: GetHookCallerBase: thread 3452 (handle 0x0), return address 0x003742AB, allocation base 0x00370000.
2020-10-18 06:35:43,593 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x012E0000.
2020-10-18 06:35:43,593 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x012E2000
2020-10-18 06:35:43,593 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:35:43,593 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x012E0000.
2020-10-18 06:35:43,593 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x01392200 to 0x01392400).
2020-10-18 06:35:43,609 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-18 06:35:43,609 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x012E0000, dumping memory region.
2020-10-18 06:35:43,625 [root] INFO: Process with pid 1872 has terminated
2020-10-18 06:35:43,718 [root] DEBUG: DLL loaded at 0x743D0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-10-18 06:35:43,734 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-10-18 06:35:43,734 [root] DEBUG: DLL loaded at 0x73030000: C:\Windows\system32\NLAapi (0x10000 bytes).
2020-10-18 06:35:43,734 [root] DEBUG: DLL loaded at 0x73020000: C:\Windows\system32\napinsp (0x10000 bytes).
2020-10-18 06:35:43,750 [root] DEBUG: DLL loaded at 0x73000000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2020-10-18 06:35:43,781 [root] DEBUG: DLL loaded at 0x72FB0000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-10-18 06:35:43,781 [root] DEBUG: DLL loaded at 0x72FA0000: C:\Windows\System32\winrnr (0x8000 bytes).
2020-10-18 06:35:43,796 [root] DEBUG: DLL loaded at 0x72F60000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-10-18 06:35:43,812 [root] DEBUG: DLL loaded at 0x72F50000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-10-18 06:35:53,734 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\remcos\logs.dat
2020-10-18 06:35:54,515 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5080000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-10-18 06:35:54,515 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF5080000 skipped.
2020-10-18 06:35:57,656 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6E90000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-10-18 06:35:57,656 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF6E90000 skipped.
2020-10-18 06:36:00,296 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5A90000 to caller regions list (msvcrt::memcpy).
2020-10-18 06:36:00,296 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF5A90000 skipped.
2020-10-18 06:36:52,921 [root] DEBUG: DLL unloaded from 0x000007FEFBFD0000.
2020-10-18 06:38:34,359 [root] INFO: Analysis timeout hit, terminating analysis.
2020-10-18 06:38:34,359 [lib.api.process] INFO: Terminate event set for process 840
2020-10-18 06:38:34,359 [root] DEBUG: Terminate Event: Attempting to dump process 840
2020-10-18 06:38:34,359 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF500000.
2020-10-18 06:38:34,359 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:38:34,375 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF500000.
2020-10-18 06:38:34,375 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-10-18 06:38:34,406 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-10-18 06:38:34,421 [lib.api.process] INFO: Termination confirmed for process 840
2020-10-18 06:38:34,421 [root] INFO: Terminate event set for process 840.
2020-10-18 06:38:34,421 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 840
2020-10-18 06:38:34,421 [lib.api.process] INFO: Terminate event set for process 3120
2020-10-18 06:38:34,421 [root] DEBUG: Terminate Event: Attempting to dump process 3120
2020-10-18 06:38:34,421 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-10-18 06:38:34,421 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:38:34,421 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00400000.
2020-10-18 06:38:34,500 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x20000.
2020-10-18 06:38:34,515 [lib.api.process] INFO: Termination confirmed for process 3120
2020-10-18 06:38:34,515 [root] INFO: Terminate event set for process 3120.
2020-10-18 06:38:34,515 [root] INFO: Created shutdown mutex.
2020-10-18 06:38:34,515 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 3120
2020-10-18 06:38:35,515 [root] INFO: Shutting down package.
2020-10-18 06:38:35,515 [root] INFO: Stopping auxiliary modules.
2020-10-18 06:38:35,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x127c and local view 0x0000000006260000 to global list.
2020-10-18 06:38:35,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf20 and local view 0x0000000000AB0000 to global list.
2020-10-18 06:38:35,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000AE0000 for section view with handle 0xf20.
2020-10-18 06:38:35,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000AB0000 for section view with handle 0xf20.
2020-10-18 06:38:35,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000AE0000 for section view with handle 0xf20.
2020-10-18 06:38:35,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000AB0000 for section view with handle 0xf20.
2020-10-18 06:38:35,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000049F00000 for section view with handle 0xf20.
2020-10-18 06:38:35,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000AB0000 for section view with handle 0xf20.
2020-10-18 06:38:35,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000049F00000 for section view with handle 0xf20.
2020-10-18 06:38:35,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000AB0000 for section view with handle 0xf20.
2020-10-18 06:38:35,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xecc and local view 0x0000000049F00000 to global list.
2020-10-18 06:38:35,921 [lib.common.results] WARNING: File C:\LyfqDWD\bin\procmon.xml doesn't exist anymore
2020-10-18 06:38:35,921 [root] INFO: Finishing auxiliary modules.
2020-10-18 06:38:35,921 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-10-18 06:38:35,984 [root] WARNING: Folder at path "C:\LyfqDWD\debugger" does not exist, skip.
2020-10-18 06:38:35,984 [root] INFO: Analysis completed.

Machine

Name win7x64_3
Label win7x64_7
Manager KVM
Started On 2020-10-18 06:35:09
Shutdown On 2020-10-18 06:40:56

File Details

File Name Quotation.exe
File Size 730112 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-10-17 23:18:16
MD5 a11b9d71c560fd447199129385ef8fe2
SHA1 3d9bdb73d3c42471f8258cda96cd63f49bd089f7
SHA256 c1db0bc7089675799a66c321a0401a402b94e0d455037b0cbd76e54188de43c8
SHA512 f92d5d39a7d74bfec9b398fe14bdbb045b5d3470f9b7432519beecf73c0b350d96589f781f5c54f716151890aa0b4affeb8c0332c8ba8c0fb2066aa6d4e28a43
CRC32 C428334C
Ssdeep 12288:EBrC8Ij22wddDnw4nPnsOaV4rEj6V2YSsuhHz2R8ZkhEdEIIEx65uWSE:EBruePst4oGV2lsuhHK62h8E83n

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3120 triggered the Yara rule 'Parallax'
Hit: PID 3120 triggered the Yara rule 'Remcos'
Hit: PID 1872 triggered the Yara rule 'shellcode_patterns'
Hit: PID 1872 triggered the Yara rule 'embedded_win_api'
Hit: PID 1872 triggered the Yara rule 'Parallax'
Hit: PID 1872 triggered the Yara rule 'Remcos'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: vbc.exe tried to sleep 693.24 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: MSCOREE.DLL/GetTokenForVTableEntry
DynamicLoader: MSCOREE.DLL/SetTargetForVTableEntry
DynamicLoader: MSCOREE.DLL/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryEx
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipBitmapGetPixel
DynamicLoader: KERNEL32.dll/LoadLibraryA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: KERNEL32.dll/Wow64SetThreadContext
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/Wow64GetThreadContext
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: ntdll.dll/ZwUnmapViewOfSection
DynamicLoader: KERNEL32.dll/CreateProcessA
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: KERNEL32.dll/SetFileAttributes
DynamicLoader: KERNEL32.dll/SetFileAttributesW
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/LsaLookupNames2
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/LocalAllocW
DynamicLoader: ADVAPI32.dll/LsaLookupSids
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/GetTempFileName
DynamicLoader: KERNEL32.dll/GetTempFileNameW
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/UnregisterClass
DynamicLoader: USER32.dll/UnregisterClassW
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: clr.dll/_CorDllMain
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegisterTraceGuidsW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/OpenThreadToken
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/OpenProcessToken
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/AllocateAndInitializeSid
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/CheckTokenMembership
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/FreeSid
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsA
DynamicLoader: USER32.dll/GetCursorInfo
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: kernel32.dll/GetConsoleWindow
DynamicLoader: PSAPI.DLL/GetModuleFileNameExA
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetComputerNameExW
DynamicLoader: SHELL32.dll/IsUserAnAdmin
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: USER32.dll/EnumDisplayDevicesW
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoW
DynamicLoader: SHLWAPI.dll/
A process created a hidden window
Process: Quotation.exe -> schtasks.exe
Process: Quotation.exe -> C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
CAPE extracted potentially suspicious content
Quotation.exe: Injected Shellcode/Data
Quotation.exe: Unpacked Shellcode
Quotation.exe: Unpacked Shellcode
Quotation.exe: Injected Shellcode/Data
Quotation.exe: Unpacked Shellcode
Quotation.exe: Injected Shellcode/Data
Quotation.exe: Injected Shellcode/Data
Quotation.exe: Unpacked Shellcode
Quotation.exe: Unpacked Shellcode
Quotation.exe: Unpacked Shellcode
Quotation.exe: Injected Shellcode/Data
Quotation.exe: Parallax
Quotation.exe: Remcos Payload: 32-bit executable
Quotation.exe: Parallax
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Performs some HTTP requests
url: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.18, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000b1a00, virtual_size: 0x000b1844
Authenticode signature is invalid (no signature present; the file is unsigned)
authenticode error: No signature found. SignTool Error: File not valid: C:\Users\Louise\AppData\Local\Temp\Quotation.exe
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgDbfuA" /XML "C:\Users\Louise\AppData\Local\Temp\tmp7980.tmp"
command: schtasks.exe /Create /TN "Updates\SgDbfuA" /XML "C:\Users\Louise\AppData\Local\Temp\tmp7980.tmp"
Behavioural detection: Injection (Process Hollowing)
Injection: Quotation.exe(1872) -> vbc.exe(3120)
Executed a process and injected code into it, probably while unpacking
Injection: Quotation.exe(1872) -> vbc.exe(3120)
Sniffs keystrokes
SetWindowsHookExA: Process: vbc.exe(3120)
Behavioural detection: Injection (inter-process)
CAPE detected the Remcos malware family
File has been identified by 21 Antiviruses on VirusTotal as malicious
Elastic: malicious (high confidence)
McAfee: PWS-FCRK!A11B9D71C560
Alibaba: Trojan:Win32/starter.ali1000139
Invincea: Generic ML PUA (PUA)
Cyren: W32/Trojan.SW.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Avast: Win32:Evo-gen [Susp]
Kaspersky: UDS:DangerousObject.Multi.Generic
Paloalto: generic.ml
McAfee-GW-Edition: BehavesLike.Win32.Generic.bc
SentinelOne: DFI - Malicious PE
eGambit: Unsafe.AI_Score_94%
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Cynet: Malicious (score: 100)
BitDefenderTheta: Gen:[email protected]
Ikarus: Win32.Outbreak
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: MSIL/Kryptik.YFO!tr
AVG: Win32:Evo-gen [Susp]
Qihoo-360: Generic/HEUR/QVM03.0.A8BF.Malware.Gen
CAPE has extracted a malware configuration
extracted_config: Remcos
Creates a copy of itself
copy: C:\Users\Louise\AppData\Roaming\SgDbfuA.exe
Creates known Remcos directories and/or files
file: C:\Users\Louise\AppData\Roaming\remcos\logs.dat
Creates known Remcos mutexes
mutex: Remcos_Mutex_Inj
Creates known Remcos registry keys
Key: HKEY_CURRENT_USER\Software\Remcos-FJXN4E\
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest
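The .text entropy finding above (7.18 bits per byte over a 0xb1a00-byte section) is a per-section check that is easy to reproduce. The Python below is an added example, not CAPE's own code: it walks the PE section table, computes the Shannon entropy of each section's raw bytes and reports sections above a threshold, noting whether the section is executable. The 7.0 threshold, the build_test_pe helper and the SHA-256-derived filler standing in for an encrypted blob are assumptions made for this example; the constructed image is a minimal PE32 that parses but does not run. One caveat for this sample: it is a .NET assembly (mscoree.dll and clr.dll are loaded, Fortinet names it MSIL/Kryptik), and a .NET binary keeps IL, metadata and managed resources together in .text, so a high .text entropy here points at an encrypted embedded resource (consistent with the Remcos payload CAPE unpacked from it) rather than at a packed native code section.

```python
"""Per-section entropy of a PE image (constructed example, not CAPE code)."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off for "encrypted or compressed"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, characteristics, raw_bytes) for every section header in the image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    for i in range(nsections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        (chars,) = struct.unpack_from("<I", image, hdr + 36)
        yield name, chars, image[raw_ptr:raw_ptr + raw_size]


def high_entropy_sections(image: bytes, threshold: float = ENTROPY_THRESHOLD):
    """[(name, entropy, is_executable)] for sections whose raw data exceeds the threshold."""
    hits = []
    for name, chars, data in pe_sections(image):
        h = shannon_entropy(data)
        if h > threshold:
            hits.append((name, round(h, 2), bool(chars & IMAGE_SCN_MEM_EXECUTE)))
    return hits


# --- constructed test image (assumed layout, enough for the parser above) ----

def pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in for an encrypted blob."""
    out = bytearray()
    for counter in range(-(-n // 32)):
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def build_test_pe(sections, file_align: int = 0x200) -> bytes:
    """Minimal PE32 image with the given (name, characteristics, data) sections; parseable, not runnable."""
    e_lfanew, opt_size = 0x40, 0xE0
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-headers_len // file_align) * file_align
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    table, blobs = b"", b""
    for name, chars, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0,
                             raw_size, first_raw + len(blobs), 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + blobs


SAMPLE_PE = build_test_pe([
    (b".text", 0x60000020, pseudo_random(4096)),  # CODE|EXECUTE|READ, encrypted-looking
    (b".rsrc", 0x40000040, bytes(512)),           # INITIALIZED_DATA|READ, all zeros
])

if __name__ == "__main__":
    for name, chars, data in pe_sections(SAMPLE_PE):
        print(f"{name:8s} entropy={shannon_entropy(data):.2f} exec={bool(chars & IMAGE_SCN_MEM_EXECUTE)}")
    print("flagged:", high_entropy_sections(SAMPLE_PE))
```

Against a real sample, pass the file's bytes to high_entropy_sections; the executable flag separates a packed or encrypted code section from a high-entropy resource section, and for a .NET binary the two collapse into .text, which is why the report's 7.18 on .text alone does not say whether it is native packing or an encrypted managed resource.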

Hosts

Direct  IP               Country Name
Y       8.8.8.8          United States
Y       79.134.225.30    Switzerland
Y       185.165.153.243  Netherlands
N       104.18.11.39     United States
Y       1.1.1.1          Australia

DNS

Name                  Response        Post-Analysis Lookup
cacerts.digicert.com  A 104.18.11.39  104.18.11.39
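Several of the findings above are worth turning into reusable checks: the resolved-API list contains the full process-hollowing toolkit (CreateProcessA, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext/SetThreadContext, ResumeThread), persistence is a schtasks /Create driven by an XML task definition written to %TEMP%, and the Remcos mutex, registry key and log file are stable host IOCs. The Python below is an added example, not part of the CAPE report or of CAPE's signature code. It parses CAPE-style "label: value" lines (the constructed REPORT_LINES are copied from this report) and returns those three findings. Note that the DynamicLoader list records the order in which addresses were resolved, not the order in which the APIs were called (ResumeThread is resolved before CreateProcessA above), so the hollowing check matches on presence of every slot in the toolkit rather than on sequence; an order-sensitive rule belongs on the API call trace. The temp-directory patterns and the Remcos regexes are assumptions made for this example, and the network lines (resolver traffic and the cacerts.digicert.com fetch) are not treated as indicators here.

```python
"""Turn CAPE-style sandbox findings into three reusable checks (constructed example)."""
import re

# Process-hollowing toolkit: every slot must be present; each slot lists
# interchangeable APIs after normalisation (A/W suffix dropped, Zw -> Nt).
# Presence, not order, is checked: a DynamicLoader list is resolution order.
HOLLOWING_SLOTS = {
    "create_process": {"CreateProcess", "CreateProcessInternal", "NtCreateUserProcess"},
    "unmap_image": {"NtUnmapViewOfSection"},
    "allocate_remote": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write_remote": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "set_entry_point": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume": {"ResumeThread", "NtResumeThread"},
}

# Assumed IOC patterns for this example: mutex prefix, HKCU key, log file.
REMCOS_IOCS = {
    "mutex": re.compile(r"^Remcos_Mutex"),
    "registry_key": re.compile(r"\\Software\\Remcos-[A-Z0-9]+\\?$", re.IGNORECASE),
    "log_file": re.compile(r"\\remcos\\logs\.dat$", re.IGNORECASE),
}

_AW_SUFFIX = re.compile(r"(?<=[a-z0-9])[AW]$")
_SCHTASKS_ARG = re.compile(r'/(TN|XML)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def normalise_api(entry: str) -> str:
    """'KERNEL32.dll/CreateProcessA' -> 'CreateProcess'; 'ntdll.dll/ZwX' -> 'NtX'."""
    name = _AW_SUFFIX.sub("", entry.rsplit("/", 1)[-1])
    return "Nt" + name[2:] if name.startswith("Zw") else name


def hollowing_toolkit(resolved_apis) -> dict:
    """Map each hollowing slot to the API that fills it, or {} if any slot is missing."""
    seen = {normalise_api(a) for a in resolved_apis}
    hits = {}
    for slot, candidates in HOLLOWING_SLOTS.items():
        found = seen & candidates
        if not found:
            return {}
        hits[slot] = sorted(found)[0]
    return hits


def suspicious_schtasks(cmdline: str):
    """(task_name, xml_path) for 'schtasks /Create ... /XML <file in a temp dir>', else None."""
    lowered = cmdline.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return None
    args = {m.group(1).upper(): m.group(2) or m.group(3) for m in _SCHTASKS_ARG.finditer(cmdline)}
    xml = args.get("XML")
    if xml and (_TEMP_DIR.search(xml) or xml.lower().endswith(".tmp")):
        return args.get("TN"), xml
    return None


def parse_report(lines):
    """Group CAPE-style 'label: value' lines into label -> [values]."""
    fields = {}
    for line in lines:
        label, sep, value = line.partition(": ")
        if sep:
            fields.setdefault(label.strip(), []).append(value.strip())
    return fields


def triage(lines) -> dict:
    """Run the three checks over a list of report lines."""
    fields = parse_report(lines)
    iocs = {}
    for value in sum((fields.get(k, []) for k in ("mutex", "Key", "file", "copy")), []):
        for kind, pattern in REMCOS_IOCS.items():
            if pattern.search(value):
                iocs.setdefault(kind, []).append(value)
    tasks = [t for t in map(suspicious_schtasks, fields.get("command", [])) if t]
    return {
        "process_hollowing": hollowing_toolkit(fields.get("DynamicLoader", [])),
        "temp_xml_tasks": sorted(set(tasks)),  # the two command variants collapse to one task
        "remcos_iocs": iocs,
    }


# Constructed input: lines copied from the report above, in the order they appear.
REPORT_LINES = [
    "DynamicLoader: KERNEL32.dll/ResumeThread",
    "DynamicLoader: KERNEL32.dll/Wow64SetThreadContext",
    "DynamicLoader: KERNEL32.dll/SetThreadContext",
    "DynamicLoader: KERNEL32.dll/VirtualAllocEx",
    "DynamicLoader: KERNEL32.dll/WriteProcessMemory",
    "DynamicLoader: KERNEL32.dll/ReadProcessMemory",
    "DynamicLoader: ntdll.dll/ZwUnmapViewOfSection",
    "DynamicLoader: KERNEL32.dll/CreateProcessA",
    'command: "C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\SgDbfuA" /XML "C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp7980.tmp"',
    'command: schtasks.exe /Create /TN "Updates\\SgDbfuA" /XML "C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp7980.tmp"',
    "mutex: Remcos_Mutex_Inj",
    "Key: HKEY_CURRENT_USER\\Software\\Remcos-FJXN4E\\",
    "file: C:\\Users\\Louise\\AppData\\Roaming\\remcos\\logs.dat",
    "copy: C:\\Users\\Louise\\AppData\\Roaming\\SgDbfuA.exe",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_LINES), indent=2))
```

The same checks apply to a live host: the task name and XML path from suspicious_schtasks map onto C:\Windows\System32\Tasks\Updates\SgDbfuA, and the IOC regexes onto the mutex, the HKCU key and %APPDATA%\remcos\logs.dat listed in the Summary below. ReadProcessMemory is deliberately not a slot, since hollowing does not need it and its presence only reflects this particular loader.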

Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Louise\AppData\Local\Temp\Quotation.exe.config
C:\Users\Louise\AppData\Local\Temp\Quotation.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\System32\api-ms-win-core-quirks-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\urNDKOjlKEbS0Ha\*
C:\Users\Louise\AppData\Local\Temp\Quotation.INI
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\ec27d822eb278dc8c0dbcfce9b47f5b7\System.Data.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\ec27d822eb278dc8c0dbcfce9b47f5b7\System.Data.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Caching\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Caching.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll.aux
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Users\Louise\AppData\Local\Temp\en-US\urNDKOjlKEbS0Ha.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\urNDKOjlKEbS0Ha.resources\urNDKOjlKEbS0Ha.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\urNDKOjlKEbS0Ha.resources.exe
C:\Users\Louise\AppData\Local\Temp\en-US\urNDKOjlKEbS0Ha.resources\urNDKOjlKEbS0Ha.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\Louise\AppData\Local\Temp\en\urNDKOjlKEbS0Ha.resources.dll
C:\Users\Louise\AppData\Local\Temp\en\urNDKOjlKEbS0Ha.resources\urNDKOjlKEbS0Ha.resources.dll
C:\Users\Louise\AppData\Local\Temp\en\urNDKOjlKEbS0Ha.resources.exe
C:\Users\Louise\AppData\Local\Temp\en\urNDKOjlKEbS0Ha.resources\urNDKOjlKEbS0Ha.resources.exe
C:\Users\Louise\AppData\Local\Temp\Quotation.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Users\Louise\AppData\Roaming\SgDbfuA.exe
C:\Users\Louise\AppData\Roaming\
C:\Users\Louise\AppData\Local\Temp\en-US\Kedermister.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\Kedermister.resources\Kedermister.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\Kedermister.resources.exe
C:\Users\Louise\AppData\Local\Temp\en-US\Kedermister.resources\Kedermister.resources.exe
C:\Users\Louise\AppData\Local\Temp\en\Kedermister.resources.dll
C:\Users\Louise\AppData\Local\Temp\en\Kedermister.resources\Kedermister.resources.dll
C:\Users\Louise\AppData\Local\Temp\en\Kedermister.resources.exe
C:\Users\Louise\AppData\Local\Temp\en\Kedermister.resources\Kedermister.resources.exe
C:\Users\Louise\AppData\Local\Temp\tmp7980.tmp
\??\MountPointManager
\Device\KsecDD
C:\Windows\sysnative\Tasks
C:\Windows\sysnative\Tasks\*
C:\Windows\sysnative\Tasks\AutoKMS
C:\Windows\sysnative\Tasks\Updates\SgDbfuA
C:\Windows\sysnative\Tasks\Updates
C:\Windows\sysnative\Tasks\Updates\
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\Microsoft.NET\Framework\v4.0.30319\
C:\Windows\Microsoft.NET\Framework\v4.0.30319\*.*
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ui\SwDRM.dll
C:\Windows\SysWOW64\wevtutil.exe
C:\Windows\SysWOW64
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\*.*
C:\Windows\SysWOW64\en-US\wevtutil.exe.mui
C:\Windows\SysWOW64\ui\SwDRM.dll
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Users\Louise\AppData\Roaming
C:\Users\Louise\AppData\Roaming\remcos\logs.dat
C:\Users\Louise\AppData\Roaming\remcos
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Louise\AppData\Local\Temp\Quotation.exe.config
C:\Users\Louise\AppData\Local\Temp\Quotation.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\ec27d822eb278dc8c0dbcfce9b47f5b7\System.Data.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\ec27d822eb278dc8c0dbcfce9b47f5b7\System.Data.ni.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Louise\AppData\Local\Temp\tmp7980.tmp
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\Microsoft.NET\Framework\v4.0.30319\
C:\Windows\SysWOW64\wevtutil.exe
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\en-US\wevtutil.exe.mui
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Users\Louise\AppData\Roaming\remcos\logs.dat
C:\Users\Louise\AppData\Roaming\SgDbfuA.exe
C:\Users\Louise\AppData\Local\Temp\tmp7980.tmp
C:\Users\Louise\AppData\Roaming\remcos\logs.dat
C:\Users\Louise\AppData\Local\Temp\tmp7980.tmp
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quotation.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Transactions__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Transactions__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Caching__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Caching__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.EnterpriseServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.EnterpriseServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BidInterface\Loader
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|Quotation.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|Quotation.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|Quotation.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\Quotation.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\SgDbfuA
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73157F5E-C54B-4783-9873-FE77D40061ED}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73157F5E-C54B-4783-9873-FE77D40061ED}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\SgDbfuA\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\SgDbfuA\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73157F5E-C54B-4783-9873-FE77D40061ED}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73157F5E-C54B-4783-9873-FE77D40061ED}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73157F5E-C54B-4783-9873-FE77D40061ED}\DynamicInfo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\vbc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\RepositoryRestoreInProgress
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\wevtutil.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\cmd.exe
HKEY_CURRENT_USER\Software\Remcos-FJXN4E\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_CURRENT_USER\Software\Remcos-FJXN4E\exepath
HKEY_CURRENT_USER\Software\Remcos-FJXN4E\licence
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_CURRENT_USER\Software\Remcos-FJXN4E\override
HKEY_CURRENT_USER\Software\Remcos-FJXN4E\name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
user32.dll.RegisterWindowMessageW
mscoreei.dll._CorDllMain
mscoree.dll.GetTokenForVTableEntry
mscoree.dll.SetTargetForVTableEntry
mscoree.dll.GetTargetForVTableEntry
mscoreei.dll.GetTokenForVTableEntry
mscoreei.dll.SetTargetForVTableEntry
mscoreei.dll.GetTargetForVTableEntry
kernel32.dll.CloseHandle
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
kernel32.dll.CompareStringOrdinal
kernel32.dll.GetFullPathNameW
ntdll.dll.NtQuerySystemInformation
kernel32.dll.GetFileAttributesExW
kernel32.dll.SetThreadErrorMode
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
bcrypt.dll.BCryptGetFipsAlgorithmMode
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
user32.dll.GetSystemMetrics
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
kernel32.dll.WideCharToMultiByte
kernel32.dll.LoadLibraryExW
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
user32.dll.RegisterClassW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
user32.dll.AdjustWindowRectEx
kernel32.dll.ResolveLocaleName
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptHashData
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptDestroyKey
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipBitmapGetPixel
kernel32.dll.LoadLibraryA
kernel32.dll.ResumeThread
kernel32.dll.Wow64SetThreadContext
kernel32.dll.SetThreadContext
kernel32.dll.Wow64GetThreadContext
kernel32.dll.GetThreadContext
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.ReadProcessMemory
ntdll.dll.ZwUnmapViewOfSection
kernel32.dll.CreateProcessA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.SetNamedSecurityInfoW
ntmarta.dll.GetMartaExtensionInterface
kernel32.dll.CopyFileW
advapi32.dll.GetUserNameW
kernel32.dll.SetFileAttributesW
advapi32.dll.LsaClose
advapi32.dll.LsaFreeMemory
advapi32.dll.LsaOpenPolicy
advapi32.dll.LsaLookupNames2
kernel32.dll.LocalFree
kernel32.dll.LocalAlloc
advapi32.dll.LsaLookupSids
kernel32.dll.GetTempPathW
kernel32.dll.GetTempFileNameW
kernel32.dll.WriteFile
shell32.dll.ShellExecuteEx
shell32.dll.ShellExecuteExW
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.DeleteFileW
user32.dll.SetClassLongW
user32.dll.PostMessageW
user32.dll.UnregisterClassW
advapi32.dll.EventUnregister
gdiplus.dll.GdipDisposeImage
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
clr.dll._CorDllMain
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
sspicli.dll.GetUserNameExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegisterTraceGuidsW
api-ms-win-downlevel-advapi32-l1-1-0.dll.OpenThreadToken
api-ms-win-downlevel-advapi32-l1-1-0.dll.OpenProcessToken
api-ms-win-downlevel-advapi32-l1-1-0.dll.AllocateAndInitializeSid
api-ms-win-downlevel-advapi32-l1-1-0.dll.CheckTokenMembership
api-ms-win-downlevel-advapi32-l1-1-0.dll.FreeSid
advapi32.dll.RegisterTraceGuidsA
user32.dll.GetCursorInfo
user32.dll.GetLastInputInfo
kernel32.dll.GetConsoleWindow
psapi.dll.GetModuleFileNameExA
psapi.dll.GetModuleFileNameExW
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.IsWow64Process
kernel32.dll.GetComputerNameExW
shell32.dll.IsUserAnAdmin
kernel32.dll.SetProcessDEPPolicy
user32.dll.EnumDisplayDevicesW
user32.dll.GetMonitorInfoW
shlwapi.dll.#12
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgDbfuA" /XML "C:\Users\Louise\AppData\Local\Temp\tmp7980.tmp"
schtasks.exe /Create /TN "Updates\SgDbfuA" /XML "C:\Users\Louise\AppData\Local\Temp\tmp7980.tmp"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Remcos_Mutex_Inj
Remcos-FJXN4E

BinGraph

PE Information

Image Base: 0x00400000
Entry Point: 0x004b383e
Reported Checksum: 0x00000000
Actual Checksum: 0x000bca59
Minimum OS Version: 4.0
Compile Time: 2020-10-17 23:18:16
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x000b1844 0x000b1a00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.18
.rsrc 0x000b1c00 0x000b4000 0x00000600 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.06
.reloc 0x000b2200 0x000b6000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x000b4090 0x0000030c LANG_NEUTRAL SUBLANG_NEUTRAL 3.27 None
RT_MANIFEST 0x000b43ac 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name urNDKOjlKEbS0Ha
Version 1.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0
System 4.0.0.0
Microsoft.VisualBasic 10.0.0.0
System.Windows.Forms 4.0.0.0
System.Drawing 4.0.0.0
System.Data 4.0.0.0
System.Xml 4.0.0.0
System.Data.DataSetExtensions 4.0.0.0

Custom Attributes

Type Name Value
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Comput
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute ScrapBo
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute ScrapBo
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright \xa9 20
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 1c6213db-06c8-4009-b436-92604df147
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 1.0.0
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Applicati
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Us
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.For
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedDataSetSche
TypeDef [System.Xml]System.Xml.Serialization.XmlRootAttribute ScrapDBDataS
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.DataS
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche
Property [System]System.Configuration.DefaultSettingValueAttribute Data Source=(localdb)\ProjectsV13;Initial Catalog=ScrapDB;Integrated Security=Tr
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Settin
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System]System.ComponentModel.DesignerAttribute Microsoft.VSDesigner.DataSource.Design.TableAdapterManagerDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapterManag
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute PictureBo
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
MethodDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.TableAdapt

Type References

Assembly Type Name
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase
System.Windows.Forms System.Windows.Forms.Application
mscorlib System.STAThreadAttribute
mscorlib System.Diagnostics.DebuggerHiddenAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.ShutdownMode
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.AuthenticationMode
mscorlib System.Diagnostics.DebuggerStepThroughAttribute
System.Windows.Forms System.Windows.Forms.Form
System System.CodeDom.Compiler.GeneratedCodeAttribute
Microsoft.VisualBasic Microsoft.VisualBasic.Devices.Computer
mscorlib System.Object
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.User
System System.ComponentModel.Design.HelpKeywordAttribute
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.StandardModuleAttribute
Microsoft.VisualBasic Microsoft.VisualBasic.HideModuleNameAttribute
mscorlib System.Collections.Hashtable
mscorlib System.ThreadStaticAttribute
mscorlib System.Reflection.TargetInvocationException
System.Windows.Forms System.Windows.Forms.Control
mscorlib System.Type
mscorlib System.RuntimeTypeHandle
mscorlib System.String
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.Utils
mscorlib System.InvalidOperationException
mscorlib System.Activator
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.ProjectData
mscorlib System.Exception
System System.ComponentModel.Component
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.ArgumentException
Microsoft.VisualBasic Microsoft.VisualBasic.MyGroupCollectionAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
mscorlib System.Reflection.Assembly
System.Drawing System.Drawing.Bitmap
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
System System.Configuration.ApplicationSettingsBase
System System.Configuration.SettingsBase
mscorlib System.EventArgs
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.ObjectFlowControl
mscorlib System.Threading.Monitor
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.ShutdownEventHandler
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.Conversions
System System.Configuration.ApplicationScopedSettingAttribute
System System.Configuration.SpecialSettingAttribute
System System.Configuration.SpecialSetting
System System.Configuration.DefaultSettingValueAttribute
System System.ComponentModel.IContainer
System.Windows.Forms System.Windows.Forms.Label
mscorlib System.Diagnostics.DebuggerBrowsableAttribute
mscorlib System.Diagnostics.DebuggerBrowsableState
mscorlib System.Runtime.CompilerServices.AccessedThroughPropertyAttribute
System.Windows.Forms System.Windows.Forms.Button
System.Windows.Forms System.Windows.Forms.TextBox
mscorlib System.EventHandler
mscorlib System.IDisposable
System.Windows.Forms System.Windows.Forms.ButtonBase
System.Drawing System.Drawing.Point
System.Drawing System.Drawing.SizeF
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Drawing System.Drawing.Size
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Drawing System.Drawing.Color
System.Data System.Data.SqlClient.SqlException
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.Operators
Microsoft.VisualBasic Microsoft.VisualBasic.Interaction
Microsoft.VisualBasic Microsoft.VisualBasic.MsgBoxResult
Microsoft.VisualBasic Microsoft.VisualBasic.MsgBoxStyle
System.Data System.Data.SqlClient.SqlCommand
System.Data System.Data.SqlClient.SqlConnection
System.Windows.Forms System.Windows.Forms.MessageBox
System.Windows.Forms System.Windows.Forms.DialogResult
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.DesignerGeneratedAttribute
System.Drawing System.Drawing.SystemColors
System System.Text.RegularExpressions.Match
System System.Text.RegularExpressions.Group
System System.Text.RegularExpressions.Regex
System.Windows.Forms System.Windows.Forms.PictureBox
System.Drawing System.Drawing.Font
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
System System.ComponentModel.ISupportInitialize
System.Windows.Forms System.Windows.Forms.BorderStyle
System.Windows.Forms System.Windows.Forms.DataGridView
System.Windows.Forms System.Windows.Forms.BindingSource
System.Windows.Forms System.Windows.Forms.DataGridViewTextBoxColumn
System.Windows.Forms System.Windows.Forms.ContextMenuStrip
System.Windows.Forms System.Windows.Forms.ToolStripMenuItem
System System.ComponentModel.Container
System.Windows.Forms System.Windows.Forms.DataGridViewColumn
System.Windows.Forms System.Windows.Forms.DataGridViewAutoSizeColumnsMode
System.Windows.Forms System.Windows.Forms.DataGridViewAutoSizeRowsMode
System.Windows.Forms System.Windows.Forms.ToolStripItem
System.Windows.Forms System.Windows.Forms.DataGridViewColumnHeadersHeightSizeMode
System.Windows.Forms System.Windows.Forms.DataGridViewColumnCollection
System.Windows.Forms System.Windows.Forms.ToolStrip
System.Windows.Forms System.Windows.Forms.ToolStripItemCollection
System.Data System.Data.DataSet
System.Windows.Forms System.Windows.Forms.DataGridViewCellMouseEventHandler
System.Windows.Forms System.Windows.Forms.DataGridViewRowCollection
System.Windows.Forms System.Windows.Forms.DataGridViewRow
System.Windows.Forms System.Windows.Forms.MouseEventArgs
System.Windows.Forms System.Windows.Forms.MouseButtons
System.Windows.Forms System.Windows.Forms.DataGridViewCellMouseEventArgs
System.Windows.Forms System.Windows.Forms.ToolStripDropDown
System.Windows.Forms System.Windows.Forms.DataGridViewCellCollection
System.Windows.Forms System.Windows.Forms.DataGridViewCell
System.Windows.Forms System.Windows.Forms.Cursor
mscorlib System.Text.Encoding
mscorlib System.Byte
mscorlib System.Array
mscorlib System.Int32
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.NewLateBinding
mscorlib System.Boolean
System.Windows.Forms System.Windows.Forms.GroupBox
System.Windows.Forms System.Windows.Forms.PictureBoxSizeMode
System.Windows.Forms System.Windows.Forms.ImageLayout
System.Data System.Data.SchemaSerializationMode
System System.ComponentModel.CollectionChangeEventHandler
System.Data System.Data.DataTableCollection
System.Data System.Data.DataRelationCollection
mscorlib System.Runtime.Serialization.SerializationInfo
mscorlib System.Runtime.Serialization.StreamingContext
mscorlib System.IO.StringReader
System.Xml System.Xml.XmlTextReader
mscorlib System.IO.TextReader
System.Xml System.Xml.XmlReader
System.Data System.Data.DataTable
System.Data System.Data.MissingSchemaAction
System.Data System.Data.XmlReadMode
System.Xml System.Xml.Schema.XmlSchema
mscorlib System.IO.MemoryStream
System.Xml System.Xml.XmlTextWriter
mscorlib System.IO.Stream
System.Xml System.Xml.XmlWriter
System.Xml System.Xml.Schema.ValidationEventHandler
System System.ComponentModel.CollectionChangeEventArgs
System System.ComponentModel.CollectionChangeAction
System.Xml System.Xml.Schema.XmlSchemaComplexType
System.Xml System.Xml.Schema.XmlSchemaSequence
System.Xml System.Xml.Schema.XmlSchemaAny
mscorlib System.Collections.IEnumerator
System.Xml System.Xml.Schema.XmlSchemaParticle
System.Xml System.Xml.Schema.XmlSchemaSet
System.Xml System.Xml.Schema.XmlSchemaObjectCollection
System.Xml System.Xml.Schema.XmlSchemaObject
mscorlib System.Collections.ICollection
mscorlib System.Collections.IEnumerable
System System.ComponentModel.BrowsableAttribute
System System.ComponentModel.DesignerSerializationVisibilityAttribute
System System.ComponentModel.DesignerSerializationVisibility
System System.ComponentModel.DesignerCategoryAttribute
System System.ComponentModel.ToolboxItemAttribute
System.Xml System.Xml.Serialization.XmlSchemaProviderAttribute
System.Xml System.Xml.Serialization.XmlRootAttribute
mscorlib System.MulticastDelegate
mscorlib System.IAsyncResult
mscorlib System.AsyncCallback
System.Data.DataSetExtensions System.Data.TypedTableBase`1
System.Data System.Data.DataColumn
System.Data System.Data.DataRowCollection
System.Data System.Data.DataRow
mscorlib System.Threading.Interlocked
mscorlib System.Delegate
System.Data System.Data.DataColumnCollection
System.Data System.Data.ConstraintCollection
System.Data System.Data.UniqueConstraint
System.Data System.Data.Constraint
System.Data System.Data.MappingType
System.Data System.Data.DataRowBuilder
System.Data System.Data.DataRowChangeEventArgs
System.Data System.Data.DataRowAction
System.Xml System.Xml.Schema.XmlSchemaAttribute
mscorlib System.Decimal
System.Xml System.Xml.Schema.XmlSchemaContentProcessing
mscorlib System.Reflection.DefaultMemberAttribute
mscorlib System.InvalidCastException
System.Data System.Data.StrongTypingException
mscorlib System.Convert
System.Data System.Data.SqlClient.SqlDataAdapter
System.Data System.Data.SqlClient.SqlTransaction
System.Data System.Data.Common.DataTableMapping
System.Data System.Data.SqlClient.SqlParameterCollection
System.Data System.Data.SqlClient.SqlParameter
System.Data System.Data.SqlDbType
System.Data System.Data.ParameterDirection
System.Data System.Data.DataRowVersion
System.Data System.Data.CommandType
System.Data System.Data.Common.DataColumnMappingCollection
System.Data System.Data.Common.DataColumnMapping
System.Data System.Data.Common.DataAdapter
System.Data System.Data.Common.DataTableMappingCollection
System.Data System.Data.Common.DbDataAdapter
System System.ComponentModel.DataObjectMethodAttribute
System System.ComponentModel.DataObjectMethodType
System.Data System.Data.ConnectionState
mscorlib System.ArgumentNullException
System System.ComponentModel.DataObjectAttribute
System System.ComponentModel.DesignerAttribute
mscorlib System.DBNull
mscorlib System.Nullable`1
System.Data System.Data.IDbConnection
System.Data System.Data.DataViewRowState
mscorlib System.Collections.Generic.List`1
mscorlib System.Collections.Generic.IEnumerable`1
System.Data System.Data.IDbTransaction
mscorlib System.Collections.Generic.Dictionary`2
mscorlib System.ApplicationException
System System.Diagnostics.Debug
mscorlib System.Collections.Generic.IComparer`1
System.Data System.Data.DataRelation
mscorlib System.StringComparison
System System.ComponentModel.EditorAttribute
mscorlib System.Enum
mscorlib System.Collections.Generic.IDictionary`2
mscorlib System.Collections.Generic.ICollection`1
mscorlib System.Collections.Generic.KeyValuePair`2
System.Windows.Forms System.Windows.Forms.DataGridViewClipboardCopyMode
System.Data System.Data.SqlClient.SqlDataReader
System.Windows.Forms System.Windows.Forms.ComboBox
System.Windows.Forms System.Windows.Forms.ComboBox/ObjectCollection
System System.ComponentModel.ComponentResourceManager
System.Drawing System.Drawing.Icon
System.Windows.Forms System.Windows.Forms.DataGridViewCellBorderStyle
System.Windows.Forms System.Windows.Forms.LinkLabel
System.Windows.Forms System.Windows.Forms.LinkLabelLinkClickedEventArgs
System.Windows.Forms System.Windows.Forms.TextBoxBase
System.Drawing System.Drawing.ContentAlignment
System.Windows.Forms System.Windows.Forms.LinkLabelLinkClickedEventHandler
System.Windows.Forms System.Windows.Forms.TableLayoutPanel
System.Windows.Forms System.Windows.Forms.TableLayoutColumnStyleCollection
System.Windows.Forms System.Windows.Forms.ColumnStyle
System.Windows.Forms System.Windows.Forms.SizeType
System.Windows.Forms System.Windows.Forms.DockStyle
System.Windows.Forms System.Windows.Forms.TableLayoutRowStyleCollection
System.Windows.Forms System.Windows.Forms.RowStyle
System.Windows.Forms System.Windows.Forms.FormStartPosition
System.Windows.Forms System.Windows.Forms.FormBorderStyle
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.ApplicationBase
Microsoft.VisualBasic Microsoft.VisualBasic.ApplicationServices.AssemblyInfo
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
IconData
IconSize
System.Drawing.Size
System.Drawing.Size
width
height
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
v4.0.30319
#Strings
#GUID
#Blob
Nullable`1
IEnumerable`1
TypedTableBase`1
ICollection`1
IComparer`1
List`1
SplashScreen1
Int32
KeyValuePair`2
IDictionary`2
get_PictureBox3
set_PictureBox3
<Module>
SizeF
System.IO
value__
urNDKOjlKEbS0Ha
System.Xml.Schema
GetTypedTableSchema
ReadXmlSchema
WriteXmlSchema
GetTypedDataSetSchema
System.Data
GetSerializationData
ProjectData
GetData
Xosh_Maza
FromArgb
mscorlib
System.Collections.Generic
Microsoft.VisualBasic
add_Load
get_Red
get_DarkRed
SetAdded
add_CollectionChanged
OnRowChanged
add_LoginRowChanged
remove_LoginRowChanged
add_AdminRowChanged
remove_AdminRowChanged
add_BooksRowChanged
remove_BooksRowChanged
add_ChatsRowChanged
remove_ChatsRowChanged
add_SupportRowChanged
remove_SupportRowChanged
add_LinkClicked
remove_LinkClicked
Interlocked
set_DoubleBuffered
get_IsDisposed
set_Selected
OnRowDeleted
add_LoginRowDeleted
remove_LoginRowDeleted
add_AdminRowDeleted
remove_AdminRowDeleted
add_BooksRowDeleted
remove_BooksRowDeleted
add_ChatsRowDeleted
remove_ChatsRowDeleted
add_SupportRowDeleted
remove_SupportRowDeleted
IsBinarySerialized
Synchronized
get_UpdateCommand
set_UpdateCommand
get_DeleteCommand
set_DeleteCommand
SqlCommand
set_SelectCommand
get_InsertCommand
set_InsertCommand
TargetMethod
Original_Password
get_Password
set_Password
get_ButtonFace
get_Namespace
set_Namespace
get_TargetNamespace
get_AppWorkspace
StackTrace
set_IsSingleInstance
CreateInstance
XmlSchemaSequence
set_DataSource
BindingSource
GetHashCode
XmlReadMode
set_AutoScaleMode
set_SizeMode
set_ColumnHeadersHeightSizeMode
DataGridViewColumnHeadersHeightSizeMode
PictureBoxSizeMode
AuthenticationMode
get_SchemaSerializationMode
set_SchemaSerializationMode
DetermineSchemaSerializationMode
ShutdownMode
set_AutoSizeColumnsMode
DataGridViewAutoSizeColumnsMode
set_AutoSizeRowsMode
DataGridViewAutoSizeRowsMode
set_ClipboardCopyMode
DataGridViewClipboardCopyMode
get_BigEndianUnicode
DeactivateSubPage
ProfilePage
HomePage
MainPage
AdminLoginPage
SettingsPage
ChatPage
ForgotPage
PostPage
get_Message
AddRange
CompareExchange
Merge
get_WhiteSmoke
EndInvoke
BeginInvoke
get_Locale
set_Locale
get_Table
LoginDataTable
AdminDataTable
BooksDataTable
ChatsDataTable
SupportDataTable
dataTable
set_SourceTable
set_DataSetTable
IEnumerable
IDisposable
Hashtable
GetSchemaSerializable
ReadXmlSerializable
set_Particle
XmlSchemaParticle
RuntimeTypeHandle
GetTypeFromHandle
Original_Title
get_Title
set_Title
FindByTitle
DockStyle
ColumnStyle
set_ShutdownStyle
set_BorderStyle
set_CellBorderStyle
DataGridViewCellBorderStyle
set_FormBorderStyle
FontStyle
RowStyle
MsgBoxStyle
set_Name
get_TableName
set_TableName
Original_UserName
get_UserName
set_UserName
FindByUserName
get_DataSetName
set_DataSetName
set_DataPropertyName
get_Lime
AdminHome
Combine
set_Multiline
Original_Phone
get_Phone
set_Phone
Clone
SqlDbType
set_CommandType
DataObjectMethodType
CheckForSyncLockOnValueType
SizeType
MappingType
GetRowType
XmlSchemaComplexType
Compare
WindowsFormsApplicationBase
ButtonBase
ApplicationSettingsBase
TextBoxBase
Close
Dispose
get_BackupDataSetBeforeUpdate
set_BackupDataSetBeforeUpdate
get_AcceptChangesDuringUpdate
set_AcceptChangesDuringUpdate
MulticastDelegate
get_Chocolate
get_State
DelegateAsyncState
DebuggerBrowsableState
EditorBrowsableState
ConnectionState
DataViewRowState
InsertUpdateDelete
UpdateInsertDelete
get_White
Write
XmlSchemaAttribute
ThreadStaticAttribute
STAThreadAttribute
CompilerGeneratedAttribute
DesignerGeneratedAttribute
GuidAttribute
DataObjectMethodAttribute
HelpKeywordAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
DebuggerBrowsableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
StandardModuleAttribute
HideModuleNameAttribute
DefaultSettingValueAttribute
ApplicationScopedSettingAttribute
SpecialSettingAttribute
DebuggerStepThroughAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
ToolboxItemAttribute
DebuggerHiddenAttribute
AssemblyFileVersionAttribute
MyGroupCollectionAttribute
AssemblyDescriptionAttribute
DefaultMemberAttribute
XmlSchemaProviderAttribute
DesignerAttribute
EditorAttribute
CompilationRelaxationsAttribute
DataObjectAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
XmlRootAttribute
AssemblyCompanyAttribute
DesignerCategoryAttribute
DesignerSerializationVisibilityAttribute
RuntimeCompatibilityAttribute
AccessedThroughPropertyAttribute
ReadByte
get_Blue
get_SteelBlue
get_MidnightBlue
get_Value
set_Value
set_FixedValue
get_HasValue
WithEventsValue
GetObjectValue
GetValue
set_Unique
add_Leave
remove_Leave
get_Olive
get_CaseSensitive
set_CaseSensitive
Remove
urNDKOjlKEbS0Ha.exe
set_Size
set_AutoSize
set_ClientSize
ISupportInitialize
IndexOf
System.Threading
NewLateBinding
Encoding
OnRowChanging
add_LoginRowChanging
remove_LoginRowChanging
add_AdminRowChanging
remove_AdminRowChanging
add_BooksRowChanging
remove_BooksRowChanging
add_ChatsRowChanging
remove_ChatsRowChanging
add_SupportRowChanging
remove_SupportRowChanging
System.Runtime.Versioning
DataTableMapping
DataColumnMapping
get_UseCompatibleTextRendering
GetResourceString
CompareString
get_ScrapDBConnectionString
get_ConnectionString
set_ConnectionString
ToString
disposing
XmlSchemaContentProcessing
OnRowDeleting
add_LoginRowDeleting
remove_LoginRowDeleting
add_AdminRowDeleting
remove_AdminRowDeleting
add_BooksRowDeleting
remove_BooksRowDeleting
add_ChatsRowDeleting
remove_ChatsRowDeleting
add_SupportRowDeleting
remove_SupportRowDeleting
SpecialSetting
System.Drawing
Debug
Match
set_Width
get_Length
SetLength
set_MaxLength
AsyncCallback
DelegateCallback
Rollback
get_Black
EmailAddressCheck
add_Click
remove_Click
set_Dock
NextSink
ScrapBook
get_Teal
ToDecimal
LinkLabel
writelabeltolabel
writetextboxtolabel
System.ComponentModel
TableLayoutPanel
Original_Email
get_Email
set_Email
UpdateAll
set_CurrentCell
DataGridViewCell
get_ClearBeforeFill
set_ClearBeforeFill
set_AllowDBNull
IsPhoneNull
SetPhoneNull
IsEmailNull
SetEmailNull
IsOccupationNull
SetOccupationNull
IsNull
IsAboutNull
SetAboutNull
IsReplyNull
SetReplyNull
System.Xml
ReadXml
get_Control
ContainerControl
ObjectFlowControl
MemoryStream
get_Item
set_Item
ToolStripItem
ToolStripMenuItem
System
set_MainForm
OnCreateMainForm
get_Tan
Boolean
get_DarkOliveGreen
get_DarkGreen
set_SplashScreen
OnCreateSplashScreen
set_ImageAlign
System.ComponentModel.Design
get_Login
Original_Admin
get_Admin
set_Admin
FindByAdmin
DataColumn
get_PasswordColumn
get_TitleColumn
get_UserNameColumn
get_PhoneColumn
get_EmailColumn
get_AdminColumn
get_OccupationColumn
get_AuthorColumn
get_MessagesColumn
get_DetailsColumn
get_AboutColumn
DataGridViewColumn
DataGridViewTextBoxColumn
get_ReplyColumn
set_Icon
DataRowVersion
Application
get_Location
set_Location
DataRelation
relation
Original_Occupation
get_Occupation
set_Occupation
System.Configuration
System.Globalization
System.Runtime.Serialization
System.Xml.Serialization
get_Action
MissingSchemaAction
CollectionChangeAction
DataRowAction
Interaction
set_Transaction
IDbTransaction
SqlTransaction
BeginTransaction
System.Reflection
ICollection
get_CommandCollection
DataTableCollection
TableLayoutColumnStyleCollection
TableLayoutRowStyleCollection
DataTableMappingCollection
DataColumnMappingCollection
DataGridViewCellCollection
ControlCollection
ToolStripItemCollection
DataColumnCollection
DataGridViewColumnCollection
DataRelationCollection
SqlParameterCollection
XmlSchemaObjectCollection
ConstraintCollection
DataRowCollection
DataGridViewRowCollection
get_Connection
set_Connection
IDbConnection
SqlConnection
MatchTableAdapterConnection
inputConnection
ParameterDirection
get_Position
set_Position
set_StartPosition
FormStartPosition
UpdateOrderOption
StrongTypingException
ArgumentNullException
SqlException
ApplicationException
TargetInvocationException
InvalidOperationException
get_InnerException
ArgumentException
InvalidCastException
get_Salmon
get_LightSalmon
System.Data.Common
StringComparison
get_Crimson
get_Button
ToolStripDropDown
add_Shutdown
get_Brown
get_SandyBrown
get_RosyBrown
CompareTo
CopyTo
get_Info
CultureInfo
SerializationInfo
AssemblyInfo
get_Tomato
add_CellMouseUp
remove_CellMouseUp
Bitmap
ToolStrip
ContextMenuStrip
set_TabStop
Group
set_ShowInTaskbar
Clear
set_PasswordChar
set_DataMember
SqlDataReader
ExecuteReader
StringReader
XmlReader
XmlTextReader
reader
NewRowFromBuilder
DataRowBuilder
builder
sender
get_UpdateOrder
set_UpdateOrder
ComponentResourceManager
TableAdapterManager
BooksHandler
UsersHandler
LinkLabelLinkClickedEventHandler
CollectionChangeEventHandler
LoginRowChangeEventHandler
AdminRowChangeEventHandler
BooksRowChangeEventHandler
ChatsRowChangeEventHandler
SupportRowChangeEventHandler
DataGridViewCellMouseEventHandler
ValidationEventHandler
ShutdownEventHandler
SupportHandler
System.CodeDom.Compiler
IContainer
AddUpdateUser
SqlParameter
XmlWriter
XmlTextWriter
add_Enter
remove_Enter
get_Adapter
DbDataAdapter
SqlDataAdapter
get_LoginTableAdapter
set_LoginTableAdapter
get_AdminTableAdapter
set_AdminTableAdapter
get_BooksTableAdapter
set_BooksTableAdapter
get_ChatsTableAdapter
set_ChatsTableAdapter
get_SupportTableAdapter
set_SupportTableAdapter
Computer
Original_Author
get_Author
set_Author
set_GridColor
set_BackgroundColor
set_ForeColor
set_BackColor
set_UseVisualStyleBackColor
set_LinkColor
set_VisitedLinkColor
ClearProjectError
SetProjectError
Cursor
Compressor
IEnumerator
InternalPartitionEnumerator
GetEnumerator
Activator
.ctor
.cctor
Monitor
Schemas
System.Diagnostics
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.ApplicationServices
System.Runtime.InteropServices
Microsoft.VisualBasic.CompilerServices
System.Runtime.CompilerServices
System.Resources
ScrapBook.My.Resources
ScrapBook.SplashScreen1.resources
ScrapBook.DeactivateSubPage.resources
ScrapBook.ProfilePage.resources
ScrapBook.HomePage.resources
ScrapBook.MainPage.resources
ScrapBook.AdminLoginPage.resources
ScrapBook.SettingsPage.resources
ScrapBook.ChatPage.resources
ScrapBook.ForgotPage.resources
ScrapBook.PostPage.resources
ScrapBook.AdminHome.resources
ScrapBook.BooksHandler.resources
ScrapBook.UsersHandler.resources
ScrapBook.SupportHandler.resources
ScrapBook.AddUpdateUser.resources
ScrapBook.Resources.resources
ScrapBook.AddUpdateBooks.resources
ScrapBook.Credits.resources
ScrapBook.Support.resources
ScrapBook.AddUpdateSupport.resources
ScrapBook.ChatPost.resources
DebuggingModes
get_Messages
set_Messages
HasChanges
AcceptChanges
get_Tables
ShouldSerializeTables
set_EnableVisualStyles
get_ColumnStyles
get_RowStyles
GetTypes
get_Attributes
GetBytes
get_TableMappings
get_ColumnMappings
MySettings
LinkLabelLinkClickedEventArgs
CollectionChangeEventArgs
DataRowChangeEventArgs
DataGridViewCellMouseEventArgs
get_Books
AddUpdateBooks
ReferenceEquals
get_Details
set_Details
Utils
get_Cells
get_Controls
get_Items
System.Windows.Forms
Contains
get_Columns
set_AutoGenerateColumns
set_AllowUserToOrderColumns
set_AutoScaleDimensions
System.Data.DataSetExtensions
Conversions
System.Text.RegularExpressions
get_Relations
ShouldSerializeRelations
System.Collections
MouseButtons
RuntimeHelpers
get_Parameters
ScrapBook.ScrapDBDataSetTableAdapters
SystemColors
Operators
set_MinOccurs
set_MaxOccurs
get_Success
emailaddress
get_Chats
Credits
set_ProcessContents
get_Constraints
get_EnforceConstraints
set_EnforceConstraints
Focus
get_Rows
dataRows
set_AllowUserToAddRows
SortSelfReferenceRows
set_AllowUserToDeleteRows
RemoveAt
Concat
XmlSchemaObject
GetObject
TargetObject
Select
LateGet
LateIndexGet
XmlSchemaSet
ScrapDBDataSet
get_DataSet
InitializeDerivedDataSet
dataSet
get_Violet
get_DarkViolet
Reset
get_ButtonHighlight
get_MenuHighlight
Commit
EndInit
BeginInit
GraphicsUnit
get_SaveMySettingsOnExit
set_SaveMySettingsOnExit
SetCompatibleTextRenderingDefault
IAsyncResult
DelegateAsyncResult
DialogResult
MsgBoxResult
System.Data.SqlClient
ContentAlignment
Component
get_Transparent
get_Current
LoginRowChangeEvent
AdminRowChangeEvent
BooksRowChangeEvent
ChatsRowChangeEvent
SupportRowChangeEvent
UniqueConstraint
Point
set_Font
get_Count
get_TableAdapterInstanceCount
set_ColumnCount
Insert
Assert
Convert
get_Support
AddUpdateSupport
ChatPost
childFirst
get_About
set_About
SuspendLayout
set_BackgroundImageLayout
ResumeLayout
PerformLayout
MoveNext
System.Text
get_Text
set_Text
set_CommandText
get_ActiveCaptionText
set_HeaderText
StreamingContext
context
get_Peru
DataGridView
get_Row
DataRow
dataRow
AddLoginRow
RemoveLoginRow
NewLoginRow
AddAdminRow
RemoveAdminRow
NewAdminRow
AddBooksRow
RemoveBooksRow
NewBooksRow
AddChatsRow
RemoveChatsRow
NewChatsRow
GetParentRow
AddSupportRow
RemoveSupportRow
NewSupportRow
get_IsNewRow
DataGridViewRow
get_Yellow
set_TabIndex
get_RowIndex
index
Regex
get_Prefix
set_Prefix
MessageBox
PictureBox
set_MinimizeBox
set_MaximizeBox
MsgBox
set_ControlBox
ComboBox
GroupBox
TextBox
ScrapBook.My
get_SlateGray
set_ItemArray
ToArray
CopyArray
ContainsKey
get_Assembly
set_ReadOnly
get_Reply
set_Reply
XmlSchemaAny
ExecuteNonQuery
get_MinimumCapacity
set_MinimumCapacity
DesignerSerializationVisibility
MyTemplate
11.0.0.0
My.Computer
My.Application
My.User
My.Forms
My.WebServices
System.Windows.Forms.Form
Create__Instance__
Dispose__Instance__
My.MyProject.Forms
4System.Web.Services.Protocols.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
RData Source=(localdb)\ProjectsV13;Initial Catalog=ScrapDB;Integrated Security=True
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
16.7.0.0
My.Settings
(System.Data.Design.TypedDataSetGenerator
16.0.0.0
GetTypedDataSetSchema
ScrapDBDataSet
vs.data.DataSet
GetTypedTableSchema
vs.data.TableAdapter
Microsoft.VSDesigner.DataSource.Design.TableAdapterDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Microsoft.VSDesigner.DataSource.Design.TableAdapterManagerPropertyEditor, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"System.Drawing.Design.UITypeEditor
Microsoft.VSDesigner.DataSource.Design.TableAdapterManagerDesigner, Microsoft.VSDesigner, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
vs.data.TableAdapterManager
PictureBox3
WrapNonExceptionThrows
ScrapBook
Copyright
2017
$1c6213db-06c8-4009-b436-92604df14741
1.0.0.0
.NETFramework,Version=v4.0
FrameworkDisplayName
.NET Framework 4
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
$this.Icon
ChmHNmbjv
, #, +, 37)
@c,C{cC3|I
`c,c{cc3|i
WinForms_RecursiveFormCreate
WinForms_SeeInnerException
Property can only be set to Nothing
ScrapBook.Resources
ChmHNmbjv
ScrapDBConnectionString
Delete
Update
TextBox3
TextBox2
AboutBook
Label1
Author
Label3
AddUpdateBooks
BookTitle
Label2
TextBox1
Button2
Button3
Button1
Don't keep blank Credentials for Title
Don't keep blank Credentials for Details
Don't keep blank Credentials for Author
insert into Books (Title, Details, Author) values ('
Book Posted
Delete From Books Where Title='
Book Deleted
Update Books Set Details='
', Author = '
' WHERE Title='
Book Updated
Reply
Message
UserName
AddUpdateSupport
Don't keep blank Credentials for User
Don't keep blank Credentials for message
Update Support Set Reply='
' WHERE UserName='
Replied User
Delete From Support Where UserName='
Messages Deleted
AddUpdateUser
Label6
Phone
Password
TextBox6
Email
Label5
TextBox4
TextBox5
About
Label4
Occupation
Don't keep blank Credentials for UserName
Don't keep blank Credentials for Password
Update Login Set Password='
', Email = '
' , About = '
', Occupation = '
', Phone = '
Profile Updated
Delete From login Where UserName='
Profile Deleted
insert into Login (UserName, Password, About, Email, Phone, Occupation) values ('
Profile Added
Enter a Valid Email
Warning
^[a-zA-Z][\w\.-]*[a-zA-Z0-9]@[a-zA-Z0-9][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$
BooksHandler DB
Microsoft Sans Serif
AdminHome
PictureBox1
Button4
SignOut
SupportHandler DB
UsersHandler DB
Refresh
Button6
Users DB
Support DB
Title
TitleDataGridViewTextBoxColumn
Sign Out
AuthorDataGridViewTextBoxColumn
Books
Details
DetailsDataGridViewTextBoxColumn
Delete Row
DataGridView1
ContextMenuStrip1
DeleteRowToolStripMenuItem
Button7
Button5
BooksHandler
BooksHandlerDB
ScrapDBDataSet
UserName:
Message:
ChatForm
ChatPost
Please fill the blank boxes
insert into Chats (UserName,Messages) values ('
CreateInstance
Green
ScrapBook
GroupBox1
Vishnu KP
15YASB7137
PictureBox3
Georgia
GroupBox5
Credits
Tejram Patel
15YASB7128
PictureBox2
GroupBox4
Sarvesh Kumar Modi
15YASB7111
GroupBox3
XmlSchema
Admin
Chats
Login
Support
http://tempuri.org/ScrapDBDataSet.xsd
Constraint1
namespace
tableTypeName
urn:schemas-microsoft-com:xml-diffgram-v1
AdminDataTable
http://www.w3.org/2001/XMLSchema
BooksDataTable
Messages
ChatsDataTable
LoginDataTable
SupportDataTable
The value for column 'About' in table 'Login' is DBNull.
The value for column 'Email' in table 'Login' is DBNull.
The value for column 'Occupation' in table 'Login' is DBNull.
The value for column 'Phone' in table 'Login' is DBNull.
The value for column 'Reply' in table 'Support' is DBNull.
@Original_Admin
@Original_Password
@Admin
@Password
DELETE FROM [dbo].[Admin] WHERE (([Admin] = @Original_Admin) AND ([Password] = @Original_Password))
INSERT INTO [dbo].[Admin] ([Admin], [Password]) VALUES (@Admin, @Password);
SELECT Admin, Password FROM Admin WHERE (Admin = @Admin)
UPDATE [dbo].[Admin] SET [Admin] = @Admin, [Password] = @Password WHERE (([Admin] = @Original_Admin) AND ([Password] = @Original_Password));
SELECT Admin, Password FROM Admin WHERE (Admin = @Admin)
Table
SELECT Admin, Password FROM dbo.Admin
Original_Admin
Original_Password
@Author
@Original_Title
@Title
@Details
@Original_Author
DELETE FROM [dbo].[Books] WHERE (([Title] = @Original_Title) AND ([Author] = @Original_Author))
INSERT INTO [dbo].[Books] ([Title], [Details], [Author]) VALUES (@Title, @Details, @Author);
SELECT Title, Details, Author FROM Books WHERE (Title = @Title)
UPDATE [dbo].[Books] SET [Title] = @Title, [Details] = @Details, [Author] = @Author WHERE (([Title] = @Original_Title) AND ([Author] = @Original_Author));
SELECT Title, Details, Author FROM Books WHERE (Title = @Title)
SELECT Title, Details, Author FROM dbo.Books
Original_Title
Original_Author
INSERT INTO [dbo].[Chats] ([UserName], [Messages]) VALUES (@UserName, @Messages);
SELECT UserName, Messages FROM Chats WHERE (UserName = @UserName)
@UserName
@Original_UserName
UPDATE [dbo].[Chats] SET [UserName] = @UserName, [Messages] = @Messages WHERE (([UserName] = @Original_UserName));
SELECT UserName, Messages FROM Chats WHERE (UserName = @UserName)
@Messages
DELETE FROM [dbo].[Chats] WHERE (([UserName] = @Original_UserName))
SELECT UserName, Messages FROM dbo.Chats
Original_UserName
@IsNull_Email
@Original_Email
@IsNull_Occupation
UPDATE [dbo].[Login] SET [UserName] = @UserName, [Password] = @Password, [About] = @About, [Email] = @Email, [Occupation] = @Occupation, [Phone] = @Phone WHERE (([UserName] = @Original_UserName) AND ([Password] = @Original_Password) AND ((@IsNull_Email = 1 AND [Email] IS NULL) OR ([Email] = @Original_Email)) AND ((@IsNull_Occupation = 1 AND [Occupation] IS NULL) OR ([Occupation] = @Original_Occupation)) AND ((@IsNull_Phone = 1 AND [Phone] IS NULL) OR ([Phone] = @Original_Phone)));
SELECT UserName, Password, About, Email, Occupation, Phone FROM Login WHERE (UserName = @UserName)
@Phone
@About
@Email
@Occupation
@Original_Occupation
@IsNull_Phone
@Original_Phone
INSERT INTO [dbo].[Login] ([UserName], [Password], [About], [Email], [Occupation], [Phone]) VALUES (@UserName, @Password, @About, @Email, @Occupation, @Phone);
SELECT UserName, Password, About, Email, Occupation, Phone FROM Login WHERE (UserName = @UserName)
DELETE FROM [dbo].[Login] WHERE (([UserName] = @Original_UserName) AND ([Password] = @Original_Password) AND ((@IsNull_Email = 1 AND [Email] IS NULL) OR ([Email] = @Original_Email)) AND ((@IsNull_Occupation = 1 AND [Occupation] IS NULL) OR ([Occupation] = @Original_Occupation)) AND ((@IsNull_Phone = 1 AND [Phone] IS NULL) OR ([Phone] = @Original_Phone)))
SELECT UserName, Password, About, Email, Occupation, Phone FROM dbo.Login
INSERT INTO [dbo].[Support] ([UserName], [Messages], [Reply]) VALUES (@UserName, @Messages, @Reply);
SELECT UserName, Messages, Reply FROM Support WHERE (UserName = @UserName)
DELETE FROM [dbo].[Support] WHERE (([UserName] = @Original_UserName))
UPDATE [dbo].[Support] SET [UserName] = @UserName, [Messages] = @Messages, [Reply] = @Reply WHERE (([UserName] = @Original_UserName));
SELECT UserName, Messages, Reply FROM Support WHERE (UserName = @UserName)
@Reply
SELECT UserName, Messages, Reply FROM dbo.Support
dataSet
All TableAdapters managed by a TableAdapterManager must use the same connection string.
TableAdapterManager contains no connection information. Set each TableAdapterManager TableAdapter property to a valid TableAdapter instance.
The transaction cannot begin. The current data connection does not support transactions or the current state is not allowing the transaction to begin.
MessagesDataGridViewTextBoxColumn
Post to Support
UserNameDataGridViewTextBoxColumn
ReplyDataGridViewTextBoxColumn
Please fill the blank boxe
insert into Support (UserName, Messages) values ('
Support Message Sent
Books DB
SupportHandler
EmailDataGridViewTextBoxColumn
OccupationDataGridViewTextBoxColumn
PhoneDataGridViewTextBoxColumn
PasswordDataGridViewTextBoxColumn
AboutDataGridViewTextBoxColumn
UsersHandler
UserHandlerDB
Log In
ScrapBook Admin
Go Back
AdminLoginPage
Don't leave Blank Credentials
select Admin, Password from Admin where Admin = '
'AND Password = '
OOOps login failed
ChatPage
GroupBox2
Integrated Security=true; Initial Catalog = ScrapDB ; Data source=(localdb)\ProjectsV13;
Sign Up Again
DeactivateSubPage
Deactivation
Your Account is Deactivated
NewPassWord
Reset
ForgotPage
Forgot Password
Update login Set Password = '
' WHERE Email ='
Passowrd Resest Done!!!
Book Title
PostPage
About The Book
Don't keep blank credentials
insert into Books (Title, Details, Author) values ('
Book Posted!!!
Server= (localdb)\ProjectsV13; Database = ScrapDB; Integrated Security = true
Save/Update
ProfilePage
Profile Page
Reader
Publisher
ComboBox1
About you
Update login Set Email = '
', Phone =
WHERE UserName='
Home
Settings
Profile
$this.Icon
HomePage
select UserName, Password from Login where UserName = '
Ooops!! Login Failed
Welcome Back...!!!
insert into Login (UserName, Password, Email) values ('
Welcome New User...!!!
helps you learn and share with the people in your life.
Label8
Forgot Password ?
Password*
Create An Account
Label7
User Name*
MainPage
Login/SignUp
Email*
LinkLabel1
Welcome to ScrapBook
Sign Up
Deactivate Account
Update Profile
Ask For Support
SettingsPage
Profile Deactivated
SplashScreen1
MainLayoutPanel
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
ScrapBook
FileVersion
1.0.0.0
InternalName
xi0W.exe
LegalCopyright
Copyright
2017
LegalTrademarks
OriginalFilename
xi0W.exe
ProductName
ScrapBook
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0

Full Results

Engine	Signature
Bkav	Clean
Elastic	malicious (high confidence)
MicroWorld-eScan	Clean
CMC	Clean
CAT-QuickHeal	Clean
McAfee	PWS-FCRK!A11B9D71C560
Cylance	Clean
Zillya	Clean
SUPERAntiSpyware	Clean
Sangfor	Clean
K7AntiVirus	Clean
Alibaba	Trojan:Win32/starter.ali1000139
K7GW	Clean
Cybereason	Clean
Invincea	Generic ML PUA (PUA)
Baidu	Clean
Cyren	W32/Trojan.SW.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
TotalDefense	Clean
APEX	Malicious
Avast	Win32:Evo-gen [Susp]
ClamAV	Clean
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Clean
NANO-Antivirus	Clean
Paloalto	generic.ml
AegisLab	Clean
Rising	Clean
Ad-Aware	Clean
Sophos	Clean
Comodo	Clean
F-Secure	Clean
DrWeb	Clean
VIPRE	Clean
TrendMicro	Clean
McAfee-GW-Edition	BehavesLike.Win32.Generic.bc
Emsisoft	Clean
SentinelOne	DFI - Malicious PE
Jiangmin	Clean
eGambit	Unsafe.AI_Score_94%
Avira	Clean
MAX	Clean
Antiy-AVL	Clean
Kingsoft	Clean
Arcabit	Clean
ViRobot	Clean
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Clean
Cynet	Malicious (score: 100)
AhnLab-V3	Clean
Acronis	Clean
BitDefenderTheta	Gen:[email protected]
ALYac	Clean
TACHYON	Clean
VBA32	Clean
Malwarebytes	Clean
Zoner	Clean
ESET-NOD32	Clean
TrendMicro-HouseCall	Clean
Tencent	Clean
Yandex	Clean
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.YFO!tr
Webroot	Clean
AVG	Win32:Evo-gen [Susp]
Panda	Clean
CrowdStrike	Clean
Qihoo-360	Generic/HEUR/QVM03.0.A8BF.Malware.Gen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 79.134.225.30 Switzerland
Y 185.165.153.243 Netherlands
N 104.18.11.39 United States
Y 1.1.1.1 Australia

TCP

Source Source Port Destination Destination Port
192.168.1.8 49206 104.18.11.39 cacerts.digicert.com 80
192.168.1.8 49176 13.107.42.23 443
192.168.1.8 49178 13.107.42.23 443
192.168.1.8 45850 168.62.200.169 24940
192.168.1.8 31894 168.62.200.169 5131
192.168.1.8 41582 168.62.200.169 31798
192.168.1.8 49202 168.62.200.169 443
192.168.1.8 49199 185.165.153.243 2021
192.168.1.8 49201 185.165.153.243 2021
192.168.1.8 49204 185.165.153.243 2021
192.168.1.8 49200 79.134.225.30 2244
192.168.1.8 49203 79.134.225.30 2244
192.168.1.8 49207 93.184.220.29 80

UDP

Source Source Port Destination Destination Port
192.168.1.8 51064 1.1.1.1 53
192.168.1.8 55051 1.1.1.1 53
192.168.1.8 63225 1.1.1.1 53
192.168.1.8 137 192.168.1.255 137
192.168.1.8 49744 8.8.8.8 53
192.168.1.8 51064 8.8.8.8 53
192.168.1.8 55051 8.8.8.8 53
192.168.1.8 56571 8.8.8.8 53
192.168.1.8 61380 8.8.8.8 53
192.168.1.8 63225 8.8.8.8 53
192.168.1.8 63471 8.8.8.8 53
192.168.1.8 65129 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
cacerts.digicert.com A 104.18.11.39 104.18.11.39

HTTP Requests

URI Data
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
GET /DigiCertGlobalRootG2.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: cacerts.digicert.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.1.8 1.1.1.1 3
192.168.1.8 1.1.1.1 3
192.168.1.8 8.8.8.8 3
192.168.1.8 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-10-18 06:37:31.905 192.168.1.8 49172 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:37:31.967 192.168.1.8 49177 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:37:31.968 192.168.1.8 49176 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:37:31.969 192.168.1.8 49179 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:37:32.009 192.168.1.8 49178 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-10-18 06:37:31.910 192.168.1.8 49172 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 06:37:31.969 192.168.1.8 49176 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 06:37:32.009 192.168.1.8 49179 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 06:37:32.010 192.168.1.8 49178 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 06:37:32.066 192.168.1.8 49177 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 06:38:38.072 192.168.1.8 49202 168.62.200.169 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.events.data.microsoft.com 1e:c4:c7:d6:8d:8d:a2:4a:82:99:22:21:5c:35:03:96:bd:05:43:b6 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-10-18 06:38:39.784 192.168.1.8 49205 8.253.238.45 80 200 ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0d23747eb5b0cb5e application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 4776
2020-10-18 06:38:40.704 192.168.1.8 49206 104.18.11.39 80 403 cacerts.digicert.com /DigiCertGlobalRootG2.crt text/html Microsoft-CryptoAPI/6.1 None 2894
2020-10-18 06:38:41.567 192.168.1.8 49205 8.253.238.45 80 200 ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/authrootstl.cab?5fb5bfc6ea09b818 application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 58918
2020-10-18 06:38:42.134 192.168.1.8 49205 8.253.238.45 80 200 ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt?fe35b67044255598 application/x-x509-ca-cert Microsoft-CryptoAPI/6.1 None 914
2020-10-18 06:38:42.761 192.168.1.8 49207 93.184.220.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 471
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.8 49172 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49177 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49178 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49179 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49202 168.62.200.169 443 d124ae14809abde3528a479fe01a12bd unknown
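Added triage example (not CAPE's code, not part of the original report): the network tables above list every outbound flow, but most of it is the guest's own noise. The Microsoft-CryptoAPI requests to cacerts.digicert.com, ocsp.digicert.com and ctldl.windowsupdate.com are Windows building and checking a certificate chain, the "ET JA3 Hash" alerts fire on connections that present an edge.skype.com certificate, and 168.62.200.169 presents a *.events.data.microsoft.com certificate. What is left is the pattern an analyst wants surfaced automatically: repeated connections to hard-coded IPs (Direct = Y in the Hosts table, no DNS answer in the DNS table) on non-standard ports, here 185.165.153.243:2021 and 79.134.225.30:2244. The script below scores each external destination on those signals. The rows are transcribed from the report's TCP, DNS, TLS and HTTP tables; the port allowlist, the weights and the priority thresholds are assumptions chosen for illustration.

```python
"""Score the external destinations in a sandbox run for likely C2 endpoints.

Added example, not CAPE's code. Rows are transcribed from the report's TCP, DNS,
Suricata TLS and Suricata HTTP tables; COMMON_PORTS, weights and thresholds are
assumptions.
"""
import ipaddress
from collections import Counter, defaultdict

# TCP table: (source port, destination IP, destination port).
TCP_ROWS = [
    (49206, "104.18.11.39", 80),
    (49176, "13.107.42.23", 443),
    (49178, "13.107.42.23", 443),
    (45850, "168.62.200.169", 24940),
    (31894, "168.62.200.169", 5131),
    (41582, "168.62.200.169", 31798),
    (49202, "168.62.200.169", 443),
    (49199, "185.165.153.243", 2021),
    (49201, "185.165.153.243", 2021),
    (49204, "185.165.153.243", 2021),
    (49200, "79.134.225.30", 2244),
    (49203, "79.134.225.30", 2244),
    (49207, "93.184.220.29", 80),
]

# DNS table: the only name the guest resolved during the run.
DNS_ANSWERS = {"cacerts.digicert.com": {"104.18.11.39"}}

# Hosts the TLS table (certificate subject) or HTTP table (Host header) attributes to a name.
ATTRIBUTED = {
    "13.107.42.23": "CN=edge.skype.com",
    "168.62.200.169": "CN=*.events.data.microsoft.com",
    "104.18.11.39": "cacerts.digicert.com",
    "93.184.220.29": "ocsp.digicert.com",
}

# Assumption: the ports a freshly booted Windows guest uses on its own.
COMMON_PORTS = {53, 80, 443}


def triage(tcp_rows, dns_answers, attributed):
    """Return {dst_ip: {ports, score, priority, reasons}} for every host scoring above 0."""
    resolved = {ip for ips in dns_answers.values() for ip in ips}
    ports = defaultdict(set)
    attempts = Counter()
    for _src_port, dst_ip, dst_port in tcp_rows:
        if not ipaddress.ip_address(dst_ip).is_global:  # LAN, broadcast, loopback
            continue
        ports[dst_ip].add(dst_port)
        attempts[(dst_ip, dst_port)] += 1

    findings = {}
    for dst_ip, dst_ports in ports.items():
        score, reasons = 0, []
        if dst_ip not in resolved:
            score += 2
            reasons.append("connected without a preceding DNS answer (hard-coded IP)")
        odd = sorted(p for p in dst_ports if p not in COMMON_PORTS)
        if odd:
            score += 2
            reasons.append(f"non-standard destination port(s) {odd}")
        retried = sorted(p for p in dst_ports if attempts[(dst_ip, p)] >= 2)
        if retried:
            score += 1
            reasons.append(f"repeated connections to port(s) {retried} (retry/beacon pattern)")
        if dst_ip in attributed:
            # A logged certificate subject or Host header lets the analyst attribute
            # the host; it lowers the priority, it does not prove the host benign.
            score -= 2
            reasons.append(f"attributable via TLS/HTTP to {attributed[dst_ip]}")
        if score <= 0:
            continue
        priority = "high" if score >= 4 else "medium" if score >= 2 else "low"
        findings[dst_ip] = {"ports": dst_ports, "score": score,
                            "priority": priority, "reasons": reasons}
    return findings


def high_priority(findings):
    """The ip:port pairs an analyst should pivot on first."""
    return sorted(f"{ip}:{port}" for ip, f in findings.items()
                  if f["priority"] == "high" for port in f["ports"])


if __name__ == "__main__":
    result = triage(TCP_ROWS, DNS_ANSWERS, ATTRIBUTED)
    for ip, f in result.items():
        print(f"{f['priority']:6} {ip:16} ports={sorted(f['ports'])} score={f['score']}")
        for reason in f["reasons"]:
            print(f"       - {reason}")
    print("pivot first:", high_priority(result))
```

Run against the transcribed rows, the two Remcos-style endpoints come out high, 168.62.200.169 medium (odd high ports, but a Microsoft certificate), 13.107.42.23 low, and the certificate-chain fetches drop out entirely. The DNS signal only works when the sandbox records DNS; a sample that resolves its C2 through a hard-coded resolver the capture misses would look "direct" too, so treat the score as a triage order, not a verdict.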
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name schtasks.exe
PID 2092
Dump Size 177152 bytes
Module Path C:\Windows\SysWOW64\schtasks.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:20:03
MD5 b0114b337b4074e0abdb2fed95487872
SHA1 dfdff4f26312bf714ebdc4108ab7a0c71f13576f
SHA256 03416fa80ddd6b87e6fc6323e77c0570a8b5ef1796eddff7252f2422326b53c5
CRC32 57B0EC35
Ssdeep 3072:R4dcaBAum1pBwCx+SMh7zv0F/g0u6+NDXrAcOfp8GBGAK3Cx:RecaBA/7x264h6MrAbGAt
Dump Filename 03416fa80ddd6b87e6fc6323e77c0570a8b5ef1796eddff7252f2422326b53c5
Process Name vbc.exe
PID 3120
Dump Size 131072 bytes
Module Path C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Type PE image: 32-bit executable
PE timestamp 2020-09-14 11:18:00
MD5 d02b7db4b4759f99a736e930fea9287e
SHA1 094272dc485202f991165d15af58794d36bdbac7
SHA256 11322c1d9f56662b7a91f8a28266ca43a32e2eda6a2e6b95d24cfb90dc7e5e76
CRC32 11081158
Ssdeep 3072:S4XgM0gTUJNFbnOabI/JZ7k0qvo7wvdbnrlSl26FNPbmrzqhKRA2hrQ:NXgMtwNFbOabI/qxlSl26FNPKrzqhKPQ
ClamAV
  • Win.Trojan.Remcos-9753190-0
  • Win.Trojan.Remcos-9763891-0
CAPE Yara
  • Parallax RAT - Author: @bartblaze
  • Remcos Payload - Author: kevoreilly
Dump Filename 11322c1d9f56662b7a91f8a28266ca43a32e2eda6a2e6b95d24cfb90dc7e5e76
Process Name svchost.exe
PID 840
Dump Size 26624 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
PE timestamp 2009-07-13 23:31:13
MD5 d1eab5e71d8f1b3b3939f5516b03298a
SHA1 dd36219319286e93ca6c344be0dda3ab164c58f0
SHA256 50cf520f662cfcea4cbee051755cc4d5fed01e0fe284af754222c0aede5e19bf
CRC32 5424B475
Ssdeep 384:TvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCEyrlWVSsEsj45RCOvojtPKW9C5bW:7WkX7q+f5TYvVeZMmn+0C4xZEbvKtPK
Dump Filename 50cf520f662cfcea4cbee051755cc4d5fed01e0fe284af754222c0aede5e19bf
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy
Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
Execution
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
Persistence
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
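Added detection example (not CAPE's code, not part of the original report) for the two techniques the process dumps and signatures record. The dump taken from the vbc.exe process carries the ClamAV Remcos signatures and the CAPE Remcos and Parallax YARA hits, so the RAT is resident inside a Microsoft .NET compiler that has no reason to talk to the network (T1055, InjectionInterProcess); a separate schtasks.exe process was dumped and the uses_windows_utilities_to_create_scheduled_task signature fired (T1053). The report captured no per-process behaviour ("Sorry! No behavior."), so the Sysmon-style events below are constructed to exercise the rules, not reconstructed from this run: the sample name xi0W.exe and the PIDs 3120 and 2092 come from the report, while the paths, parent processes and command lines are assumptions.

```python
"""Host-side rules for the TTPs in this report: a .NET compiler hollowed out for
Remcos (T1055) and scheduled-task persistence through schtasks.exe (T1053).

Added example, not CAPE's code. EVENTS are constructed Sysmon-style records;
the paths and command lines are assumptions, the PIDs come from the report.
"""
import re
from collections import Counter

# Assumption: a system compiler or schtasks launched by something running from
# one of these locations is a dropper, not a developer or an administrator.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.IGNORECASE)

# Microsoft .NET binaries that loaders commonly inject into and that never need
# the network on their own.
NO_NETWORK_EXPECTED = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                       "installutil.exe", "aspnet_compiler.exe"}

# Constructed events. EventID 1 = process create, EventID 3 = network connect.
EVENTS = [
    {"EventID": 1, "ProcessId": 3120,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"',
     "ParentImage": r"C:\Users\analyst\AppData\Roaming\xi0W.exe"},
    {"EventID": 3, "ProcessId": 3120,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "DestinationIp": "185.165.153.243", "DestinationPort": 2021},
    {"EventID": 1, "ProcessId": 2092,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /sc onlogon /tr "C:\Users\analyst\AppData\Roaming\xi0W.exe"',
     "ParentImage": r"C:\Users\analyst\AppData\Roaming\xi0W.exe"},
    # Benign controls: a compile started by MSBuild and an administrator listing tasks.
    {"EventID": 1, "ProcessId": 4404,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r'vbc.exe /noconfig @"C:\src\app\obj\Debug\app.vbproj.rsp"',
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventID": 1, "ProcessId": 5100,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /query /fo LIST",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alerts as (technique, process id, description) tuples."""
    alerts = []
    for e in events:
        image = _name(e["Image"])
        if e["EventID"] == 1:
            parent = e["ParentImage"]
            if image in NO_NETWORK_EXPECTED and USER_WRITABLE.search(parent):
                alerts.append(("T1055", e["ProcessId"],
                               f"{image} launched by {_name(parent)} from a user-writable path"))
            if (image == "schtasks.exe" and "/create" in e["CommandLine"].lower()
                    and USER_WRITABLE.search(parent)):
                alerts.append(("T1053", e["ProcessId"],
                               f"schtasks /create issued by {_name(parent)} from a user-writable path"))
        elif e["EventID"] == 3 and image in NO_NETWORK_EXPECTED:
            # The compiler itself never needs a socket; any connection is the injected code.
            alerts.append(("T1055", e["ProcessId"],
                           f"{image} connected to {e['DestinationIp']}:{e['DestinationPort']}"))
    return alerts


def by_technique(alerts):
    """Alert counts keyed by ATT&CK technique id."""
    return dict(Counter(technique for technique, _pid, _desc in alerts))


if __name__ == "__main__":
    for technique, pid, desc in detect(EVENTS):
        print(f"{technique} pid={pid} {desc}")
    print(by_technique(detect(EVENTS)))
```

The network rule is the robust one: a hollowed vbc.exe looks like any other vbc.exe on disk (the dump's hashes above are of the injected image, not of the file), so the give-away is behaviour the real compiler never shows. The parent-path rule needs tuning per estate; build agents that run from a user profile will trip it.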

    Processing ( 16.178 seconds )

    • 6.874 CAPE
    • 5.218 Suricata
    • 1.039 ProcDump
    • 0.973 BehaviorAnalysis
    • 0.701 Static
    • 0.531 NetworkAnalysis
    • 0.308 VirusTotal
    • 0.179 static_dotnet
    • 0.114 AnalysisInfo
    • 0.09 Dropped
    • 0.068 TargetInfo
    • 0.052 Deduplicate
    • 0.018 Strings
    • 0.007 Debug
    • 0.006 peid

    Signatures ( 1.3 seconds )

    • 0.441 wmi_script_process
    • 0.118 antiav_detectreg
    • 0.054 guloader_apis
    • 0.047 infostealer_ftp
    • 0.041 territorial_disputes_sigs
    • 0.028 masquerade_process_name
    • 0.027 api_spamming
    • 0.027 decoy_document
    • 0.027 infostealer_im
    • 0.026 stealth_timeout
    • 0.025 antianalysis_detectreg
    • 0.023 antiav_detectfile
    • 0.019 NewtWire Behavior
    • 0.017 masslogger_artifacts
    • 0.016 ransomware_files
    • 0.015 accesses_recyclebin
    • 0.015 infostealer_bitcoin
    • 0.013 antivm_vbox_keys
    • 0.012 antianalysis_detectfile
    • 0.011 antivm_generic_disk
    • 0.011 infostealer_mail
    • 0.011 ransomware_extensions
    • 0.009 mimics_filetime
    • 0.009 antivm_vbox_files
    • 0.008 Doppelganging
    • 0.008 antisandbox_sleep
    • 0.008 antivm_vmware_keys
    • 0.007 dridex_behavior
    • 0.006 bootkit
    • 0.006 kazybot_behavior
    • 0.006 reads_self
    • 0.006 stealth_file
    • 0.006 virus
    • 0.006 antivm_parallels_keys
    • 0.006 antivm_xen_keys
    • 0.006 geodo_banking_trojan
    • 0.006 predatorthethief_files
    • 0.006 qulab_files
    • 0.005 InjectionCreateRemoteThread
    • 0.005 antiemu_wine_func
    • 0.005 injection_createremotethread
    • 0.005 persistence_autorun
    • 0.004 antivm_generic_scsi
    • 0.004 dynamic_function_loading
    • 0.004 exec_crash
    • 0.004 hancitor_behavior
    • 0.004 Locky_behavior
    • 0.004 antivm_generic_diskreg
    • 0.004 antivm_vpc_keys
    • 0.003 antidebug_guardpages
    • 0.003 betabot_behavior
    • 0.003 dyre_behavior
    • 0.003 infostealer_browser
    • 0.003 infostealer_browser_password
    • 0.003 injection_runpe
    • 0.003 kibex_behavior
    • 0.003 kovter_behavior
    • 0.003 malicious_dynamic_function_loading
    • 0.003 antidbg_devices
    • 0.003 antivm_vmware_files
    • 0.003 browser_security
    • 0.002 InjectionInterProcess
    • 0.002 InjectionProcessHollowing
    • 0.002 Unpacker
    • 0.002 antiav_360_libs
    • 0.002 antidbg_windows
    • 0.002 antivm_generic_services
    • 0.002 antivm_vbox_libs
    • 0.002 encrypted_ioc
    • 0.002 exploit_getbasekerneladdress
    • 0.002 exploit_heapspray
    • 0.002 hawkeye_behavior
    • 0.002 network_tor
    • 0.002 shifu_behavior
    • 0.002 antivm_xen_keys
    • 0.002 antivm_hyperv_keys
    • 0.002 antivm_vbox_devices
    • 0.002 bypass_firewall
    • 0.002 disables_backups
    • 0.002 disables_browser_warn
    • 0.002 network_torgateway
    • 0.002 ursnif_behavior
    • 0.001 PlugX
    • 0.001 antiav_ahnlab_libs
    • 0.001 antiav_avast_libs
    • 0.001 antiav_emsisoft_libs
    • 0.001 antiav_apioverride_libs
    • 0.001 antiav_nthookengine_libs
    • 0.001 antisandbox_sboxie_libs
    • 0.001 antisandbox_sunbelt_libs
    • 0.001 exploit_gethaldispatchtable
    • 0.001 Raccoon Behavior
    • 0.001 Vidar Behavior
    • 0.001 office_com_load
    • 0.001 ransomware_message
    • 0.001 rat_nanocore
    • 0.001 OrcusRAT Behavior
    • 0.001 recon_programs
    • 0.001 sets_autoconfig_url
    • 0.001 stack_pivot
    • 0.001 tinba_behavior
    • 0.001 vawtrak_behavior
    • 0.001 neshta_files
    • 0.001 ketrican_regkeys
    • 0.001 browser_addon
    • 0.001 modify_proxy
    • 0.001 codelux_behavior
    • 0.001 file_credential_store_access
    • 0.001 darkcomet_regkeys
    • 0.001 azorult_mutexes
    • 0.001 network_cnc_http
    • 0.001 network_dns_opennic
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 modirat_behavior
    • 0.001 obliquerat_files
    • 0.001 rat_pcclient
    • 0.001 warzonerat_regkeys
    • 0.001 recon_fingerprint
    • 0.001 sniffer_winpcap
    • 0.001 tampers_etw
    • 0.001 targeted_flame
    • 0.001 lokibot_mutexes

    Reporting ( 17.786 seconds )

    • 17.198 BinGraph
    • 0.562 MITRE_TTPS
    • 0.026 PCAP2CERT